3 Data Load

This chapter provides procedures for initial load of data into Oracle Role Manager. The data loader can be used to load data into the system. For information about implementing special processing as part of a load procedure, contact your Oracle Consulting Services representative.

This chapter assumes you have deployed the standard data model provided with Oracle Role Manager or a custom model built on the standard model. It also assumes that you understand the business requirements associated with the data that must be loaded into Oracle Role Manager.

It contains the following topics:

Load Process Overview
Data Load Scenarios
Understanding the Standard Model (Default)
Preparing Data Files
Running the Data Loader

3.1 Load Process Overview

To determine the best approach for loading data into Oracle Role Manager, it is important to understand the overall load process along with the sample scripts and procedures provided with Oracle Role Manager.

The overall load process of data into Oracle Role Manager (see Figure 3-1) involves the following components:

Load request

The load request defines which load procedures should run as part of the data load. This file also specifies the order for loading objects in the required sequence.
Data files

Normally in CSV format (although any character delimiter is supported), data files contain the actual data to load into Oracle Role Manager. For more information about data files, refer "Load Requests".

Note:
Oracle does not recommend you to use Microsoft Excel to edit the CSV file, because it inserts extra quotes when you insert double quotes in the file.
Load procedures

Load procedures contain the object creation and relationship creation procedures that map to the Business Logic (BL) definitions. Load procedures are a clean representation of the default load operations, uncluttered by the system-level details contained in the BL definitions. For more information about load procedures, refer "Default Loader Procedures (Standard Model)".
Business logic definitions

The BL definitions contain detailed procedures representing the default loadable objects, attributes, and relationships and the XML mapping to Business Logic Plug-ins for business operations called by the loader request. For more information about Business Logic Plug-ins, refer "Business Logic Plug-ins". For information about car file, refer to Step 4 of "Loading Data From an External Database".
File parsing scripts

These scripts contain mappings to load procedures and the load sequence of input parameters (attributes) within the load operation relative to object type. This commonly includes only a subset of the object's attributes into which to load data.

All data loaded into Oracle Role Manager is processed by the BL layer to ensure that various constraints are enforced at load time. For example, IT roles in Oracle Role Manager only gain membership through business role mappings. This is enforced by having the object definitions in the load procedures match those in the BL definition files. Another example is that the BL definition for the person object contains either the same or a superset of attribute definitions as those included in the createPerson load procedure.

If you have data to load into custom object definitions or custom attributes, you will need to add new business logic and load procedures.

Figure 3-1 Overall Data Load Process

Description of "Figure 3-1 Overall Data Load Process"

3.2 Data Load Scenarios

Before loading data, there are three questions you should ask to help identify the approach to take in loading your data:

Does the deployed data model contain all the object types and attributes you want to load?
Do the standard load procedures for each of your object types contain all of the operations you need?
Do the load operations in file parsing scripts for each of your object types contain all of the attributes you want to load?

The following three examples describe the possible business scenarios around initial data loads into Oracle Role Manager. Choose the most suitable scenario, which will identify the steps that you will need to follow. (For information about the Oracle Role Manager standard defaults, refer "Default Loader Procedures (Standard Model)".)

For each of these examples, you can refer to Figure 3-1 to help visualize the load process flow for your deployment of Oracle Role Manager.

Example 3-1 The data you want to load already maps to the standard data model and standard load procedures.

The standard data model and the file parser scripts must contain all the object types and attributes that you want to load and there are no model changes required to load your data set.

Even if your business model requires data model extensions, because you don't need to load data into the extended schema, you can still use the sample scripts.

This example requires the following steps:

Create load request.
Prepare data files.
Bundle and upload data with request.

Example 3-2 The standard data model supports the data you want to load, but the attributes in file parser load scripts aren't what you want.

In other words, the mismatch is only in the way the file parser script orders or maps the subset of attributes for a particular of multiple object types. For example, if the person file parser script maps six attributes for person data and you want to load twelve attributes.

As in Example 3-1, if the data model has been extended but the data you want to load is not part of the custom model, fewer components are involved in the load process.

This example requires the following steps:

Create new file parser scripts from existing sample scripts.
Bundle and deploy new configuration.
Create load request.
Prepare data files.
Bundle and upload data with request.

