3 Using the Connector

This chapter is divided into the following sections:

Note: These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

• Section 3.1, "Setting Up Lookup Definitions in Oracle Identity Manager"

• Section 3.2, "Guidelines on Configuring Reconciliation"

• Section 3.3, "Scheduled Task for Lookup Field Synchronization"

• Section 3.4, "Configuring Reconciliation"

• Section 3.5, "Configuring Scheduled Tasks"

• Section 3.6, "Guidelines on Performing Provisioning Operations"

• Section 3.7, "Performing Provisioning Operations"

3.1 Setting Up Lookup Definitions in Oracle Identity Manager

You must provide Decode values for some of the entries of the following lookup definitions.

To set a Decode value for an entry in a lookup definition:

1. On the Design Console, expand Administration, and then double-click Lookup Definition.

2. Search for and open the lookup definition that you want to modify.

3. Enter the value in the Decode column for the Code Key that you want to set.

4. Click the Save icon.

Depending on whether you have configured your target system as a trusted source of target resource, see one of the following sections for information about the entries for which you must specify Decode values:

• Section 3.1.1, "Setting Up the Configuration Lookup Definition for a Target Resource"

• Section 3.1.2, "Setting Up the Configuration Lookup Definition for a Trusted Source"

• Section 3.1.3, "Setting Up the ExclusionList Lookup Definition"

3.1.1 Setting Up the Configuration Lookup Definition for a Target Resource

Depending on the target system that you are using, the following is the list of Configuration lookup definitions:

• For IBM DB2 UDB: Lookup.DBUM.DB2.Configuration

• For Microsoft SQL Server: Lookup.DBUM.MSSQL.Configuration

• For Oracle Database: Lookup.DBUM.Oracle.Configuration

• For Sybase: Lookup.DBUM.Sybase.Configuration

Provide Decode values for the following entries of the Configuration lookup definition:

• Reconciliation Query Property File

  Enter the full path and name of the file containing queries that must be run during reconciliation.

• Reconciliation SQL Injection Keywords

  Enter the list of SQL keywords that must not be used in the reconciliation query. Use the tilde (~) character as a separator if you want to specify more than one SQL keyword. During target resource reconciliation runs, the connector does not run a query (used for target resource reconciliation) that contains any of the keywords listed in the Decode column.

• Reserved Words List

  Enter the list of reserved words that are not supported in the OIM User process form fields during provisioning operations. Use the tilde (~) character as a separator if you want to specify more than one reserved word.

• Target Date Format

  Enter the format in which date values are stored on the target system.

• Unsupported Special Characters

  Enter the list of special characters that are not supported in the process form fields during provisioning operations.

  Sample value: #*~^

3.1.2 Setting Up the Configuration Lookup Definition for a Trusted Source

Depending on the target system that you are using, the following is the list of Configuration lookup definitions:

• For IBM DB2 UDB: Lookup.DBUM.DB2.TrustedRecon.Configuration

• For Microsoft SQL Server: Lookup.DBUM.MSSQL.TrustedRecon.Configuration

• For Oracle Database: Lookup.DBUM.Oracle.TrustedRecon.Configuration

• For Sybase: Lookup.DBUM.Sybase.TrustedRecon.Configuration

Provide Decode values for the following entries of the Configuration lookup definition:

• Reconciliation Query Property File

  Enter the full path and name of the file containing queries that must be run during reconciliation.

• Reconciliation SQL Injection Keywords

  Enter the list of SQL keywords that must not be used in the reconciliation query. Use the tilde (~) character as a separator if you want to specify more than one SQL keyword. During trusted source reconciliation runs, the connector does not run a query that contains any of the keywords listed in the Decode column.

• Target Date Format

  Enter the format in which date values are stored on the target system.

