Oracle® Identity Manager Connector Guide for SAP User Management
Release 9.1.0
Part Number E11212-02

3 Using the Connector

After you deploy the connector, you must first reconcile all existing user data from the target system into Oracle Identity Manager. To achieve this:

  1. Configure and run the scheduled task for lookup field synchronization.

  2. Run the scheduled task for user reconciliation. Because you are running this scheduled task for the first time, full reconciliation is performed. In other words, all existing user data is fetched from the target system into Oracle Identity Manager.

After you perform these two steps, the integration between Oracle Identity Manager and the target system is ready for provisioning operations and reconciliation runs.

This chapter is divided into the following sections:

  • Section 3.1, "Scheduled Task for Lookup Field Synchronization"

  • Section 3.2, "Configuring Reconciliation"

  • Section 3.3, "Configuring Scheduled Tasks"

  • Section 3.4, "Provisioning Operations Performed in an SoD-Enabled Environment"

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Scheduled Task for Lookup Field Synchronization

The SAP R3 LookupRecon scheduled task is used for lookup field synchronization. Table 3-1 describes the attributes of this scheduled task. The procedure to configure it is described in Section 3.3, "Configuring Scheduled Tasks."

Table 3-1 Attributes of the SAP R3 LookupRecon Scheduled Task

IT Resource

  Enter the name of the IT resource for setting up the connection to the target system. The IT resource name that you specify must be the same as the name that you set while performing the procedure described in the "Configuring the IT Resource" section.

Lookup Mapping

  This attribute holds the name of the lookup definition that stores mappings between the names of the lookup definitions to be synchronized and the corresponding BAPI details.

  Value: Lookup.SAP.R3.LookupMappings

  Note: You must not change the default value of this attribute. See Table 1-2 for information about this lookup definition.


3.2 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

  • Section 3.2.1, "Full Reconciliation vs. Incremental Reconciliation"

  • Section 3.2.2, "Limited Reconciliation vs. Regular Reconciliation"

  • Section 3.2.3, "Batched Reconciliation"

  • Section 3.2.4, "Reconciliation Scheduled Task"

3.2.1 Full Reconciliation vs. Incremental Reconciliation

The TimeStamp IT resource parameter stores the time stamp at which the most recent reconciliation run began. During a reconciliation run, the scheduled task fetches only those target system records that were added or modified after the time stamp stored in this parameter. This is incremental reconciliation. If you set the parameter to 0, then full reconciliation is performed: all existing target system records are fetched into Oracle Identity Manager for reconciliation.

You can switch from incremental to full reconciliation at any time by resetting the TimeStamp parameter to 0 before the next run.

3.2.2 Limited Reconciliation vs. Regular Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

For this connector, you create a filter by specifying a value for the CustomizedReconQuery parameter of the IT resource.

The following table lists the SAP User Management attributes, and the corresponding Oracle Identity Manager attributes, that you can use to build the query condition. You specify this query condition as the value of the CustomizedReconQuery parameter.

Oracle Identity Manager Attribute    SAP User Management Attribute
User ID                              userid
First Name                           firstname
Last Name                            lastname
Language                             langcomm
User Type                            usertype
Department                           department
Functions                            function
Country                              country
User Group                           usergroup
User Profile                         userprofile
User Role                            userrole

The following are sample query conditions:

  • firstname=John&lastname=Doe

    With this query condition, records of users whose first name is John and last name is Doe are reconciled.

  • firstname=John&lastname=Doe|usergroup=contractors

    With this query condition, records of users who meet either of the following conditions are reconciled:

    • The user's first name is John and last name is Doe (the ampersand joins both conditions, as in the previous example).

    • The user belongs to the contractors user group.

If you do not specify values for the CustomizedReconQuery parameter, then all the records in the target system are compared with existing Oracle Identity Manager records during reconciliation.

The following are guidelines to be followed while specifying a value for the CustomizedReconQuery parameter:

  • For the target system attributes, you must use the same case (uppercase or lowercase) as given in the table shown earlier in this section. This is because the attribute names are case-sensitive.

  • You must not include unnecessary blank spaces between operators and values in the query condition.

    A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:

    firstname=John&lastname=Doe

    firstname= John&lastname= Doe

    In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.

  • You must not include special characters other than the equal sign (=), ampersand (&), and vertical bar (|) in the query condition.

    Note:

    An exception is thrown if you include special characters other than the equal sign (=), ampersand (&), and vertical bar (|).
  • The query condition must be an expression without any braces.

  • Searching for users based on multiple values for roles, profiles, or groups is not supported. Only one value for a role, profile, or group can be queried at a time. For example, if the query condition is usergroup=a,b,c, then the query generates an error.

  • Searching for users based on more than three user attributes is not supported. For example, if the query condition is userid=JOHN&firstname=John&lastname=Doe&country=US, then the query generates an error.

You specify a value for the CustomizedReconQuery parameter while configuring the IT resource.
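The following Python script is an added example; it is not part of the connector or of this guide. It turns the guidelines above into checks you can run on a CustomizedReconQuery value before entering it in the IT resource, and assembles a filter from the Oracle Identity Manager attribute names in the table. The attribute names, the permitted special characters, and the limits are taken from this section. How the connector itself parses the string is not documented, so two things here are assumptions: that ampersand-joined terms group before vertical-bar terms, and that the three-attribute limit counts distinct attribute names.

```python
"""Build and validate CustomizedReconQuery filters for the SAP UM connector.

Added example; not connector code and not from Oracle's guide. Attribute
names, permitted characters and limits follow Section 3.2.2; '&'-before-'|'
grouping and counting distinct attributes against the limit are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Oracle Identity Manager attribute -> SAP User Management attribute (table above).
OIM_TO_SAP: Dict[str, str] = {
    "User ID": "userid", "First Name": "firstname", "Last Name": "lastname",
    "Language": "langcomm", "User Type": "usertype", "Department": "department",
    "Functions": "function", "Country": "country", "User Group": "usergroup",
    "User Profile": "userprofile", "User Role": "userrole",
}
SAP_ATTRIBUTES = set(OIM_TO_SAP.values())
SINGLE_VALUE_ONLY = {"usergroup", "userprofile", "userrole"}  # one value per query
MAX_ATTRIBUTES = 3              # a fourth attribute makes the connector raise an error
ALLOWED_SPECIALS = set("=&|")   # any other non-alphanumeric character throws an exception

Term = Tuple[str, str]


class ReconQueryError(ValueError):
    """A filter that breaks one of the documented guidelines."""


def parse_recon_query(query: str) -> List[List[Term]]:
    """Validate a filter and return it as '|'-separated groups of '&'-joined terms.

    An empty string is valid and means "compare every target record".
    """
    if query == "":
        return []
    # A blank is not an operator: "firstname= John" matches values that start
    # with a space, which is almost never intended, so reject blanks outright.
    if " " in query:
        raise ReconQueryError("blank space would become part of an attribute value")
    bad = sorted({c for c in query if not c.isalnum() and c not in ALLOWED_SPECIALS})
    if bad:
        raise ReconQueryError(f"only '=', '&' and '|' are allowed, found {bad}")

    groups: List[List[Term]] = []
    attr_count: Dict[str, int] = {}
    for or_part in query.split("|"):
        terms: List[Term] = []
        for term in or_part.split("&"):
            if term.count("=") != 1:
                raise ReconQueryError(f"{term!r} is not of the form attribute=value")
            attr, value = term.split("=")
            # Exact match: attribute names are case-sensitive ("Usergroup" is wrong).
            if attr not in SAP_ATTRIBUTES:
                raise ReconQueryError(f"unknown or wrongly cased attribute {attr!r}")
            if value == "":
                raise ReconQueryError(f"{attr} has an empty value")
            attr_count[attr] = attr_count.get(attr, 0) + 1
            terms.append((attr, value))
        groups.append(terms)

    multi = sorted(a for a in SINGLE_VALUE_ONLY if attr_count.get(a, 0) > 1)
    if multi:
        raise ReconQueryError(f"only one value per query is supported for {multi}")
    if len(attr_count) > MAX_ATTRIBUTES:
        raise ReconQueryError(f"more than {MAX_ATTRIBUTES} attributes: {sorted(attr_count)}")
    return groups


def recon_query_problem(query: str) -> Optional[str]:
    """Return the guideline violation for a filter, or None if it is acceptable."""
    try:
        parse_recon_query(query)
    except ReconQueryError as exc:
        return str(exc)
    return None


def build_recon_query(*or_groups: List[Term]) -> str:
    """Assemble a filter from OIM attribute names and validate it, e.g.
    build_recon_query([("First Name", "John"), ("Last Name", "Doe")],
                      [("User Group", "contractors")])
    returns 'firstname=John&lastname=Doe|usergroup=contractors'.
    """
    parts = []
    for group in or_groups:
        terms = []
        for oim_name, value in group:
            if oim_name not in OIM_TO_SAP:
                raise ReconQueryError(f"{oim_name!r} is not a filterable OIM attribute")
            terms.append(f"{OIM_TO_SAP[oim_name]}={value}")
        parts.append("&".join(terms))
    query = "|".join(parts)
    parse_recon_query(query)  # raises if, for example, a value contains a blank
    return query


if __name__ == "__main__":
    for q in ("firstname=John&lastname=Doe", "firstname= John&lastname= Doe",
              "Usergroup=a,b,c", "userid=JOHN&firstname=John&lastname=Doe&country=US"):
        print(f"{q!r}: {recon_query_problem(q) or 'ok'}")
```

Run the script to see the four sample conditions from this section classified; the second, third and fourth are rejected for the reasons the guidelines give (a blank before the value, a comma and wrong case, and four attributes). Validating the string before saving it to the IT resource avoids discovering the exception only when the scheduled task runs.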

3.2.3 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the run has to be repeated and the process takes even longer to complete.

You can configure batched reconciliation to avoid such problems: records are fetched in batches of a fixed size, so a failure costs only the batch in progress.

To configure batched reconciliation, you must specify values for the following user reconciliation scheduled task attributes:

  • StartRecord: Use this attribute to specify the record number from which batched reconciliation must begin.

  • BatchSize: Use this attribute to specify the number of records that must be included in each batch.

  • NumberOfBatches: Use this attribute to specify the total number of batches that must be reconciled. If you do not want to use batched reconciliation, specify All Available as the value of this attribute.

    Note:

    If you specify All Available as the value of this attribute, then the values of the StartRecord and BatchSize attributes are ignored.

You specify values for these attributes by following the instructions described in the "Configuring Scheduled Tasks" section.

After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then refer to the log file for information about the batch at which reconciliation has failed.
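The following Python module is an added example, not connector code and not taken from this guide. It shows how the three attributes above interact: which record ranges a run covers, how "All Available" overrides StartRecord and BatchSize, when a run stops short of the last record, and which StartRecord to use when rerunning after the log reports a failed batch. That records are numbered from 1 and that each batch covers the next BatchSize consecutive records is an assumption (the default StartRecord of 1 suggests it, but the guide does not state it).

```python
"""Plan batched reconciliation runs for the R3 Recon scheduled task.

Added example; not connector code. StartRecord, BatchSize and NumberOfBatches
are the scheduled task attributes described in Section 3.2.3. Numbering records
from 1 and filling batches with consecutive records are assumptions.
"""
from typing import List, Tuple, Union

ALL_AVAILABLE = "All Available"   # NumberOfBatches value that switches batching off
Batches = List[Tuple[int, int]]   # (first record, last record) of each batch, inclusive


def plan_batches(total_records: int, start_record: int = 1, batch_size: int = 3,
                 number_of_batches: Union[int, str] = ALL_AVAILABLE) -> Batches:
    """Return the record range each batch of a run will cover.

    With NumberOfBatches = "All Available" the StartRecord and BatchSize
    values are ignored and every record is reconciled in a single pass.
    Numeric attribute values typed into the console arrive as strings.
    """
    if total_records < 0:
        raise ValueError("total_records must not be negative")
    if isinstance(number_of_batches, str):
        if number_of_batches == ALL_AVAILABLE:
            return [(1, total_records)] if total_records else []
        number_of_batches = int(number_of_batches)
    if start_record < 1 or batch_size < 1 or number_of_batches < 1:
        raise ValueError("StartRecord, BatchSize and NumberOfBatches must be positive")
    batches: Batches = []
    first = start_record
    for _ in range(number_of_batches):
        if first > total_records:
            break                       # fewer records than requested batches
        last = min(first + batch_size - 1, total_records)
        batches.append((first, last))
        first = last + 1
    return batches


def reaches_last_record(total_records: int, start_record: int, batch_size: int,
                        number_of_batches: Union[int, str]) -> bool:
    """False when BatchSize * NumberOfBatches stops short of the last record.

    Accounts beyond the last batch are simply not reconciled in that run, which
    is why the default of "All Available" is the safe choice for a first run.
    """
    batches = plan_batches(total_records, start_record, batch_size, number_of_batches)
    return total_records == 0 or (bool(batches) and batches[-1][1] == total_records)


def resume_start_record(failed_batch: int, start_record: int, batch_size: int) -> int:
    """StartRecord for a rerun after the log shows that batch `failed_batch`
    (numbered from 1 within the run) failed.

    Batches before the failed one are already reconciled, so the rerun starts at
    the first record of the failed batch instead of repeating the whole run.
    """
    if failed_batch < 1:
        raise ValueError("batch numbers start at 1")
    return start_record + (failed_batch - 1) * batch_size


if __name__ == "__main__":
    # Constructed scenario: 10 target accounts, the defaults from the table below
    # (StartRecord 1, BatchSize 3) and the sample NumberOfBatches of 50.
    print(plan_batches(10, 1, 3, 50))
    print(plan_batches(10, 1, 3, ALL_AVAILABLE))
    print("restart at record", resume_start_record(3, 1, 3))
```

With ten records and the documented defaults, NumberOfBatches = 2 leaves records 7 to 10 out of the run, which reaches_last_record reports; rerunning after the third batch failed means setting StartRecord to 7 rather than starting over.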

3.2.4 Reconciliation Scheduled Task

You must specify values for the following attributes of the R3 Recon scheduled task.

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

OIMServerTimeZone
  Description: Time zone of the Oracle Identity Manager host computer
  Sample value: GMT

Exclude changes by SAPUser
  Description: Enter yes if you want to exclude changes made by the SAPUser directly on the target system. Otherwise, enter no.
  Sample value: no

Organization
  Description: Default organization assigned to a new user
  Sample value: Xellerate Users

Role
  Description: Default role assigned to a new user
  Sample value: Consultant

Xellerate Type
  Description: Default type assigned to a new user
  Sample value: End-User Administrator

ITResource
  Description: Name of the IT resource for setting up a connection to the SAP User Management server
  Sample value: SAP R3 IT Resource

ResourceObject
  Description: Name of the target system resource object into which users need to be reconciled
  Sample value: SAP R3 Resource Object

IsTrusted
  Description: Do not modify the value of this parameter. It will be removed in a future release.
  Sample value: false

Server
  Description: SAP server type. The value is R3.
  Note: Do not change the default value.
  Sample value: R3

StartRecord
  Description: Start record for batched reconciliation. This attribute is also discussed in the "Batched Reconciliation" section.
  Sample value: 1

BatchSize
  Description: Number of records that must be in a batch. This attribute is also discussed in the "Batched Reconciliation" section.
  Sample value: 3

NumberOfBatches
  Description: Number of batches that must be reconciled. This attribute is also discussed in the "Batched Reconciliation" section.
  Default value: All Available (for reconciling all users)
  Sample value: 50


3.3 Configuring Scheduled Tasks

This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.

Table 3-2 lists the scheduled tasks that you must configure.

Table 3-2 Scheduled Tasks for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

SAP R3 LookupRecon

This scheduled task is used for lookup field synchronization.

R3 Recon

This scheduled task is used for user data reconciliation.


To configure a scheduled task:

  1. Log in to the Administrative and User Console.

  2. Expand Resource Management.

  3. Click Manage Scheduled Task.

  4. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

  5. In the search results table, click the edit icon in the Edit column for the scheduled task.

  6. On the Edit Scheduled Task Details page, you can modify the following details of the scheduled task by clicking Edit:

    • Status: Specify whether or not you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

    • Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.

    • Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

    • Frequency: Specify the frequency at which you want the task to run.

  7. After modifying the values for the scheduled task details listed in the previous step, click Continue.

  8. Specify values for the attributes of the scheduled task. To do so, select each attribute from the Attribute list, specify a value in the field provided, and then click Update.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    The attributes of the scheduled task that you select for modification are displayed on this page.

  9. Click Save Changes to commit all the changes to the database.

Note:

If you want to stop a scheduled task while it is running, then use the Stop Execution feature of the Design Console. See the "The Task Scheduler Form" section in Oracle Identity Manager Design Console Guide for information about this feature.

3.4 Provisioning Operations Performed in an SoD-Enabled Environment

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create an SAP ERP account for the user. The types of provisioning operations covered in this section are direct provisioning and request-based provisioning.

See Also:

Oracle Identity Manager Connector Concepts for information about the types of provisioning

This section discusses the following topics:

  • Section 3.4.1, "Overview of the Provisioning Process in an SoD-Enabled Environment"

  • Section 3.4.2, "Direct Provisioning in an SoD-Enabled Environment"

  • Section 3.4.3, "Request-Based Provisioning in an SoD-Enabled Environment"

3.4.1 Overview of the Provisioning Process in an SoD-Enabled Environment

The following is the sequence of steps that takes place during a provisioning operation performed in an SoD-enabled environment:

  1. The provisioning operation triggers the appropriate adapter.

  2. An administrator runs the scheduled task (either ResubmitUninitiatedProvisioningSODChecks or Resubmit Uninitiated Approval SOD Checks).

  3. The scheduled task passes the entitlement data to the Web service of SAP GRC.

  4. After SAP GRC runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Manager.

  5. The status of the process task that received the response depends on the response itself. If the entitlement data clears the SoD validation process, then the adapter carries the provisioning data to the corresponding BAPI on the target system and the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns a failure response, then the status of the process task changes to Canceled and the entitlement is not granted.

3.4.2 Direct Provisioning in an SoD-Enabled Environment

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. From the Users menu, select Create if you want to first create an OIM User and then provision a target system account to that user, or select Manage if you want to provision a target system account to an existing OIM User.

  3. If you select Create, then on the Create User page, enter values for the OIM User fields and then click Create User. The following screenshot shows the Create User page.

    Create User page
  4. If you select Manage, then search for the OIM User and select the link for the user from the list of users displayed in the search results.

  5. On the User Detail page, select Resource Profile from the list at the top of the page. The following screenshot shows the User Detail page.

    Surrounding text describes dir_prov2_user_detail.gif.
  6. On the Resource Profile page, click Provision New Resource. The following screenshot shows the Resource Profile page.

    Surrounding text describes dir_prov3_prov_resource.gif.
  7. On the Step 1: Select a Resource page, select SAP R3 Resource Object from the list and then click Continue. The following screenshot shows the Step 1: Select a Resource page.

    Surrounding text describes dir_prov4_select_resobj.gif.
  8. On the Step 2: Verify Resource Selection page, click Continue. The following screenshot shows the Step 2: Verify Resource Selection page.

    Surrounding text describes dir_prov5_ver_res.gif.
  9. On the Step 5: Provide Process Data page for process data, enter the details of the account that you want to create on the target system and then click Continue. The following screenshot shows the user details added.

    Surrounding text describes dir_prov6_procs_data.gif.
  10. On the Step 5: Provide Process Data page for profile data, search for and select profiles for the user on the target system and then click Continue. The following screenshot shows this page.

    Surrounding text describes dir_prov7_profile_data.gif.
  11. On the Step 5: Provide Process Data page for role data, search for and select roles for the user on the target system and then click Continue. The following screenshot shows this page.

    Surrounding text describes dir_prov8_role_data.gif.
  12. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue. The following screenshot shows Step 6: Verify Process Data page.

    Surrounding text describes dir_prov9_ver_data.gif.
  13. The "Provisioning has been initiated" message is displayed. Click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user.

    The following screenshot shows this page:

    Surrounding text describes dir_prov11_res_provd.gif.
  14. If you click the View link in the Process Form column, then the process form is displayed. The following screenshot shows this page:

    Surrounding text describes dir_prov13_res_proc_frm.gif.

    In this screenshot, the SOD Check Status field shows SoDCheckNotInitiated. The value in this field can be SoDCheckNotInitiated, SoDCheckResultPending, or SoDCheckCompleted.

  15. If you click the resource, then the Resource Provisioning Details page is displayed. The following screenshot shows this page:

    Surrounding text describes dir_prov12_res_prov_det.gif.

    This page shows the details of the process tasks that were run. The Holder and SODChecker tasks are in the Pending state. These tasks will change state after the status of the SoD check is returned from the SoD engine. The Add User Role tasks correspond to the two roles selected for assignment to this user.

  16. The SODCheckNotInitiated status in the SOD Check Status field indicates that SoD validation has not started. To start SoD validation, you must run the ResubmitUninitiatedProvisioningSODChecks scheduled task.

    Note:

    SoD validation by SAP GRC is synchronous. The validation process returns a result as soon as it is completed. However, if the requested entitlement throws a large number of violations in policies defined on SAP GRC, then the process might take a long time to complete. If that happens, then Oracle Identity Manager might time out. The ResubmitUninitiatedProvisioningSODChecks scheduled task has been introduced to circumvent this issue.

    The following screenshot shows the ResubmitUninitiatedProvisioningSODChecks scheduled task in the Design Console:

    Surrounding text describes dir_prov14_sched_task1.gif.
  17. After the ResubmitUninitiatedProvisioningSODChecks scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. If you click the View link in the Process Form column, then the process form is displayed. The following screenshot shows this page:

    Surrounding text describes dir_prov16_res_proc_frm.gif.

    In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because the SoD engine detected a violation in this particular example, the SoD Check Violation field shows the details of the violation.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    The following screenshot shows this page:

    Surrounding text describes dir_prov15_task_cancl.gif.

    In this screenshot, the status of the Add User Role tasks is Canceled because the request failed the SoD validation process.

  18. As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, first click the Edit link in the Process Form column on the Resource Profile page.

  19. In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.

    Note:

    To modify a set of entitlements in the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.

    In the following screenshot, one of the roles selected earlier is marked for removal:

    Surrounding text describes dir_prov17_edit_enttl.gif.
  20. Rerun the ResubmitUninitiatedProvisioningSODChecks scheduled task to initiate the SoD validation process.

  21. After the ResubmitUninitiatedProvisioningSODChecks scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. If you click the View link in the Process Form column, then the process form is displayed. The following screenshot shows this page:

    Surrounding text describes dir_prov16_res_proc_frm.gif.

    In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because no violation was detected by the SoD engine, the SoD Check Violation field shows Passed.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    The following screenshot shows this page:

    Surrounding text describes dir_prov15_task_cancl.gif.

    On the Resource Provisioning Details page, the state of the Add User Role task is Completed.

3.4.3 Request-Based Provisioning in an SoD-Enabled Environment

The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers the steps to be performed by both parties.

In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.

End-User's Role in Request-Based Provisioning

The following are types of request-based provisioning:

Request-based provisioning of accounts: OIM Users are created but not provisioned target system resources when they are created. Instead, the users themselves raise requests for provisioning accounts.

Request-based provisioning of entitlements: OIM Users who have been provisioned target system resources (either through direct or request-based provisioning) raise requests for provisioning entitlements.

The following steps are performed by the end user in a request-based provisioning operation:

Note:

The procedure is almost the same for request-based provisioning of both accounts and entitlements. Differences have been called out in the following sequence of steps.
  1. Log in to the Administrative and User Console.

  2. Expand My Resources, and then click Request New Resources.

  3. On the Step 1: Provide resources page, use the Add button to select one of the following:

    • SAP R3 Resource Object, if you want to create a request for a target system account

    • SAP UM Roles or SAP UM Profiles, if you want to create a request for an entitlement on the target system

    The following screenshot shows the SAP UM Roles entitlement selected:

    Surrounding text describes req_prov1_slct_rol.gif.
  4. On the Step 2: Provide resource data page, click Continue.

    The following screenshot shows this page:

    Surrounding text describes req_prov2_prov_res.gif.
  5. On the second Step 2: Provide resource data page, select the IT resource corresponding to the target system installation on which you want the selected entitlement.

    The following screenshot shows this page:

    Surrounding text describes req_prov3_prov_res2.gif.
  6. On the third Step 2: Provide resource data page, select the entitlements that you want to request.

    The following screenshot shows two roles selected on this page:

    Surrounding text describes req_prov4_prov_res3.gif.
  7. On the Step 3: Verify information page, review the information that you have provided and then submit the request.

    The following screenshot shows this page:

    Surrounding text describes req_prov5_veri_info.gif.
  8. If you click Submit Now, then the Request Submitted page shows the request ID.

    The following screenshot shows this page:

    Surrounding text describes req_prov6_req_subm.gif.
  9. If you click the request ID, then the Request Details page is displayed.

    The following screenshot shows this page:

    Surrounding text describes req_prov7_req_detail.gif.

    The SOD Status field shows SoDCheckNotInitiated. The value in this field can be SoDCheckNotInitiated, SoDCheckResultPending, or SoDCheckCompleted.

  10. To view details of the approval, select Approval Tasks from the list at the top of the page. The Approval Tasks page is displayed. The following screenshot shows this page:

    Surrounding text describes req_prov8_appr_task.gif.

    On this page, the status of the SODChecker task is Pending.

  11. To initiate SoD validation of pending entitlement requests, an administrator must run the Resubmit Uninitiated Approval SOD Checks scheduled task. The following screenshot shows this scheduled task in the Design Console:

    Surrounding text describes req_prov9_sched_task2.gif.
  12. After the Resubmit Uninitiated Approval SOD Checks scheduled task is run, on the Approval Tasks page, the status of the SODChecker task is Completed and the Approval task status is Pending. This page also shows details of the administrator who must now approve the request.

    The following screenshot shows the Approval Tasks page after the request passes the SoD validation process.

    Surrounding text describes req_prov10_appr_task2.gif.

Approver's Role in Request-Based Provisioning

This section discusses the role of the approver in a request-based provisioning operation.

The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.

Surrounding text describes req_prov11_adm_appr.gif.

In addition, the approver can click the View link to view details of the SoD validation process.

The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request: the SoD result is shown to the approver but does not by itself block approval. The approver can also modify the entitlements in the request.

The following are steps that the approver can perform:

  1. As the approver, to edit and approve a request, click the Edit link.

  2. In the Edit Form window, select the entitlement request data that you want to modify from the list at the top of the window and then make the required change. In the following screenshot, one of the roles that the requester had included in the request has been removed:

    Surrounding text describes req_prov12_edit_req.gif.
  3. Close the Edit Form window, select the check box for the task that you want to approve, and then click Approve.

  4. On the Confirmation page, click Confirm.

    The following screenshot shows this page:

    Surrounding text describes req_prov13_cnfrm_apprv.gif.
  5. On the Request Details page, the SOD Status column shows SoDCheckCompleted.

    If you search for and open the requester's profile, the entitlements granted to the user are shown in the Provisioned state. This is shown in the following screenshot:

    Surrounding text describes req_prov14_res_prof.gif.