Example 3-3 The data to load must go into a custom model.

Whether your data model extensions into which you want to load data are an added attribute or a new object type, loading data into a custom model requires supporting business logic and new process definitions.

This example assumes the data model has already been extended and requires the following steps:

Create BL definitions.
Create load procedures.
Create file parser scripts.
Bundle and deploy new configuration.
Create load request.
Prepare data files.
Bundle and upload data with request.

3.3 Loading Data From an External Database

You can load the data into Role Manager from an external database by performing the following steps:

Write an SQL query to select the data that you want to load into Role Manager. Your query should return all attributes that Role Manager requires for the kind of object being loaded. Assign a name to each column of the query returned. The following is an example query that returns the required attributes for Role Manager PERSON objects:

Example 3-4 Query that returns attributes for Role Manager PERSON objects.

select 'A000001' as id,

'John' as first_name,

'Smith' as last_name,

'John Smith' as display_name,

'active' as status

from dual
Define a data source that your application server can use to execute queries. The procedure for doing this varies from one application server to the other.

Create a load script that will execute your query and return query results to the appropriate Role Manager task.

For example a load script named persondb_script.xml creates a procedure named loadPersonsFromDB. The version of the script and its dependencies are declared. In this case the business logic dependency was copied from another load script. If you go through several iterations of the script while debugging, it is important to increment the version number whenever the script is changed. When deploying the script, the new version number signals Role Manager that any previous versions are obsolete. If the version number is not incremented, then the deploy task exits without deploying the new script.

Note:

The loadPersonsFromDB procedure includes the query developed in the example and uses the JNDI name for the data source that will execute the query. This procedure will call the Role Manager loader's standard "createPerson" procedure.
In the input-params section of the script columns in the query's result set are mapped to the parameters of the createPerson procedure.

Example 3-5 Load Data

<!-- persondb_script.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<load-script xmlns="http://xmlns.oracle.com/iam/rm/loader/script/1_0"
xmlns:t="http://xmlns.oracle.com/iam/rm/type/def/1_0"
id="persondb_script" version="10.1.4.6">

<dependencies>
<business-logic-dependency def-id="bizlogic.sample" version="10.1.4.1"/>
</dependencies>

<procedures>
<procedure id="loadPersonsFromDB">
<operations>
<database-load id="database" 
datasource="java:/ExternalDS"
query-sql="select 'A000002' as id, 'John' as first_name, 'Smith' as last_name, 'John Smith' as display_name, 'active' as status from dual">
<procedure-call id="call" 
procedure-id="createPerson" 
script-id="procedures">

<input-params>
<column name="givenName" column-name="first_name"><t:string-ext/></column>
<column name="sn" column-name="last_name"><t:string-ext/></column>
<column name="displayName" column-name="display_name"><t:string-ext/></column>
<column name="uniqueName" column-name="id"><t:string-ext/></column>
<column name="status" column-name="status"><t:string-ext/></column>
</input-params>
</procedure-call>
</database-load>
</operations>
</procedure>

</procedures>

</load-script>

<!-- end persondb_load.xml>

Deploy the load script. You can do this by creating a car file that contains just the script(s) that loads the external data. First put the load script in a directory with the path name that loader expects (config/oracle.iam.rm.loader). A test directory (test_dbload) was used to isolate this experiment from the Role Manager installation:

test_dbload\config\oracle.iam.rm.loader

To create the car file:
1. Change to the parent of the config directory (test_dbload). Use zip to create the car file:
  
  jar -cvf test_dbload.car config
2. Copy testdb_load.car to the ORM_HOME/config directory.
3. Make sure the appserver has been stopped and then deploy the new car file using ORM_HOME/bin/deploy.bat:
  
  deploy.bat "..\config\test_dbload.car" ormowner ormuser admin
Create a load request that calls the loadPersonsFromDB procedure. Example 3-6 calls "persondb_script" and "loadPersonsFromDB". No parameters are required for this load, but it seems that a parameter section is required even if it is empty. The ordering mode ("trusted-sequential") was copied from another load script.
Example 3-6 Load Request
```

<?xml version="1.0" encoding="UTF-8"?>
<load-request xmlns="http://xmlns.oracle.com/iam/rm/loader/data/1_0" load-script-id="persondb_script" procedure-id="loadPersonsFromDB" ordering-mode="trusted-sequential">
 
<parameters>
</parameters>
</load-request>
```
Create a DAR file to contain the load request. Use zip to create the dar file:

zip dbtest.dar load-request.xml
Load the data by performing the following steps:
1. Start the application server.
2. Open ormconsole in a web browser and click Upload.
3. Enter the username and password for the admin user and browse for dbtest.dar.
4. Click Load.

