Oracle® Identity Manager Administrative and User Console Guide Release 9.1.0.1 Part Number E14057-01
Known issues related to generic technology connectors are divided into the following categories:
This section describes the following known issues related to the names that you specify for generic technology connectors and connector objects:
Summary:
No warning is displayed if the name that you specify for a generic technology connector is the same as the name of an existing connector object.
No warning is displayed if an existing connector object is overwritten by a new connector object when you import a connector XML file.
Description:
During the creation or modification of a generic technology connector, various objects are automatically created or modified by the generic technology connector framework. You are prompted to specify names for the generic technology connector and process forms. The framework automatically generates names for the remaining objects. These autogenerated names are based on the name that you specify for the generic technology connector.
When you specify a name for the generic technology connector, you must ensure that the name is unique across all object categories (such as resource objects and IT resources) for that Oracle Identity Manager installation. Similarly, you must also ensure that the process form names are unique. This guideline must be followed even while importing a generic technology connector XML file to a different Oracle Identity Manager installation. You must ensure that the names of objects defined in the XML file are not the same as the names of objects belonging to the same category on the destination Oracle Identity Manager installation. For example, the name of the scheduled task defined in the XML file must not be the same as the name of any other scheduled task on the destination Oracle Identity Manager installation.
The scope of this guideline covers all connector objects, regardless of whether the object is used by a predefined connector or a generic technology connector on the destination Oracle Identity Manager installation.
If you do not follow this guideline, then existing objects that have the same name as imported objects are overwritten during the XML file import operation. No message is displayed during the overwrite process, and the process leads to eventual failure of the affected connectors.
This point has also been discussed in the "Connector Objects" section.
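A pre-import check for the two naming rules above, as an added example that is not part of Oracle Identity Manager or this guide. It assumes you have already listed object names by category for the connector XML file and for the destination installation (how those lists are obtained is not covered here). The function name, category labels, and sample names are hypothetical, and the case-insensitive comparison is a cautious assumption.

```python
# Added example (not Oracle code): flag name clashes before an XML import.
from collections import defaultdict


def _norm(name):
    # Assumption: compare names case-insensitively, ignoring outer spaces,
    # so that near-identical names are reviewed rather than missed.
    return name.strip().casefold()


def find_collisions(gtc_name, incoming, destination):
    """incoming / destination: iterables of (category, name) pairs.
    Returns a list of (rule, category, name) tuples, one per clash."""
    dest = defaultdict(set)
    for category, name in destination:
        dest[category].add(_norm(name))

    hits = []
    # Rule 1: the connector name must be unique across ALL object categories.
    for category in sorted(dest):
        if _norm(gtc_name) in dest[category]:
            hits.append(("gtc-name", category, gtc_name))
    # Rule 2: an imported object must not share a name with a destination
    # object of the SAME category; it would be overwritten without a message.
    for category, name in incoming:
        if _norm(name) in dest.get(category, set()):
            hits.append(("same-category", category, name))
    return hits


# Constructed inventories (hypothetical names, for illustration only).
DESTINATION = [
    ("resource object", "ADSync"),
    ("IT resource", "MyGTC"),
    ("scheduled task", "Nightly Recon"),
    ("process form", "UD_ADUSER"),
]
INCOMING = [
    ("scheduled task", "nightly recon"),    # same category: clash
    ("resource object", "Nightly Recon"),   # other category: no rule 2 clash
    ("process form", "UD_NEWFORM"),         # unused name: fine
]


def demo():
    return find_collisions("MyGTC", INCOMING, DESTINATION)


if __name__ == "__main__":
    for rule, category, name in demo():
        print(f"{rule}: '{name}' already exists as a {category}")
```

An empty result means neither rule is violated for the names supplied; names that the framework autogenerates from the connector name have to be included in the incoming list to be checked.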
This section describes the following known issues related to the input that you specify on the Step 3: Modify Connector Configuration page:
Summary:
While modifying an existing generic technology connector, if you modify the fields or child data sets of the OIM - Account data set, then corresponding changes are not made in the Oracle Identity Manager database entries for the forms that are based on these data sets. At the same time, no error message is displayed.
Description:
The Step 3: Modify Connector Configuration page provides features to add, modify, and delete fields and field mappings. You can use these features to modify the length or data type of fields in the OIM - Account data set or its child data sets. However, this action would not translate into corresponding changes in the Oracle Identity Manager database entries for these data sets. At the same time, no error message is displayed.
This issue will be fixed in a future release of Oracle Identity Manager. Until then, you must not make changes in the fields or child data sets of the OIM - Account data set.
Summary:
Suppose you create a generic technology connector, use it for provisioning or reconciliation, and then delete fields or child data sets of the OIM - Account data set. An error occurs the next time you perform provisioning or reconciliation by using the same generic technology connector.
Description:
Suppose you create a generic technology connector and then use it for provisioning or reconciliation. You then delete some fields or child data sets of the OIM - Account data set of this generic technology connector. The next time you perform provisioning or reconciliation by using the same generic technology connector, an exception is thrown.
After you use the generic technology connector for provisioning or reconciliation even once, deleting the fields or child data sets of the OIM - Account data set is an invalid operation. This is because data linked to the fields or child data sets that you delete has already been stored in the Oracle Identity Manager database.
Therefore, you must not delete fields or child data sets of the OIM - Account data set if the generic technology connector has already been used to perform provisioning or reconciliation.
In a future release, an appropriate error message will be displayed instead of the exception that is thrown at present.
Summary:
If the name of a Reconciliation Staging field used in a matching-only mapping were to be reused as the name of a field in a Reconciliation Staging child data set, then reconciliation would fail.
Description:
You create a reconciliation rule by creating matching-only mappings between fields of the Reconciliation Staging data set and OIM - User data set. If there are child data sets, then you must ensure that the names of fields of the Reconciliation Staging data set that are input fields for the matching-only mappings are not used in any of the Reconciliation Staging child data sets. If the name of a Reconciliation Staging field used in a matching-only mapping were to be reused as the name of a field in a Reconciliation Staging child data set, then reconciliation would fail.
The following example illustrates this scenario:
The AD_User data set is the Reconciliation Staging parent data set. The following are the fields of this data set:
User ID
Name
Designation
Location
The Admin_Groups data set is a child data set of the AD_User data set. If you use the User ID field of the AD_User data set to create a matching-only mapping with the OIM - User data set, then you cannot have a field with the name User ID in the Admin_Groups data set. If this child data set were to contain a field with the name User ID, then reconciliation would fail.
Summary:
The Password field is displayed in the OIM – User data set, even though this field is not reconciled by the reconciliation engine.
Description:
If you select the Trusted Source Reconciliation option on the Step 1: Provide Basic Information page, then the Password field is displayed in the OIM – User data set on the Step 3: Modify Connector Configuration page, even though this field is not reconciled by the reconciliation engine. If you create a mapping between this field and the corresponding target system field in the Reconciliation Staging data set, then the reconciliation field mapping that is automatically generated would try to map the field to the Password field. This, in turn, would cause the reconciliation event to fail.
There are limitations related to creating transformation mappings across the following data sets:
Source and Reconciliation Staging
OIM and Provisioning Staging
These limitations are as follows:
You cannot create a transformation mapping between a child data set of the Source or OIM data set and a different (that is, not corresponding) child data set of the Reconciliation Staging or Provisioning Staging data sets. This also means that you cannot create a many-to-one mapping from multiple child data sets of one parent data set to a single child data set of another parent data set.
The following example illustrates this limitation:
Suppose the Source parent data set has the following child data sets:
MyGTC:Group data set
Field 1: Group Name
Field 2: Group Type
MyGTC:Role data set
Field 1: Role Name
Field 2: Role Type
Suppose the Reconciliation Staging parent data set has the following child data sets:
MyGTC:Group data set
Field 1: Group Name
Field 2: Group Type
MyGTC:Role data set
Field 1: Role Definition
According to this limitation, you cannot create a transformation mapping between, for example, the Group Name field of the Source data set and the Role Definition field of the Reconciliation Staging data set.
However, you can create a many-to-one transformation mapping between, for example, the Role Name and Role Type fields of the Source data set and the Role Definition field of the Reconciliation Staging data set.
You cannot create a transformation mapping between a Source or OIM parent data set and a Reconciliation Staging or Provisioning Staging child data set.
The following example illustrates this limitation:
Suppose the following are OIM data sets and their fields:
Field 1: Name
Field 2: Address
Field 3: User ID
...
Suppose the following are Provisioning Staging child data sets and their fields:
Group data set
Field 1: Group Name
Field 2: Group Type
According to this limitation, you cannot create a transformation mapping between, for example, the Name field of the OIM - Account data set and the Group Name field of the Group data set.
To create a reconciliation rule, you create matching-only mappings between fields of the Reconciliation Staging data set and the OIM - User data set. If there are child data sets, then ensure that the names of fields of the Reconciliation Staging data set that are input fields for the matching-only mappings are not used in any of the Reconciliation Staging child data sets.
If this guideline is not followed, then reconciliation would fail.
Suppose you set the Date data type for a field on a child form. A Delete Child Record provisioning operation would fail if there is a date value in this field during the operation.
This section describes the following known issues related to the Multilanguage Support feature:
Summary:
No warning is displayed if there are non-ASCII characters in the first or second line of the data files in the staging directory.
Description:
There is no support for non-ASCII data in the metadata of target system user data. If you use the CSV Reconciliation Format Provider, then this limitation means that you cannot include non-ASCII characters in the metadata line (second line) of the parent and child data files that you store in the staging directory.
The reason for this limitation is as follows:
The generic technology connector framework creates User Defined process forms in Oracle Identity Manager and names the forms and their fields on the basis of the input metadata. In addition, database tables and columns are created for these forms and their fields, respectively. Because non-ASCII characters cannot be used in database object names, these characters are not supported in the target system metadata.
The generic technology connector framework may be able to parse and correctly display non-ASCII characters in the first and second lines of the data files. However, to ensure that the connector objects are created correctly, you must ensure that non-ASCII characters are not used in the first and second lines of the data files.
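Because no warning is displayed, the first two lines of each data file can be checked before reconciliation runs. The following is an added example, not Oracle code and not part of this guide: it scans the raw bytes of every file in a staging directory and reports non-ASCII bytes on lines 1 and 2 only. The sample file names and contents are constructed, and treating a UTF-8 byte-order mark as a finding is a deliberate, conservative choice.

```python
# Added example (not Oracle code): pre-flight check for staging data files.
import tempfile
from pathlib import Path

HEADER_LINES = 2  # lines 1 and 2 must be ASCII-only; data starts on line 3


def non_ascii_in_header(raw: bytes):
    """Return (line_no, byte_offset, byte_value) for each non-ASCII byte
    in the first two lines of a data file's raw contents."""
    findings = []
    # Inspect bytes, not decoded text, so no encoding has to be guessed.
    # A UTF-8 byte-order mark is part of line 1 and is reported as well.
    for line_no, line in enumerate(raw.splitlines()[:HEADER_LINES], start=1):
        for offset, value in enumerate(line):
            if value > 0x7F:
                findings.append((line_no, offset, value))
    return findings


def scan_staging_dir(staging_dir):
    """Return {file name: findings} for every file that fails the check."""
    report = {}
    for path in sorted(Path(staging_dir).iterdir()):
        if path.is_file():
            findings = non_ascii_in_header(path.read_bytes())
            if findings:
                report[path.name] = findings
    return report


# Constructed sample files; names and contents are invented for the demo.
SAMPLES = {
    # Non-ASCII only from line 3 onward: allowed.
    "parent_ok.csv": b"constructed first line\nUser ID,Name,Location\n"
                     b"jdoe,Jos\xc3\xa9 D\xc3\xadaz,M\xc3\xa1laga\n",
    # Accented letter in the metadata line (line 2): must be flagged.
    "parent_bad.csv": b"constructed first line\nUser ID,Nombre,Ubicaci\xc3\xb3n\n"
                      b"jdoe,John Doe,Madrid\n",
    # UTF-8 byte-order mark written by an editor at the start of line 1.
    "child_bom.csv": b"\xef\xbb\xbfconstructed first line\nGroup Name,Group Type\n",
}


def demo():
    """Write the samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, raw in SAMPLES.items():
            (Path(tmp) / name).write_bytes(raw)
        return scan_staging_dir(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        for line_no, offset, value in findings:
            print(f"{name}: line {line_no}, byte {offset}: 0x{value:02X}")
```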
Note:
From the third line onward in the data files, the field data values can contain non-ASCII characters. These data values are reconciled and stored in the Oracle Identity Manager database.
Summary:
For any language that Oracle Identity Manager supports, if the browser language setting does not match the operating system language setting of the Oracle Identity Manager server, then data is not displayed correctly on the Step 3: Modify Connector Configuration page.
Description:
The Step 3: Modify Connector Configuration page displays an image that is dynamically created by the generic technology connector framework. The following are limitations related to the display of localized text items on this page:
The language in which you want field labels to be displayed must match the following language settings:
Oracle Identity Manager language
Operating system language
Browser language
If the browser language setting is the same as the operating system language setting of the Oracle Identity Manager server, then all the text items (field names and GUI element labels) are displayed in the required language.
Note:
Localized GUI element labels are displayed only if you create and use resource bundles that contain localized labels for these GUI elements.
If you are using the Traditional Chinese or Simplified Chinese language, then the browser locale (language and country/region) must be the same as the operating system locale (language and country/region) for all the text items to be displayed in the required language.
If the browser language is not the same as the operating system language, then the following static labels would be displayed in English (regardless of the browser language):
Labels of the OIM - User and OIM - Account data sets: "User" and "Account"
Labels of the fields that constitute the OIM - User data set:
"User ID"
"Email"
"First Name"
"Last Name"
For non-ASCII languages, labels for the remaining items on the Step 3: Modify Connector Configuration page would not be displayed correctly.
Summary:
Certain text items displayed on the Step 3: Modify Connector Configuration page are always displayed in English.
Description:
For this release, some of the static text displayed on the Step 3: Modify Connector Configuration page has not been localized. For example, suppose you create a generic technology connector named MyGTC. When you provision the resource object of this connector to a user, the following text is displayed on the page:
Provisioning form for MyGTC
Child Form of MyGTC representing child-dataset: child_data_set_name
In this release of Oracle Identity Manager, the static part of this text is always displayed in English.
If required, you can localize the static text as follows:
For the language to which you want to localize the text, open the corresponding customResources.properties file. The files for all the languages that Oracle Identity Manager supports are in the OIM_HOME/xellerate/customResources directory.
The following example illustrates this step of the procedure.
Suppose you specify the following values while creating a generic technology connector:
Connector Name: MyGTC
Parent Form name: ADUser
Child data set name: ADUserRole
Child form name: ADURole1
If you want the static text to be displayed in the Spanish language, then open the customResources_es.properties file. This file is in the OIM_HOME/xellerate/customResources directory.
In the customResources.properties file for the required language, add the following lines:
global.UD_PARENT_FORM_NAME.description=Localized_text_for_"Provisioning form for" GTC_name
global.UD_CHILD_FORM_NAME.description=Localized_text_for_"Child Form of" GTC_name Localized_text_for_"representing the child data set": child_data_set_name
In these two lines, replace:
PARENT_FORM_NAME with the name of the parent form
The parent form name is always converted to uppercase letters in Oracle Identity Manager. Therefore, the name that you enter must be in uppercase letters.
Localized_text_for_"Provisioning form for" with localized text for the words "Provisioning form for"
GTC_name with the name of the generic technology connector
CHILD_FORM_NAME with the name of the child form
The child form name is always converted to uppercase letters in Oracle Identity Manager. Therefore, the name that you enter must be in uppercase letters.
Localized_text_for_"Child Form of" with localized text for the words "Child form for"
child_data_set_name with the name of the child data set
For example:
For the Spanish language, add the following lines in the customResources_es.properties file:
global.UD_ADUSER.description=Spanish_text_for_"Provisioning form for" MyGTC
global.UD_ADUROLE1.description=Spanish_text_for_"Child Form of" MyGTC Spanish_text_for_"representing the child data set": ADUserRole
This section describes the following known issues related to the connector objects that are automatically created by the generic technology connector framework:
Summary:
No warning is displayed if the name that you specify for a generic technology connector is the same as the name of an existing connector object.
No warning is displayed if an existing connector object is overwritten by a new connector object when you import a connector XML file.
Description:
This point has also been discussed in the "Names of Generic Technology Connectors and Connector Objects" section.
Summary:
After an error occurs during generic technology connector creation, form names are not displayed on the Step 4: Verify Connector Form Names page when you revisit that page by clicking Back on the Step 5: Verify Connector Information page.
This is intentional and not the result of an issue or limitation of the software.
Description:
As mentioned earlier in this guide, some connector objects are automatically created even if the overall generic technology connector creation process fails. This set of connector objects includes process forms whose names you specify on the Step 4: Verify Connector Form Names page. In the event that the connector creation process fails, you are prompted to enter new form names through the display of blank fields on the Step 4: Verify Connector Form Names page. This is to ensure that the uniqueness checks on the process form names are reapplied when you submit the new form names.
As an alternative to revisiting the previous pages and providing input for creating the generic technology connector, you can start all over again from the Step 1: Provide Basic Information page and re-create the generic technology connector.
Summary:
You cannot provision generic technology connector resource objects to organizations defined in Oracle Identity Manager.
Description:
A resource object is one of the connector objects that get created automatically during generic technology connector creation. This resource object can be provisioned only to OIM Users. You must not attempt to provision it to organizations defined in Oracle Identity Manager.
Summary:
Customization work done on objects of a generic technology connector would be overwritten if you perform a Manage Generic Technology Connector operation.
Description:
You can use the Design Console to customize connector objects that are automatically created during generic technology connector creation. However, after you customize connector objects, if you perform a Manage Generic Technology Connector operation, then all the customization done on the connector objects would be overwritten. Therefore, Oracle recommends that you apply one of the following guidelines:
Do not use the Design Console to modify generic technology connector objects.
The exception to this guideline is the IT resource. You can modify the parameters of the IT resource by using the Design Console. However, if you have enabled the cache for the GenericConnector and GenericConnectorProviders categories, then you must purge the cache either before or after you modify IT resource parameters. See Oracle Identity Manager Best Practices Guide for information about running the PurgeCache utility.
If you use the Design Console to modify generic technology connector objects, then do not use the Manage Generic Technology Connector feature to modify the generic technology connector.
Connector objects that are automatically created are not deleted even if the generic technology connector creation process fails.
This section describes the following known issues that do not fall under any of the preceding categories:
Summary:
Unsafe-Filename exceptions may be thrown during the generic technology connector creation process.
Description:
On Oracle WebLogic Server and Oracle Application Server, the Unsafe-Filename exception may be thrown during the generic technology connector creation process. This exception can be ignored. The generic technology connector creation process is not affected by the occurrence of these exceptions. This issue is not seen on IBM WebSphere Application Server and JBoss Application Server.
Generic technology connectors do not support the reconciliation of parent data deletion.
You cannot use a generic technology connector to reconcile the deletion of parent data. For example, if the account of user John Doe is deleted from the target system, then you cannot use a generic technology connector to reconcile this user deletion in Oracle Identity Manager.
Summary:
The contents of a UDF are not encrypted if the Password Field and Encrypted attributes have been set for the field by using the Design Console.
Description:
As mentioned earlier, the Password field is one of the predefined fields of the OIM - User data set. The Password Field and Encrypted attributes are set for this field. By using the Design Console, you can set the Password Field and Encrypted attributes for a UDF that you create. This would give the newly created UDF the same properties as the existing Password field. However, the generic technology connector framework treats this field the same as any other text field (with the String data type) and the contents are not encrypted in the Administrative and User Console or database.
In this release of Oracle Identity Manager, the generic technology connector framework does not provide some of the functionality that the Design Console offers for creating reconciliation rules. Only reconciliation rules of the following pattern can be created:
A equals B
"and"
C equals D
"and"
E equals F
For more information about working with reconciliation rules, refer to Oracle Identity Manager Design Console Guide.
While creating a generic technology connector, you cannot specify that the target system requires a remote manager to communicate with the target system. Therefore, a generic technology connector cannot use a remote manager.
You use the Target Date Format parameter to specify the format in which date values must be sent to the target system during provisioning. Date validation for this parameter does not take place if you enter a date in numeric format. For information about the date formats that you can specify, see the following Web page:
http://java.sun.com/docs/books/tutorial/i18n/format/simpleDateFormat.html#datepattern
Scheduled tasks that are not currently running have the INACTIVE status. These tasks run at the next specified date and time. Under certain conditions, a scheduled task is automatically assigned the NONE status. However, this status change does not affect the functionality of the task, which continues to run at the specified date and time.
When you import a release 9.0.3 generic technology connector into a release 9.1.0.1 Oracle Identity Manager installation, a non-fatal exception is recorded in the application server log file.
This occurs only if the connector supports provisioning, regardless of whether or not it supports reconciliation. You can ignore this exception message. No error message is displayed on the Administrative and User Console.
During a Manage Generic Technology Connector operation, if you change the data type of a field in the OIM - Account data set, then an error is thrown when you click Create on the Step 5: Verify Connector Information page.