Oracle® Identity Manager Connector Guide for Oracle E-Business User Management
Release 9.1.0

Part Number E11203-03

3 Using the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Setting Up Lookup Definitions in Oracle Identity Manager

Depending on the connector that you are using, you must provide Decode values for some of the entries of the following lookup definition that holds configuration information.

To set a Decode value for an entry in a lookup definition:

  1. On the Design Console, expand Administration, and then double-click Lookup Definition.

  2. Search for and open the lookup definition that you want to modify.

  3. Enter the value in the Decode column for the Code Key that you want to set.

  4. Click the Save icon.

Depending on the connector that you are using, see one of the following sections for information about the Code Key entries for which you must specify values:

3.1.1 Setting Up the Lookup.EBS.UM.Configurations Lookup Definition

If you are using the User Management connector, then provide a Decode value for the following entry of the Lookup.EBS.UM.Configurations lookup definition:

USE_CONNECTION_POOLING

If you want the connector to use connection pooling, then set the value of the USE_CONNECTION_POOLING Code Key to Yes. See Section 1.4.12, "Connection Pooling" for more information about this feature.

3.1.2 Setting Up the Lookup.EBS.UMHRMS.Configurations Lookup Definition

If you are using the User Management with HR Foundation connector, then provide Decode values for the following entries of the Lookup.EBS.UMHRMS.Configurations lookup definition:

  • USE_CONNECTION_POOLING

    If you want the connector to use connection pooling, then set the value of the USE_CONNECTION_POOLING Code Key to Yes. See Section 1.4.12, "Connection Pooling" for more information about this feature.

  • UD_EBSH_USR_BIZGRPID and UD_EBSH_USR_PERTYPEID

    Business Group ID and Person Type ID are two of the attributes on the process form. By entering values for these attributes, you specify the subset of HRMS person records that must be considered for connector operations. You can enter values for these fields on the Administrative and User Console while performing direct provisioning. Alternatively, you can set values for these attributes in the UD_EBSH_USR_BIZGRPID and UD_EBSH_USR_PERTYPEID entries of the Lookup.EBS.UMHRMS.Configurations lookup definition. During a provisioning operation, if you do not enter values for these attributes on the process form, then the connector uses the Decode values of the UD_EBSH_USR_BIZGRPID and UD_EBSH_USR_PERTYPEID entries.

    Note:

    These entries in the lookup definition are also used during request-based provisioning.

    To determine the Decode value for the UD_EBSH_USR_BIZGRPID Code Key, run the following query on the target system database:

    SELECT business_group_id FROM hr_all_organization_units WHERE business_group_id = organization_id and hr_all_organization_units.name = 'ORGANIZATION_NAME'
    

    To determine the Decode value for the UD_EBSH_USR_PERTYPEID Code Key, run the following query on the target system database:

    SELECT person_type_id, user_person_type FROM per_person_types WHERE business_group_id = BUSINESS_GROUP_ID AND system_person_type = 'EMP'
    

    In this query, replace the BUSINESS_GROUP_ID with the value returned from the query for the UD_EBSH_USR_BIZGRPID Code Key. This query returns the Person Type ID for records that are of the EMP type, for example, Employee, Retiree, and Contractor.

3.1.3 Setting Up the Lookup.EBS.UMTCA.Configurations Lookup Definition

If you are using the User Management with TCA Foundation connector, then provide Decode values for the following entries of the Lookup.EBS.UMTCA.Configurations lookup definition:

USE_CONNECTION_POOLING

If you want the connector to use connection pooling, then set the value of the USE_CONNECTION_POOLING Code Key to Yes. See Section 1.4.12, "Connection Pooling" for more information about this feature.

3.2 Scheduled Task for Lookup Field Synchronization

The eBusiness UM Lookup Definition Reconciliation scheduled task is used for lookup field synchronization.

Note:

The procedure to configure this scheduled task is described later in the guide.

The descriptions of some attributes also instruct you not to change the default values.

However, if you create a copy of this scheduled task, then you can enter attribute values specific to the target system installation for which you create the copy of scheduled task. See Section 4.6, "Configuring the Connector for Multiple Installations of the Target System" for more information about creating copies of connector objects.

You must specify values for attributes whose default value is the "Enter a value" string.

Table 3-1 describes the attributes of this scheduled task.

Table 3-1 Attributes of the eBusiness UM Lookup Definition Reconciliation Scheduled Task

Attribute Description

Query Properties File

Enter the full path and name of the file containing the lookup definition synchronization query that you want to run.

Sample value: /usr/temp/ebsUMLookupQuery.properties

IT Resource Name

Enter the name of the IT resource that you configure by performing the procedure described in Section 2.3.3.6, "Configuring the IT Resource".

Sample value: EBS-APPS12

Lookup Definition Name

Enter the name of the lookup definition that you want to synchronize with the target system. You can specify one of the following lookup definitions:

  • Lookup.EBS.Application

  • Lookup.EBS.Responsibility

  • Lookup.EBS.UMX.Roles

Task Name

This attribute holds the name of the scheduled task.

Value: eBusiness UM Lookup Definition Reconciliation

Note: For this scheduled task, you must not change the value of this attribute. However, if you create a copy of this scheduled task, then you must enter the unique name of that scheduled task as the value of the attribute in that scheduled task.

Mode

Default value: Update

Note: You must not change the default value.


Note:

The IllegalInputException exception is thrown if lookup field data synchronized by the connector contains characters that are treated as illegal by Oracle Identity Manager. When a record containing an illegal character is encountered, the connector skips that record and proceeds to reconcile other records.

You can search for the string Skipped code = in the log to track down the entry that caused the exception.

See Oracle Identity Manager Globalization Guide for information about special characters that are supported by Oracle Identity Manager.

3.3 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.3.1 Reconciliation Time Stamp

This section describes the Last Execution Time attribute of the scheduled task.

The Last Execution Time attribute holds the time stamp at which the last reconciliation run started. This attribute is used in conjunction with the reconciliation query specified by the Query Name attribute. During a reconciliation run, only target system records added or modified after the time stamp value stored in the Last Execution Time attribute are fetched into Oracle Identity Manager for reconciliation.

Apply the following guidelines while deciding on a value for the Last Execution Time attribute:

  • For a particular reconciliation mode, if you want to fetch all target system records for reconciliation, then set the value of the attribute to 0.

  • If you want to specify a time stamp, then first run the following query to convert the time stamp into the required format:

    SELECT (TO_DATE('DATE_TO_BE_CONVERTED','DD-MON-YYYY') - TO_DATE('01011970', 'DDMMYYYY')) *24*60*60*1000 as ts FROM DUAL
    

    In this query, replace DATE_TO_BE_CONVERTED with the date that you want to use as the time stamp. For example, if you want to use 5-Dec-2008 as the time stamp, then run the following query:

    SELECT (TO_DATE('5-Dec-2008','DD-MON-YYYY') - TO_DATE('01011970', 'DDMMYYYY')) *24*60*60*1000 as ts FROM DUAL
    

    The query returns the following value:

    1228435200000
    

    Specify this value as the value of the Last Execution Time attribute.

  • The Last Execution Time attribute is updated during each reconciliation run. For example, the Last Execution Time attribute is set to the time stamp at which the run begins.

3.3.2 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid these problems.

To configure batched reconciliation, you must specify a value for the Batch Size user reconciliation scheduled task attribute. The value that you specify is the number of records that must be included in each batch. The default value is 1000.

3.3.3 Configuring Limited Reconciliation

Note:

This section describes an optional procedure. Perform this procedure only if you want to add filter parameters for reconciliation. The alternative to performing this procedure is to add a condition directly in the WHERE clause of the reconciliation query that you want to run.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by adding a filter parameter in the reconciliation query and specifying a value for the parameter in a lookup definition, for example, Lookup.EBS.UM.QueryFilters.

For example, you can add a parameter in the WHERE clause of the UM_USER_RECON query so that it returns FND_USER records whose user name is the one that you specify in the lookup definition.

To add a filter parameter in a reconciliation query:

Note:

Before you modify a query in the properties file, you must run the query by using any standard database client to ensure that the query produces the required results when it is run against the target system database.

  1. Modify the query as follows:

    1. Open the properties file in a text editor.

    2. Add the condition in the WHERE clause of the query that you want to modify.

      Note:

      The parameter name must begin with the colon (:) as a prefix. In addition, there must be no space between the colon and parameter name and within the parameter name.

      For example, in the following snippet of the UM_USER_RECON query, the condition on the :username parameter in the last line has been added:

      round((rolegrp.LAST_UPDATE_DATE - to_date('01011970', 'ddmmyyyy')) * 1440 * 60 * 1000)> :lastExecutionTime \
              GROUP BY rolegrp.USER_NAME, fnd.EMPLOYEE_ID, fnd.USER_ID, fnd.DESCRIPTION, fnd.EMAIL_ADDRESS,fnd.FAX, \
              fnd.START_DATE, fnd.END_DATE) \
              ) usr where UPPER(USER_NAME) = UPPER(:username)
      
    3. Save and close the file.

  2. Configure the Lookup.EBS.UM.QueryFilters lookup definition as follows:

    1. Log in to the Design Console.

    2. Expand the Administration folder, and then double-click Lookup Definition.

    3. Search for and open the Lookup.EBS.UM.QueryFilters lookup definition.

    4. To add a row, click Add.

    5. In the Code Key column, enter the variable name that you specified in the properties file. Do not include the colon (:) character. For example, enter username in the Code Key column.

    6. In the Decode column, enter the value that you want to assign to the parameter for subsequent reconciliation runs. Use one of the following formats to specify a value:

      • value|DATE|DATE_FORMAT

        Sample value: 1-Dec-1975|DATE|DD-Mon-YYYY

        Note:

        For the USER NAME example, you can enter the following sample value.

      • value|STRING

        Sample value: jdoe|STRING

      • value|NUMBER

        Sample value: 33|NUMBER

    7. Click the Save icon.

When you next run the query that you have modified, the condition that you add is applied as an additional filter during reconciliation.
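
A pre-flight check for the procedure above, as an added example that is not part of the Oracle guide or the connector: it reads a query from a properties file, extracts its bind parameters, and verifies that each query filter lookup entry names a parameter in the query and carries a well-formed Decode value. The sample query is constructed; the strict splitting on |, the Oracle-style date tokens, and the task-supplied lastExecutionTime parameter are assumptions.

```python
import re
from datetime import datetime
from decimal import Decimal

# Constructed sample, not the connector's shipped query: a cut-down stand-in
# for UM_USER_RECON with the same two bind parameters as the snippet above.
SAMPLE_PROPERTIES = r"""
UM_USER_RECON = SELECT USER_NAME, EMAIL_ADDRESS FROM FND_USER usr \
    WHERE round((usr.LAST_UPDATE_DATE - to_date('01011970 00:00', 'ddmmyyyy hh24:mi')) \
    * 1440 * 60 * 1000) > :lastExecutionTime \
    AND UPPER(USER_NAME) = UPPER(:username)
"""

# Assumption: the scheduled task supplies this parameter from its
# Last Execution Time attribute, so it needs no lookup entry.
TASK_SUPPLIED = {"lastExecutionTime"}

# Assumption: DATE_FORMAT uses Oracle-style tokens as in the sample
# "DD-Mon-YYYY"; only these four tokens are covered.
_TOKENS = {"YYYY": "%Y", "MON": "%b", "MM": "%m", "DD": "%d"}
_TOKEN_RE = re.compile("YYYY|MON|MM|DD", re.IGNORECASE)


def read_query(properties_text, name):
    """Return the query stored under `name`, joining backslash continuations."""
    entries, pending = [], ""
    for line in properties_text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
        else:
            entries.append(pending + stripped)
            pending = ""
    if pending:
        entries.append(pending)
    for entry in entries:
        key, sep, value = entry.partition("=")
        if sep and key.strip() == name:
            return " ".join(value.split())
    raise KeyError(name)


def _without_literals(query):
    # Colons inside quoted literals ('hh24:mi') are not bind parameters.
    return re.sub(r"'[^']*'", "''", query)


def bind_params(query):
    """Names of the :parameters in the query, ignoring quoted literals."""
    return set(re.findall(r":([A-Za-z_]\w*)", _without_literals(query)))


def parse_decode(decode):
    """Parse value|STRING, value|NUMBER or value|DATE|DATE_FORMAT."""
    parts = decode.split("|")
    if len(parts) == 2 and parts[1] == "STRING":
        return parts[0]
    if len(parts) == 2 and parts[1] == "NUMBER":
        if not re.fullmatch(r"-?\d+(\.\d+)?", parts[0]):
            raise ValueError(f"{parts[0]!r} is not a number")
        return Decimal(parts[0])
    if len(parts) == 3 and parts[1] == "DATE":
        value, fmt = parts[0], parts[2]
        if re.search("[A-Za-z]", _TOKEN_RE.sub("", fmt)):
            raise ValueError(f"date format {fmt!r} has a token this check does not cover")
        py_fmt = _TOKEN_RE.sub(lambda m: _TOKENS[m.group().upper()], fmt)
        return datetime.strptime(value, py_fmt)  # ValueError if value does not fit
    raise ValueError(
        f"{decode!r} is not value|STRING, value|NUMBER or value|DATE|DATE_FORMAT")


def check_filters(query, lookup):
    """Return a list of problems; an empty list means query and lookup agree."""
    problems = []
    if re.search(r":\s+[A-Za-z_]", _without_literals(query)):
        problems.append("query: space between the colon and a parameter name")
    params = bind_params(query)
    for key, decode in lookup.items():
        if key.startswith(":"):
            problems.append(f"{key}: Code Key must not include the colon")
            continue
        if key not in params:
            problems.append(f"{key}: no :{key} parameter in the query")
        try:
            parse_decode(decode)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    for name in sorted(params - set(lookup) - TASK_SUPPLIED):
        problems.append(f"{name}: query parameter has no lookup entry")
    return problems


if __name__ == "__main__":
    query = read_query(SAMPLE_PROPERTIES, "UM_USER_RECON")
    # Constructed lookup rows: one good entry, then one with a missing type.
    for lookup in ({"username": "jdoe|STRING"}, {"username": "jdoe"}):
        print(lookup, "->", check_filters(query, lookup) or "OK")
```

Because the filter value reaches the query through a bind parameter, the typed Decode value is the only thing that changes between runs; the query text in the properties file stays fixed.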

3.3.4 Reconciliation Scheduled Tasks

The following scheduled tasks are used to reconcile user data:

  • The eBusiness UM Target Resource User Reconciliation scheduled task is used for the User Management connector.

  • The eBusiness UM Target Resource User-HRMS Reconciliation scheduled task is used for the User Management with HR Foundation connector.

  • The eBusiness UM Target Resource User-TCA Reconciliation scheduled task is used for the User Management with TCA Foundation connector.

Table 3-2 describes the attributes of these scheduled tasks.

Note:

  • Values for most attributes are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

  • The descriptions of some attributes also instruct you not to change the default values. However, if you create a copy of this scheduled task, then you can enter attribute values specific to the target system installation for which you create the copy of scheduled task. See Section 4.6, "Configuring the Connector for Multiple Installations of the Target System" for more information about creating copies of connector objects.

Table 3-2 Attributes of the eBusiness UM Target Resource User Reconciliation Scheduled Task

Attribute Description

Recon Lookup Definition

This attribute holds the name of the lookup definition that holds mappings between the target system and the process form fields.

  • Value for the User Management connector: Lookup.EBS.UM.UserRecon

  • Value for the User Management with HR Foundation connector: Lookup.EBS.UM.UserHRMSRecon

  • Value for the User Management with TCA Foundation connector: Lookup.EBS.UM.UserTCARecon

Note: You must not change this value.

Target Date Format

Enter the format of date values stored in the target system database.

Default value: MM/dd/yyyy hh:mm:ss

Query Properties File

Enter the full path and name of the file containing the user reconciliation query that you want to run.

Sample value: /user/temp/ebsUMQuery.properties

Query Name

Enter the name of the query in the reconciliation query file that you want to run.

Default value:

  • Value for the User Management connector: UM_USER_RECON

  • Value for the User Management with HR Foundation connector: UM_USER_HRMS_RECON

  • Value for the User Management with TCA Foundation connector: UM_USER_TCA_RECON

IT Resource Name

Enter the name of the IT resource that you configure by performing the procedure described in Section 2.3.3.6, "Configuring the IT Resource".

Sample value: EBS-APPS12

Last Execution Time

This attribute holds the time stamp at which the last reconciliation run started.

Default value: 0

See Section 3.3.1, "Reconciliation Time Stamp" for information about setting a value for the Last Execution Time attribute.

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

Default value: 1000

This attribute is discussed in Section 3.3.2, "Batched Reconciliation".

Task Name

This attribute holds the name of the scheduled task.

  • Value for the User Management connector: eBusiness UM Target Resource User Reconciliation

  • Value for the User Management with HR Foundation connector: eBusiness UM Target Resource User-HRMS Reconciliation

  • Value for the User Management with TCA Foundation connector: eBusiness UM Target Resource User-TCA Reconciliation

Note: For this scheduled task, you must not change the value of this attribute. However, if you create a copy of this scheduled task, then you must enter the unique name of that new scheduled task as the value of the Task Name attribute in that scheduled task.

Resource Object Name

This attribute holds the name of the resource object for the connector.

  • Value for the User Management connector: eBusiness Suite User

  • Value for the User Management with HR Foundation connector: eBusiness Suite User HR Foundation

  • Value for the User Management with TCA Foundation connector: eBusiness Suite User TCA Foundation

Note: Do not change the default value. However, if you create a copy of the resource object, then you can specify the name of the new resource object as the value of the Resource Object attribute.

Query Filter Lookup Definition

This attribute holds the name of the lookup definition that contains information about reconciliation filter parameters.

  • Value for the User Management connector: Lookup.EBS.UM.QueryFilters

  • Value for the User Management with HR Foundation connector: Lookup.EBS.UMHRMS.QueryFilters

  • Value for the User Management with TCA Foundation connector: Lookup.EBS.UMTCA.QueryFilters

Note:

You must ensure that the filter parameters in this lookup definition can be applied along with the query specified by the Query Name attribute. An error is encountered if this condition is not met.


3.4 Configuring Scheduled Tasks

This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.

To configure a scheduled task:

  1. Log in to the Administrative and User Console.

  2. Expand Resource Management.

  3. Click Manage Scheduled Task.

  4. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

    The following screenshot shows the Scheduled Task Management page:

    Surrounding text describes sched_task_config_4.gif.
  5. In the search results table, click the edit icon in the Edit column for the scheduled task. The following screenshot shows the Scheduled Task Details page:

    Surrounding text describes sched_task_config_5.gif.
  6. On the Edit Scheduled Task Details page, you can modify the following details of the scheduled task by clicking Edit:

    • Status: Specify whether or not you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

    • Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 2.

    • Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

    • Frequency: Specify the frequency at which you want the task to run.

    When you click Edit, the Edit Scheduled Task page is displayed.

  7. After modifying the values for the scheduled task details listed in the previous step, click Continue.

  8. Specify values for the attributes of the scheduled task. To do so, select each attribute from the Attribute list, specify a value in the field provided, and then click Update.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change. You must specify values for attributes whose default value is the "Enter a value" string.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    The following screenshot shows the Attributes page. The attributes of the scheduled task that you select for modification are displayed on this page.

    Surrounding text describes sched_task_config_8.gif.
  9. Click Save Changes to commit all the changes to the database.

Note:

If you want to stop a scheduled task while it is running, then use the Stop Execution feature of the Design Console. See the "The Task Scheduler Form" section in Oracle Identity Manager Design Console Guide for information about this feature.

3.5 Attributes for Which You Can Specify Values During New Resource and Entitlement Provisioning

This section lists the resource and entitlement attributes for which values can be set on the Administrative and User Console during new resource or entitlement provisioning. During an Update Resource or Update Entitlement provisioning operation, all attributes of the resource or entitlement can be updated.

This section is divided into the following topics:

3.5.1 Resource Provisioning Using the User Management Connector

If you are using the User Management connector, then you can set values for the following attributes while provisioning a resource:

  • IT resource representing the target system installation on which the provisioning operation is to be performed

  • Person ID

  • Description

  • Email

  • Fax

  • SSO User ID

3.5.2 Resource Provisioning Using the User Management with TCA Foundation Connector

If you are using the User Management with TCA Foundation connector, then you can set values for the following attributes while provisioning a resource:

  • IT resource representing the target system installation on which the provisioning operation is to be performed

  • Description

  • Email

  • Fax

  • SSO User ID

The Username and Password fields are pre-populated with OIM User data. The Effective Date From attribute is populated with the current date. Values cannot be set for the Effective Date To, Password Expiration Type and Password Expiration Interval attributes.

In addition, the OIM User can set values for the role and responsibility attributes listed later in this section.

3.5.3 Resource Provisioning Using the User Management with HR Foundation Connector

If you are using the User Management with HR Foundation connector, then you can set values for the following attributes while provisioning a resource:

  • IT resource representing the target system installation on which the provisioning operation is to be performed

  • Description

  • Email

  • Fax

  • SSO User ID

  • Gender

  • Employee Number

The Username, Password, First Name, and Last Name fields are pre-populated with OIM User data. The Effective Date From and Hire Date fields are populated with the current date. The Business Group ID and Person Type ID attributes have default values of 202 and 13, respectively. The Effective Date To, Password Expiration Type, and Password Expiration Interval fields are provisioned without any values. The OIM User cannot enter values for these attributes while submitting a request for a new resource.

3.5.4 Entitlement Provisioning Using All Three Connectors

If you are using any of the three connectors, you can set values for the following entitlement attributes along with values that you set for the resource:

  • Application Name

  • Role or Responsibility Name

  • Start Date

The Expiration Date attribute is provisioned without any values. End-users are not allowed to fill in this attribute during new resource provisioning.

3.6 Provisioning Operations Performed in an SoD-Enabled Environment

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create an Oracle E-Business Suite account for the user.

When you run the Connector Installer, configurations for both direct provisioning and request-based provisioning of Oracle E-Business Suite user accounts are installed. Therefore, during direct provisioning, the process form is suppressed and the object form is displayed. If you want to enable the use of the process form during direct provisioning:

Note:

Request-based provisioning is disabled when you perform this procedure.

  1. Open the resource object.

  2. To detach the object form from the resource object, remove the name of the field from the Table Name field.

  3. Deselect the Self Request Allowed check box.

  4. Click the Save icon.

  5. Open the process definition of provisioning type.

  6. Deselect the Auto Save check box.

  7. On the Data Flow tab, delete all mappings that are displayed.

  8. Click the Save icon.

The following are types of provisioning operations:

See Also:

Oracle Identity Manager Connector Concepts for information about the types of provisioning

This section discusses the following topics:

3.6.1 Overview of the Provisioning Process in an SoD-Enabled Environment

The following is the sequence of steps that takes place during a provisioning operation performed in an SoD-enabled environment:

  1. The provisioning operation triggers the appropriate adapter.

  2. The adapter carries provisioning data to the corresponding BAPI on the target system.

  3. If you select an account or entitlements to be provisioned to the OIM User, then the SoD check is initiated. The SoDChecker task submits the User Account and Entitlements details in the form of a Duties list to Oracle Application Access Controls Governor. In other words, the SoD validation process takes place asynchronously.

  4. The user runs either the Get SOD Check Results Provisioning or Get SOD Check Results Approval scheduled task.

  5. The scheduled task passes the entitlement data to the Web service of Oracle Application Access Controls Governor.

  6. After Oracle Application Access Controls Governor runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Manager.

  7. The status of the process task that received the response depends on the response itself. If the entitlement data clears the SoD validation process, then the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns the failure response, then the status of the process task changes to Canceled.

3.6.2 Direct Provisioning in an SoD-Enabled Environment

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. From the Users menu, select Manage if you want to provision a target system account to an existing OIM User.

  3. If you select Create, on the Create User page, enter values for the OIM User fields and then click Create User. The following screenshot shows the Create User page:

    Surrounding text describes dir_prov_3.gif.
  4. If you select Manage, then search for the OIM User and select the link for the user from the list of users displayed in the search results.

  5. On the User Detail page, select Resource Profile from the list at the top of the page. The following screenshot shows the User Detail page.

    Surrounding text describes dir_prov_5.gif.
  6. On the Resource Profile page, click Provision New Resource. The following screenshot shows the Resource Profile page.

    Surrounding text describes dir_prov_6.gif.
  7. On the Step 1: Select a Resource page, select the resource that you want to provision from the list and then click Continue. The following screenshot shows the Step 1: Select a Resource page.

    Surrounding text describes dir_prov_7.gif.
  8. On the Step 2: Verify Resource Selection page, click Continue. The following screenshot shows the Step 2: Verify Resource Selection page.

    Surrounding text describes dir_prov_8.gif.
  9. On the Step 3: Provide Resource Data page for process data, enter the details of the account that you want to create on the target system and then click Continue. The following screenshot shows the user details added.

    Surrounding text describes dir_prov_9.gif.
  10. On the Step 3: Provide Process Data page for responsibility data, specify the application name, responsibility name, and effective start date for the account and then click Add. If you want to add more than one responsibility, repeat the process. Then, click Continue. The following screenshot shows this page:

    Surrounding text describes dir_prov_10.gif.
  11. On the Step 3: Provide Process Data page for role data, specify the application name, role name, and start date for the role assignment and then click Add. If you want to add more than one role, repeat the process. Then, click Continue. The following screenshot shows this page:

    Surrounding text describes dir_prov_11.gif.
  12. On the Step 4: Verify Process Data page, verify the data that you have provided and then click Continue. The following screenshot shows Step 4: Verify Process Data page.

    Surrounding text describes dir_prov_12.gif.
  13. The "Provisioning has been initiated" message is displayed. Click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user. The following screenshot shows this page:

    Surrounding text describes dir_prov_13.gif.
  14. If you click the View link in the Process Form column, then the process form is displayed. The following screenshot shows this page:

    Surrounding text describes dir_prov_14.gif.

    In this screenshot, the SODCheckStatus field shows SODCheckPending. The value in this field can be SoDCheckResultPending or SoDCheckCompleted.

    Note:

    If Oracle Identity Manager is not SoD enabled, then the SOD Check Status field shows SODCheckNotInitiated.

  15. If you click the resource, then the Resource Provisioning Details page is displayed. The following screenshot shows this page:

    Surrounding text describes dir_prov_15.gif.

    This page shows the details of the process tasks that were run. The Holder and SODChecker tasks are in the Pending state. These tasks will change state after the status of the SoD check is returned from the SoD engine. The Add Responsibility and Add Role to User tasks correspond to the responsibilities and roles selected for assignment to this user.

    Note:

    SoD validation by Oracle Application Access Controls Governor is asynchronous. The validation process returns a result as soon as it is completed.
  16. After the Get SOD Check Results Provisioning scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. If you click the View link in the Process Form column, then the process form is displayed. The following screenshot shows this page:

    Surrounding text describes dir_prov_16.gif.

    In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because a violation was detected by the SoD engine in this particular example, the SoD Check Violation field shows the details of the violation.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    The following screenshot shows this page:

    Surrounding text describes dir_prov_16a.gif.

    In this screenshot, the status of the Add User Role tasks is Canceled because the request failed the SoD validation process.

  17. As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, first click the Edit link in the Process Form column on the Resource Profile page.

  18. In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.

    Note:

    To modify a set of entitlements in the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.

    In the following screenshot, one of the roles selected earlier is marked for removal:

    Surrounding text describes dir_prov_18.gif.
  19. Rerun the Get SOD Check Results Provisioning scheduled task to initiate the SoD validation process.

  20. After the Get SOD Check Results Provisioning scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. If you click the View link in the Process Form column, then the process form is displayed. The following screenshot shows this page:

    Surrounding text describes dir_prov_20.gif.

    In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because no violation was detected by the SoD engine, the SoDCheckResult field shows Passed.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    The following screenshot shows this page:

    Surrounding text describes dir_prov_20a.gif.

    On the Resource Provisioning Details page, the state of the Add Role to User task is Completed.

3.6.3 Request-Based Provisioning in an SoD-Enabled Environment

The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.

In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.

End-User's Role in Request-Based Provisioning

The following are types of request-based provisioning:

  • Request-based provisioning of accounts: OIM Users are created but not provisioned target system resources when they are created. Instead, the users themselves raise requests for provisioning accounts.

  • Request-based provisioning of entitlements: OIM Users who have been provisioned target system resources (either through direct or request-based provisioning) raise requests for provisioning entitlements.

The following steps are performed by the end user in a request-based provisioning operation:

Note:

The procedure is almost the same for request-based provisioning of both accounts and entitlements. Differences have been called out in the following sequence of steps.
  1. Log in to the Administrative and User Console.

  2. Expand My Resources, and then click Request New Resources.

  3. On the Step 1: Provide resources page, use the Add button to select one of the following:

    • eBusiness Suite User, if you want to create a request for a target system account

    • eBusiness Suite User Responsibility or eBusiness Suite User Role, if you want to create a request for an entitlement on the target system

    The following screenshot shows the eBusiness Suite User Responsibility entitlement selected:

    Surrounding text describes rec_prov_3.gif.
  4. On the Step 2: Provide resource data page, click Continue.

    The following screenshot shows this page:

    Surrounding text describes rec_prov_4.gif.
  5. On the second Step 2: Provide resource data page, select the IT resource corresponding to the target system installation on which you want the selected entitlement.

    The following screenshot shows this page:

    Surrounding text describes rec_prov_5.gif.
  6. On the third Step 2: Provide resource data page, to add the responsibility data, specify the application name, responsibility name and effective start date for the responsibility and then click Add. If you want to add more than one responsibility, repeat the process. Then, click Continue.

    The following screenshot shows two roles selected on this page:

    Surrounding text describes rec_prov_6.gif.
  7. On the Step 3: Verify information page, review the information that you have provided and then submit the request. The following screenshot shows this page:

    Surrounding text describes rec_prov_7.gif.
  8. If you click Submit Now, then the Request Submitted page shows the request ID. The following screenshot shows this page:

    Surrounding text describes rec_prov_8.gif.
  9. If you click the request ID, then the Request Details page is displayed. The following screenshot shows this page:

    Surrounding text describes rec_prov_9.gif.

    In this screenshot, the SODCheckStatus field shows SODCheckPending. The value in this field can be SoDCheckResultPending or SoDCheckCompleted.

    Note:

    If Oracle Identity Manager is not SoD enabled, then the SOD Check Status field shows SODCheckNotInitiated.
  10. To view details of the approval, select Approval Tasks from the list at the top of the page. The Approval Tasks page is displayed. The following screenshot shows this page:

    Surrounding text describes rec_prov_10.gif.

    On this page, the status of the SODChecker task is Pending.

  11. To initiate SoD validation of pending entitlement requests, the approver must run the Get SOD Check Results Approval scheduled task.

  12. After the Get SOD Check Results Approval scheduled task is run, on the Approvals Task page, the status of the SODChecker task is Completed and the Approval task status is Pending. This page also shows details of the administrator who must now approve the request.

    The following screenshot shows the Approvals Task page after the request passes the SoD validation process.

Approver's Role in Request-Based Provisioning

This section discusses the role of the approver in a request-based provisioning operation.

The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.

Surrounding text describes main.gif.

In addition, the approver can click the View link to view details of the SoD validation process.

The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request.

The following are steps that the approver can perform:

  1. As the approver, to edit and approve a request, click the Edit link.

  2. In the Edit Form window, select the entitlement request data that you want to modify from the list at the top of the window and then make the required change. In the following screenshot, one of the roles that the requester had included in the request has been removed:

    Surrounding text describes req_ap_prov_2.gif.
  3. Close the Edit Form window, select the check box for the task that you want to approve, and then click Approve.

  4. On the Confirmation page, click Confirm.

    The following screenshot shows this page:

    Surrounding text describes req_ap_prov_4.gif.
  5. On the Request Details page, the SOD Status column shows SODCheckCompleted.

    If you search for and open the requester's profile, the entitlements granted to the user are shown in the Provisioned state. This is shown in the following screenshot:

    Surrounding text describes req_ap_prov_5.gif.
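
Because the approver can approve a request regardless of the SoD outcome, approvals are worth reviewing after the fact. The following Python script is an added example, not part of this guide or of the connector: it scans a constructed CSV export of request records and flags approved requests that lack a passed SoD check. The column names, the sample rows and the `Failed` result value are assumptions, not an Oracle Identity Manager schema; the status values and `Passed` are the ones shown in this chapter.

```python
import csv
import io

# Constructed sample export. Column names are hypothetical, not an OIM schema.
# Only the status values and "Passed" come from the guide; "Failed" is constructed.
SAMPLE_EXPORT = """request_id,requester,approver,sod_check_status,sod_check_result,decision
1001,jdoe,asmith,SoDCheckCompleted,Passed,Approved
1002,jdoe,asmith,SODCheckCompleted,Failed,Approved
1003,mlee,asmith,SODCheckNotInitiated,,Approved
1004,mlee,bwong,SoDCheckResultPending,,Approved
1005,kray,bwong,SoDCheckCompleted,Failed,Denied
"""


def audit_approvals(export_text):
    """Return (request_id, reason) for approved requests without a passed SoD check."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["decision"].strip().lower() != "approved":
            continue  # denied or open requests grant nothing
        # Compare case-insensitively: the guide itself mixes the spellings
        # SODCheckCompleted and SoDCheckCompleted for the same status.
        status = row["sod_check_status"].strip().lower()
        result = row["sod_check_result"].strip().lower()
        if status == "sodchecknotinitiated":
            reason = "approved without SoD check (SoD not enabled or not initiated)"
        elif status != "sodcheckcompleted":
            reason = "approved before SoD result was returned"
        elif result != "passed":
            reason = "approved despite SoD violation"
        else:
            continue  # check completed and passed
        findings.append((row["request_id"], reason))
    return findings


if __name__ == "__main__":
    for request_id, reason in audit_approvals(SAMPLE_EXPORT):
        print(f"request {request_id}: {reason}")
```
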