3.3.1 Data Loading from the Command Line

The load.sh file is designed to allow loading DAR files in the Role Manager console in a command-line pattern. Using this feature, you can load DAR files automatically. The following is the command used to load the DAR file:

load.bat server_url dar_file orm_username

An example for this command is:

load.bat http://localhost:8080/ ../data/my_people.dar admin

When you execute this command, the password for the administrator user is prompted. If you are loading the DAR file automatically, you can avoid the password prompt using the following command:

load.bat http://localhost:8080/ ../data/my_people.dar admin/admin123

Running the automated load process may raise a security issue. This is because, users with access to the computer running the tool can see the administrator's password in the process list. To avoid compromising, Oracle recommends that you create a custom system identity for data loading and grant that identity a role configured with the minimum system privileges for the data to be loaded. The following example illustrates this scenario.

Example 3-7 Loading Data With Custom System Identity

Assume that the command-line tool is only used for loading people as part of reconciliation process. The system identity used for the tool must be able to run the person reconciliation business operation. To enable this and to limit the impact of this user's credentials being exposed, perform the following:

Create a new permission called "reconcile" and associate it with the person object type.
Create a new business operation for the person attribute reconciliation and assign "reconcile" privilege on person.
Create a new loader script that invokes the new business operation.
Create a new system role and associate it with the new "reconcile person" privilege.
Create a new system identity and grant the new system role to it. For more information about system identity, refer to Chapter 4.

The newly created system identity can now only be used to load person details to be reconciled.

Note:

The system identity created for loading person details to be reconciled cannot be used for loading anything other than person details.

3.4 Understanding the Standard Model (Default)

The default loader components can be used to understand the data loading process. This section describes these components in more detail and shows you where to find the scripts that you will either use by default or use as starting places, should you need to create new ones.

It may be useful to familiarize yourself with the standard data model along with any schema extensions that are planned or already deployed.

In this section:

Sample Loader Scripts and Standard Model Description
Default Loader Procedures (Standard Model)
Business Logic Definitions
File Parsing Scripts
Load Requests

3.4.1 Sample Loader Scripts and Standard Model Description

To view the sample loader scripts and procedures, you will need to extract them from the archive files provided in your Oracle Role Manager installation. You may want to refer to these file on an ongoing basis or you may want to use them for convenience as a starting place for your customized load processes.

To get the sample loader scripts and related files:

On the Oracle Role Manager installation host, navigate to ORM_HOME/config.
Using an utility like WinZip or gunzip, extract the entire contents of standard.car into a temporary location.
In the temporary location used to extract the files, navigate to config/oracle.iam.rm.loader.

These are copies of the files that are used when running the standard data procedure.
From the same location, navigate to config/oracle.iam.rm.bizlogic.def.

You will see the bizlogic.loader.xml file that is referenced when running the standard data procedure.
From the same location, navigate to config/oracle.iam.rm.temporal.

You will see the standard.xml file that represents the data model supporting the loader and the Oracle Role Manager Web UI.

These can be modified and used as a starting place for custom procedures.

3.4.2 Load Requests

Load requests specifies which load operations to run for a particular data load, while mapping the load operations to data files bundled with the load request in a DAR file (data archive).

Example 3-8 Load Request

<load-request load-script-id="reporting_script" procedure-id="buildReportingHierarchy">
  <parameters>
    <resource-ref name="reporting_file">
      <resource-path>reporting.txt</resource-path>
    </resource-ref>
  </parameters>
</load-request>

Load requests must be contained in a single file to ensure the operations are run in the correct sequence. The supported sequence of operations is shown in Table 3-1.