3.1.3 Setting Up the ExclusionList Lookup Definition

In the ExclusionList lookup definition, enter the user attributes of the target system accounts for which you do not want to perform target resource reconciliation and provisioning as follows:

1. On the Design Console, expand Administration and then double-click Lookup Definition.

2. Depending on the target system that you are using, search for and open one of the following lookup definitions:

   • Lookup.DBUM.DB2.ExclusionList

   • Lookup.DBUM.MSSQL.ExclusionList

   • Lookup.DBUM.Oracle.ExclusionList

   • Lookup.DBUM.Sybase.ExclusionList

3. Click Add.

4. If you want to specify the target system accounts on which you do not want to perform provisioning, then:

   1. In the Code Key column, enter the name of the process form field.

   2. In the Decode column, enter tilde-separated list of values for the process form field.

      For example, if you are using IBM DB2 UDB as your target system and you do not want to provision users with user namesDB2 admin, JDoe, and DFinn, then populate the lookup definition with the following values:

      Code Key	Decode
      UD_DB_DB2_U_USERNAME	DB2 admin~JDoe~DFinn

      
      

5. If you want to specify the target system accounts on which you do not want to perform target resource reconciliation, then:

   1. In the Code Key column, enter the reconciliation field of the resource object.

   2. In the Decode column, enter a tilde-separated list of values for the reconciliation field of resource object

      For example, if you are using IBM DB2 UDB as your target system and you do not want to reconcile user account data of John, Mary, and Anna, then populate the lookup definition with the following values:

      Code Key	Decode
      User Name	John~Mark~Anna

      
      

6. Click the Save icon.

3.2 Guidelines on Configuring Reconciliation

The following are guidelines that you must apply while configuring reconciliation:

• Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the lookup fields of the target system. In other words, the scheduled task for lookup field synchronization must be run before user reconciliation runs.

• The scheduled task for user or login reconciliation must be run before the scheduled task for reconciliation of deleted user or login data.

• After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then rerun the scheduled task without changing the values of the task attributes.

3.3 Scheduled Task for Lookup Field Synchronization

The DBUM Lookup reconciliation scheduled task is used for lookup field synchronization. Table 3-1 describes the attributes of this scheduled task. The procedure to configure scheduled tasks is described later in the guide.

Table 3-1 Attributes of the DBUM Lookup reconciliation Scheduled Task

Attribute	Description
IT Resource	Enter the name of the IT resource that you configure by performing the procedure described in Section 2.3.5, "Configuring the IT Resource" Sample value: Oracle
Lookup Definition Name	Enter the name of the lookup definition in Oracle Identity Manager that you want to synchronize with the target system. Depending on the target system that you are using, the value can be one of the following: For IBM DB2 UDB, the value can be one of the following: - Lookup.DBUM.DB2.Tablespaces - Lookup.DBUM.DB2.Schema For Microsoft SQL Server, the value can be one of the following: - Lookup.DBUM.MSSQL.DBNames - Lookup.DBUM.MSSQL.DBRoles - Lookup.DBUM.MSSQL.DefaultLang For Oracle Database, the value can be one of the following: - Lookup.DBUM.Oracle.Profiles - Lookup.DBUM.Oracle.Roles - Lookup.DBUM.Oracle.Privileges - Lookup.DBUM.Oracle.Temp.Tablespace - Lookup.DBUM.Oracle.Tablespaces For Sybase, the value can be one of the following: - Lookup.DBUM.Sybase.Databases - Lookup.DBUM.Sybase.Roles - Lookup.DBUM.Sybase.DefaultLang - Lookup.DBUM.Sybase.DBGroups Sample value: Lookup.DBUM.Oracle.Roles
Exclusion List	Enter the lookup value in the target system lookup fields that you do not want to synchronize with the corresponding lookup definitions in Oracle Identity Manager. If you want to specify more than one lookup value that must be excluded during lookup field synchronization, then enter a tilde-separated list of lookup values. If you do not want to exclude any lookup value, then leave the default value for this attribute unchanged. The following is an example of a list of role lookup values in Oracle Database that must be excluded during lookup reconciliation: CONNECT~RESOURCE
Task Name	This attribute holds the name of the scheduled task. Value: DBUM Lookup reconciliation Note: You must not change this value.
Ref Data Provider Impl	This attribute holds the name of the class that implements the logic for lookup field synchronization. Default value: MapResultSetProvider Note: You must not change this value.
Query Properties File Path	Enter the full path and name of the file containing the lookup definition synchronization query that you want to run. Sample value: /usr/temp/DBUMLookUpQuery.properties