Table 3-1 Required Sequence of Load Operations

Operations in Sequence	File Parser
Roles
loadBusinessRoles (Maps first to the data file containing the business roles, then to membership rules data, and finally to eligibility rules data.)	business_role_script
loadSystemRoles	system_role_script
loadITRoles	it_role_script
loadApprovers	approver_script
loadITPrivileges Note: Although in the user interface, the term `ITPrivilege` has been changed to `Entitlement`, it remains unchanged in the script.	it_privileges_script
loadITRolePrivilegeMappings	itrole_to_privilege_script
loadSystemRolePrivilegeMappings	systemrole_to_privilege_script
loadBusinessRoleToItRoleMappings	businessrole_to_itrole_script
Organizations
loadOrganizationsWithParents	organization_script
loadOrganizationalUnitsWithParents	organizational_unit_script
loadPersons	person_script
buildPersonReportingHierarchy	reporting_person_script
buildLocationHierarchy	location_script
buildCostCenterHierarchy	cost_center_script
buildReportingHierarchy	reporting_script
RoleGrants
loadBusinessRoleGrants	business_role_grant_script
loadSystemRoleGrants	system_role_grant_script

Note:

Relationships between objects cannot be created until those objects already exist, so depending on these relationships, sequence can be an important relative to the business logic of the load operations.

3.4.3 File Parsing Scripts

The file parsing scripts determine which attributes to load and in what order. The matching data files must use the same order. It is recommended that there be a single parsing script for each entity type.

In the following example, note the input parameters in the operations section. This is where the order is specified.

Example 3-9 File Parser (reporting_script)

<?xml version="1.0" encoding="UTF-8"?>
<load-script xmlns="http://xmlns.oracle.com/iam/rm/loader/script/1_0"
             xmlns:t="http://xmlns.oracle.com/iam/rm/type/def/1_0"
        id="reporting_script" version="10.1.4"> 
<dependencies>
  <script-dependency script-id="procedures" version="10.1.4"/>
</dependencies>
 
<procedures>
  <procedure id="buildReportingHierarchy">
    <input-params>
      <input-param name="reporting_file">
        <t:binary>
          <t:non-null-constraint id="non-null">
            <t:violation-message>The binary must be provided.</t:violation-message>
          </t:non-null-constraint>
        </t:binary>
      </input-param>
    </input-params>
    <operations>
      <file-load id="file" file-param="reporting_file">
        <string-tokenizer string-delimiter="^" token-separator=",">
          <data-events>
            <data-event id="add_reporting">
              <procedure-call id="call" procedure-id="addToReportingHierarchy" script-id="procedures">
                <input-params>
                <token name="child-name" index="0"><t:string-ext/></token>
                <token name="parent-name" index="1"><t:string-ext/></token>
                </input-params>
              </procedure-call>
            </data-event>
          </data-events>
        </string-tokenizer>
      </file-load>
    </operations>
  </procedure>
</procedures>
</load-script>

3.4.4 Business Logic Definitions

The business logic (BL) definitions further define the allowable operations that can be invoked by load requests. These definitions, in a single XML file (bizlogic.loader.xml), contain the same operations as those in the load procedures file (see Table 3-2) yet also include further details such as:

Load confirmation text and argument mappings used for audit messages
The plug-in configuration containing the ID used to execute the load operation

Example 3-10 Plug-in Configuration (addToReportingHierarchy)

<snapshot-logic-definition plugin-pack-id="oracle.iam.rm.bizlogic.plugin.standard_ext" plugin-id="add_to_hierarchy">
  <ext config-version="1.0">
    <config>
      <![CDATA[
        <add-to-hierarchy xmlns="http://xmlns.oracle.com/iam/rm/bizlogic/plugin/standard_ext/1_0"
          hierarchy-type="reportingHierarchy"           parent-id-attribute-name="reportingOrg_id"
          root-id-attribute-name="reportingHierarchyRoot_id">
          <attributes>
            <attribute attribute-id="child-name" argument-id="child-name"/>
            <attribute attribute-id="parent-name" argument-id="parent-name"/>
          </attributes>
        </add-to-hierarchy>
      ]]>
    </config>
  </ext>
</snapshot-logic-definition>

In the preceding example, the plug-in ID is add_to_hierarchy and the configuration specifies the hierarchy type and the relationship paths, which allows that the Java plug-in class that handles this operation can be used for adding any object to any hierarchy, if it's supported by the schema.

3.4.5 Default Loader Procedures (Standard Model)

The default loader procedures, in a single XML file (procedures.xml), provide a convenient view into the standard data model as it relates to the default load operations. This file maps procedures to the business logic operations that can be called by load requests.

The load procedures define data loading operations that will be called in a load request (see Table 3-2) that can be used to create objects and relationships between those objects. The load procedures also illustrate data loading for all the attributes and object types in the standard data model. Example 3-11 illustrates procedure for data loading operation, addToReportingHierarchy defined in the definition-id, bizlogic.loader.

Example 3-11 Load Procedure (addToReportingHierarchy)

<procedure id="addToReportingHierarchy">
  <input-params>
    <input-param name="child-name">
      <t:string>
        <t:length id="length" max-length="256">
          <t:violation-message>The organization's name can be no longer than 256 characters.</t:violation-message>
        </t:length>
      </t:string>
    </input-param>
    <input-param name="parent-name">
      <t:string>
        <t:length id="length" max-length="256">
          <t:violation-message>The parent's name can be no longer than 256 characters.</t:violation-message>
        </t:length>
      </t:string>
    </input-param>
  </input-params>
  <operations>
    <business-transaction-operation id="add_to_reporting_hierarchy" definition-id="bizlogic.loader" operation-id="addToReportingHierarchy">
      <input-params>
        <param name="child-name" param-name="child-name"> <t:string-ext/></param>
        <param name="parent-name" param-name="parent-name"> <t:string-ext/></param>
      </input-params>
    </business-transaction-operation>
  </operations>
</procedure>

Note:

For File Parser definitions, refer to the oracle.iam.rm.loader file in the following location:

ORM_HOME/config/standard.car/config/oracle.iam.rm.loader

Table 3-2 Default Load Procedures in the Standard Model

Operation	Description	Attributes	File Parser
addManagerToPersonHiearchy	Creates a relationship between a manager and a person.	This operation requires the following attributes: child_email—email of the managed person. parent_email—email of the manager. Note: The default procedure identifies the person and the manager by their email attributes. If your data file contains the `uniqueName` attribute instead, you may need to first create and deploy your custom loader scripts. You need to add your own custom BL and procedure files and call the procedure from your `load-request.xml.`	person_manager_script
addPersonToReportingHiearchy	Creates a relationship between a person and a reporting hierarchy (organization in the reporting hierarchy).	This operation requires the following attributes: uniqueName—Name representing the person. parent-name—Name of parent organization in the reporting hierarchy.	reporting_person_script
addOrgHeadToOrganization	Creates a relationship between an organization head and the organization.	This operation requires the following attributes: org-name (displayName)—Name of the organization to which to add the org head. orgHead-mail (uniqueName)—Identifier representing the organization head.	organization_head_script
addToCostCenterHierarchy	Creates a relationship between an organization and the cost center hierarchy.	This operation requires the following attributes: child-name—Name of the organization to add to the cost center hierarchy. parent-name—Name of parent organization in the cost center hierarchy.	cost_center_script
addToLocationHierarchy	Creates a relationship between an organization and the location hierarchy.	This operation requires the following attributes: child-name—Name of the organization to add to the location hierarchy. parent-name—Name of parent organization in the location hierarchy.	location_script
addToReportingHierarchy	Creates a relationship between an organization and the reporting hierarchy.	This operation requires the following attributes: child-name—Name of the organization to add to the reporting hierarchy. parent-name—Name of parent organization in the reporting hierarchy.	reporting_script
createApprover	Creates an Approver Role with the attributes.	This operation requires the following attributes: displayName—User-readable name of the Approver Role. uniqueName—Identifier for the Approver Role. description—Text description of the Approver Role. eligibilities—Grant Policy eligibility rule in XML format. membershipRule—Membership rule in XML format. roleType—Either `dynamic` or `static` (required).	approver_script
createApproverRoleGrant	Grants an Approver Role to a person with the attributes.	This operation requires the following attributes: uniqueName—identifying the person to whom to grant the Approver Role. role_title (displayName)—Name of the Approver Role to grant.	approver_role_grant_script
createBusinessRole	Creates a Business Role with the attributes.	This operation requires the following attributes: description—Text description of the Business Role. displayName—User-readable name of the Business Role. eligibilities—Grant Policy eligibility rule in XML format. approverType—Approver for the Static Business Role. It can be `roleowner`, `specificperson`, or `noapproval`. isDelegatable—Either `true` or `false` depending on whether the Business Role can be delegated to another user by the grantee. If not specified, the default is `false`. membershipRule—Membership rule in XML format. roleType—Either `dynamic` or `static`. socHierarchyType (socHierarchy_id)— Name of the Business Role that can be used for sphere of control for the role. uniqueName—Name for the Business Role.	business_role_script
createBusinessRoleGrant	Grants a Business Role to a person by creating a role grant relationship with the attributes.	This operation requires the following attributes: uniqueName—Name of the person to whom to grant the Business Role. role_title (displayName)—Name of the Business Role to grant.	business_role_grant_script
createBusinessRoleToItRoleMapping	Maps a Business Role to an IT Role by creating a relationship with the attributes.	This operation requires the following attributes: businessRole (displayName)—Name of the Business Role to map. itRole (displayName)—Name of the IT Role to map.	business_to_itrole_script
createITRole	Creates an IT Role with the attributes. If you have deployed the data model extensions for the integration with Oracle Identity Manager, additional attributes can also be loaded. Refer to the Oracle Role Manager Integration Guide for Oracle Identity Manager for more information.	This operation requires the following attributes: displayName—User-readable name of the IT Role (required) isDelegatable—Either `true` or `false` depending on whether the role can be delegated to another user by the grantee. If not specified, the default is `false`. roleType—Either `dynamic` or `static`. uniqueName—Identifier for the IT Role. isFinanceRelated—Either true or false. If not specified, the default is false. isHighRisk—Either true or false. If not specified, the default is false. isNpiRelated—Either true or false. If not specified, the default is false. isSoxRelated—Either true or false. If not specified, the default is false.	it_role_script
createITPrivilege Note: Although in the user interface, the term `ITPrivilege` has been changed to `Entitlement`, it remains unchanged in the script.	Creates an ITPrivilege with the attributes.	This operation requires the following attributes: displayName—Name of the Entitlement. oimEntitlementId—Unique identifier of the corresponding Entitlement in Oracle Identity Manager. ITPrivilege Details—Used for additional content from external systems. resourceName—Name of the resource. uniqueName—Name for the ITPrivilege.	it_privilege_script
createITRolePrivilegeMapping	Maps an IT Role to an IT Privilege by creating a relationship with the attributes.	This operation requires the following attributes: itPrivilege (displayName)—Name of the IT Privilege to map. itRole (displayName)—Name of the IT Role to map. Note: Although in the user interface, the term `ITPrivilege` has been changed to `Entitlement`, it remains unchanged in the script.	itrole_to_privilege_script
createOrganization	Creates an Organization with the attributes.	This operation requires the following attributes: displayName—User-readable name of the Organization. uniqueName—Name representing the Organization.	organization_script
createPerson	Creates a `person` object with the attributes.	This operation requires the following attributes: displayName—User-readable full name of the person. givenName —First name of the person. mail—E-mail address of the person. sn—Surname (family name) of the person. status—Either `active` or `inactive`. If not provided, the default is `inactive`. userID—User name used to log on to the Oracle Role Manager system. userPassword—Password used for authentication for access to Oracle Role Manager. uniqueName—Name representing the person.	person_script
createOrganizationalUnit	Creates an Organizational Unit with the attribute.	This operation requires the following attributes: displayName—User-readable name of the Organizational Unit. uniqueName—Name representing the Organizational Unit.	organizational_unit_script
createSystemRole	Creates a System Role with the attributes.	This operation requires the following attributes: displayName—User-readable name of the System Role. isDelegatable—Either `true` or `false` depending on whether the System Role can be delegated to another user by the grantee. If not specified, the default is `false`. roleType—Either `dynamic` or `static`. socHierarchyType (socHierarchy_id)— Name of the hierarchy that can be used for sphere of control for the role. uniqueName—Identifier for the System Role.	system_role_script
createSystemRoleGrant	Grants a System Role to a person by creating a role grant relationship with the attributes.	This operation requires the following attributes: rootSocBinding and orgSocBinding (displayName)—Name of the organization to which to binds the sphere of control of the role grant. uniqueName—Name of the person to whom to grant the System Role. role_title (displayName)—Name of the System Role to grant.	system_role_grant_script
createSystemRolePrivilegeMapping	Maps a System Role to a System Privilege by creating a relationship with the attributes.	This operation requires the following attributes: systemPermission and systemResource (displayName)—Name of the System Privilege to map. systemRole (displayName)—Name of the System Role to map.	systemrole_to_privilege_script