3.4 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

• Section 3.4.1, "Performing Full Reconciliation"

• Section 3.4.2, "Reconciliation Time Stamp"

• Section 3.4.3, "Batched Reconciliation"

• Section 3.4.4, "Configuring Limited Reconciliation"

• Section 3.4.5, "Reconciliation Scheduled Tasks"

3.4.1 Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.

To perform a full reconciliation run, specify values for the following attributes while performing the procedure described in Section 3.4.5, "Reconciliation Scheduled Tasks":

• Last Execution Time: This attribute holds the time stamp at which the last reconciliation run started. You must set the value of this attribute to 0.

• Custom Query: This attribute holds the query for filtering records returned during reconciliation. If you need to perform full reconciliation, then accept the default value of NODATA for this attribute.

• Use Custom Query: Set the value of this attribute to No.

For Oracle Database, at the end of the full reconciliation run, the Last Execution Time attribute is automatically set to the time stamp at which the run started. For other target systems, the Last Execution Time attribute is automatically set to the time stamp at which the run started only if you have performed the procedure described in Section 2.3.1.6, "Configuring the Connector for Incremental Reconciliation". From the next run onward, only records created or modified after this time stamp value are considered for reconciliation.

3.4.2 Reconciliation Time Stamp

This section describes the Last Execution Time attribute of the scheduled task.

The Last Execution Time attribute holds the time stamp at which the last reconciliation run started. This attribute is used in conjunction with the reconciliation query specified by the Query Name attribute. During a reconciliation run, only target system records added or modified after the time stamp value stored in the Last Execution Time attribute are fetched into Oracle Identity Manager for reconciliation.

Apply the following guidelines while deciding on a value for the Last Execution Time attribute:

• If you want to fetch all target system records for reconciliation, then set the value of the attribute to 0.

• If you want to specify a time stamp, then first run the query to convert the time stamp into the required format.

  For example, on Oracle Database, you first run the following query:

  SELECT (TO_DATE('DATE_TO_BE_CONVERTED','DD-MON-YYYY') - TO_DATE('01011970', 'DDMMYYYY')) *24*60*60*1000 as ts FROM DUAL
  

  In this query, replace DATE_TO_BE_CONVERTED with the date that you want to use as the time stamp. For example, if you want to use 5-Dec-2008 as the time stamp, then run the following query:

  SELECT (TO_DATE('5-Dec-2008','DD-MON-YYYY') - TO_DATE('01011970', 'DDMMYYYY')) *24*60*60*1000 as ts FROM DUAL
  

  The query returns the following value:

  1228435200000
  

  Specify this value as the value of the Last Execution Time attribute.

• The Last Execution Time attribute is updated during each reconciliation run. For example, the Last Execution Time attribute is set to the time stamp at which the run begins.

3.4.3 Batched Reconciliation

Note: You can configure the connector to perform batched reconciliation only if you are using IBM DB2 UDB or Oracle Database as the target system.

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid these problems.

To configure batched reconciliation, you must specify values for the following attributes while performing the procedure described in Section 3.4.5, "Reconciliation Scheduled Tasks":

• Use Batched Reconciliation: Use this attribute to enable batched reconciliation. Set the value of this attribute to Yes.

• Batch Reconciliation Query Name: Use this attribute to specify the name of the batched reconciliation query in the reconciliation query file that you want to run.

• Batch Size: Use this attribute to specify the number of records that must be included in each batch. The default value is 100.

3.4.4 Configuring Limited Reconciliation

Note: This section describes an optional procedure. Perform this procedure only if you want to add filter parameters for reconciliation.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

You can configure limited reconciliation by performing the procedures described in one of the following sections:

• Section 3.4.4.1, "Specifying a Value for the Custom Query Attribute"

• Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query"

3.4.4.1 Specifying a Value for the Custom Query Attribute

If your target system database uses stored procedures to retrieve user records, and your database does not support filtering of records returned by the store procedure, then you can use the Custom Query scheduled task attribute to configure limited reconciliation. You set the value of the Custom Query attribute while performing the procedure described in Section 3.4.5.1, "Scheduled Tasks for Reconciling Data About Users and Logins".

You must use the following format to specify a value for the Custom Query attribute:

RESOURCE_OBJECT_FIELD_NAME=VALUE

For example, if you specify Last Name=Doe as the value of the Custom Query attribute, then only records for persons whose last name is Doe are considered for reconciliation.

You can add multiple query conditions by using a combination of resource object attributes and the following logical operators:

• The AND operator represented by the ampersand (&)

• The OR operator represented by the vertical bar (|)

• The EQUAL operator represented by the equal sign (=)

For example, the following query condition is used to limit reconciliation to records of those persons whose first name is John and last name is Doe:

First Name=John & Last Name=Doe

The following query condition can be used to limit reconciliation to the records of those persons whose first name is either John or their User ID is 219786:

First Name=John | User ID=219786

You must apply the following guidelines while creating the query condition:

• Use only the equal sign (=), ampersand (&), and vertical bar (|) in the query condition. Do not include any other special characters in the query condition. Any other character that is included is treated as part of the value that you specify.

• Add a space before and after ampersand and vertical bars used in the query condition. For example:

  First Name=John & Last Name=Doe

  This is to ensure to help the system distinguish between ampersands and vertical bars used in the query and the same characters included as part of attribute values specified in the query condition.

• You must not include unnecessary blank spaces between operators and values in the query condition.

  A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:

  First Name=John & Last Name=Doe

  First Name= John & Last Name= Doe

  In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.

3.4.4.2 Adding a Filter Parameter in the Reconciliation Query

If your target system database enables you to add a WHERE clause to the query that you use to retrieve user records, then you can configure limited reconciliation by adding a filter parameter in the reconciliation query and specifying a value for the parameter in the Query Filter lookup definition.

For example, you can add a parameter in the WHERE clause of the ORACLE_TARGET_USER_RECON query so that it returns records of users whose user name is the one that you specify in the lookup definition.

To add a filter parameter in a reconciliation query:

Note: Before you modify a query in the properties file, run the query by using any standard database client to ensure that the query produces the required results when it is run against the target system database.

1. Modify the query as follows:

   1. Open the properties file in a text editor.

   2. Add the WHERE clause with the condition to the query that you want to modify.

      
      

      Note: The parameter name must begin with the colon (:) as a prefix. In addition, there must be no space between the colon and parameter name and within the parameter name.

      
      

      For example, in the following snippet of the ORACLE_TARGET_USER_RECON query, the variable condition highlighted in bold has been added:

      WHERE ((CREATED - TO_DATE('01011970','ddmmyyyy')) *24*60*60*1000) > :lastExecutionTime \
      AND USERNAME = :username
      

   3. Save and close the file.

2. Configure the Query Filter lookup definition as follows:

   1. Log in to the Design Console.

   2. Expand the Administration folder, and then double-click Lookup Definition.

   3. If you have configured the target system as trusted source, then search for and open the appropriate lookup definition:

      • Lookup.DBUM.DB2.TrustedRecon.QueryFilter

      • Lookup.DBUM.MSSQL.TrustedRecon.QueryFilter

      • Lookup.DBUM.Oracle.TrustedRecon.QueryFilter

      • Lookup.DBUM.Sybase.TrustedRecon.QueryFilter

   4. If you have configured the target system as target resource, then search for and open the appropriate lookup definition:

      • Lookup.DBUM.DB2.TargetRecon.QueryFilter

      • Lookup.DBUM.MSSQL.TargetRecon.QueryFilter

      • Lookup.DBUM.Oracle.TargetRecon.QueryFilter

      • Lookup.DBUM.Sybase.TargetRecon.QueryFilter

   5. To add a row, click Add.

   6. In the Code Key column, enter the variable name that you specified in the properties file. Do not include the colon (:) character. For example, enter username in the Code Key column.