Note:

Refer to the standard.xml file to see constraint information for each attribute in these load operations.

3.5 Configuring the DAR File Size

By default the largest DAR file you can load is 10MB, loading a larger file results in an error. You can configure the maximum DAR file size using the following instructions.

For WebLogic Server

To configure the DAR file size for WebLogic server:

Go to Environment, Servers, ORM Server.
On the Configuration tab, click the Server Start subtab.
In the Arguments field, append the following argument to the new value.
```
-Doracle.iam.rm.loader.max_upload_size=<new value>
```
Restart the WebLogic application server.

For JBoss Server

To configure the DAR file size for JBoss server:

Edit the config file:
```
JBOSS_HOME/bin/run.bat
```

Add the following argument to JAVA OPTS:

-Doracle.iam.rm.loader.max_upload_size=<new_value>

Restart the JBoss application server.

For WebSphere Server

To configure the DAR file size for WebSphere server:

Go to Servers, Application Servers, ORM Server.
In the Server Infrastructure section, expand Java and Process Management, and then click Process Definition.
In the Additional Properties section, click Java Virtual Machine, and then click Custom Properties.
Click New and enter the following information:
1. In the Name field, type oracle.iam.rm.loader.max_upload_size.
2. In the Value field, type the maximum size of data upload that you want to set, for example, 2 byte.
3. In the Description field, type the description for the maximum upload size that you set, for example, maximum size limit for the Oracle Role Manager loader.
4. Click Ok.
5. Restart the WebSphere application server.

3.6 Preparing Data Files

The data files that you bundle with the load request must match the file names specified in the load request.

Data files, normally text files in comma-separated (",") format and string delimiter for all object types in caret ( "^") format, contain actual data to load into Oracle Role Manager. Data files can use any character as a delimiter if it is set as the token-separator attribute in the script. The order of data, separated by the delimiter (with no spaces) must match the order of the input parameters in the respective file parsing script.

It is recommended that you separate the data files by type of entity and relationship to have enough flexibility to load them in the correct sequence.

To prepare your data files, bundle them with the load request as a DAR (data archive) file as follows:

In a command window, change to the directory containing the loader-request.xml file and other data files.
Run the following command:
```
zip -r custom _data.dar
```

Note:

Ensure the loader request refers to data files that exist. For example, your person data file might have a different file name than person.txt, the sample person data file.

3.7 Running the Data Loader

Initiating the load process involves several steps to prepare the archive files expected by the loader. In addition, the Oracle Role Manager server must be running on the application server. (Refer to the Oracle Role Manager Installation Guide for more information.)

To run the loader:

If you have customizations:
1. Make sure that the Oracle Role Manager users/schemas exist on the database.
2. Create a CAR file (configuration archive with .car extension) containing the new BL definitions, load procedures or file parsing scripts.
3. Deploy the configuration using the procedure described in Section 2.3.
Create a DAR file (data archive with .dar extension) containing the data files with the loader request file.
Deploy the Oracle Role Manager server to your application server as described in the Oracle Role Manager Installation Guide.
In a web browser, go to the application server host and port used for the Oracle Role Manager data loader. For example:
```
http://<host>:8080/ormconsole
```
Type the user name and password of the administrator who has the appropriate permissions to import data into Oracle Role Manager.
Click Browse to navigate to the newly create DAR file, then click Load.

The page will display the progress of your data load. You can click refresh at any time to refresh the page.