   7. In the Decode column, enter the value that you want to assign to the parameter for subsequent reconciliation runs.

      Sample value: jdoe

   8. Click the Save icon.

When you next run the query that you have modified, the condition that you add is applied as an additional filter during reconciliation.

3.4.5 Reconciliation Scheduled Tasks

This connector supports both trusted source and target resource reconciliation. When you run the connector installer, the following scheduled tasks are automatically created in Oracle Identity Manager:

• Section 3.4.5.1, "Scheduled Tasks for Reconciling Data About Users and Logins"

• Section 3.4.5.2, "Scheduled Tasks for Reconciling Data About Deleted Users or Logins"

3.4.5.1 Scheduled Tasks for Reconciling Data About Users and Logins

The following scheduled tasks are used to reconcile user or login data:

• Scheduled tasks for target resource reconciliation

  • For IBM DB2 UDB: DBUM DB2 Target Resource User Reconciliation

  • For the Microsoft SQL Server login entity: DBUM MSSQL Target Resource Login Reconciliation

  • For the Microsoft SQL Server user entity: DBUM MSSQL Target Resource User Reconciliation

  • For Oracle Database: DBUM Oracle Target Resource User Reconciliation

  • For the Sybase login entity: DBUM Sybase Target Resource Login Reconciliation

  • For the Sybase user entity: DBUM Sybase Target Resource User Reconciliation

• Scheduled tasks for trusted source reconciliation

  • For IBM DB2 UDB: DBUM DB2 Trusted Source User Reconciliation

  • For Microsoft SQL Server: DBUM MSSQL Trusted Source User Reconciliation

  • For Oracle Database: DBUM Oracle Trusted Source User Reconciliation

  • For the Sybase user entity: DBUM Sybase Trusted Source User Reconciliation

Table 3-2 describes the attributes of these scheduled tasks.

Note: Values for most attributes are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change. Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation would not be performed. The descriptions of some attributes also instruct you not to change the default values. However, if you create a copy of this scheduled task, then you can enter attribute values specific to the target system installation for which you create the copy of scheduled task. See Section 4.5, "Configuring the Connector for Multiple Installations of the Target System" for more information about creating copies of connector objects.

Table 3-2 Attributes of Scheduled Tasks for Fetching Data About Users or Logins During Target Resource Reconciliation

Attribute	Description
Batch Reconciliation Query Name	Enter the name of the query that you want the connector to apply during batched reconciliation. Note: This attribute is valid only when the Use Batched Reconciliation attribute is set to Yes. This attribute is discussed later in this table.
Batch Size	Enter the number of records that must be included in each batch fetched from the target system.Default value: 100 This attribute is discussed in Section 3.4.3, "Batched Reconciliation.".
Custom Query	Enter the query that you want the connector to apply during reconciliation. See Section 3.4.4, "Configuring Limited Reconciliation" for more information. Default value: NODATA Note: This attribute is valid only when the Use Custom Query attribute is set to Yes. If you enter a value for this attribute, then you must not enter a value for the Reconciliation Query Filter Lookup attribute. The Reconciliation Query Filter Lookup attribute is discussed later in this table.
Is Login Recon	Specifies whether or not reconciliation is to be carried out for the login entity of the target system. Enter Yes if you want to reconcile data about the login entity for your target system. Otherwise, enter No.
Is Trusted Recon	If you want reconciliation to be carried out in trusted mode, then enter Yes. Enter No if you want reconciliation to be carried out in target resource mode.
IT Resource Name	Enter the name of the IT resource that you configure by performing the procedure described in Section 2.3.5, "Configuring the IT Resource". Default value: Value for IBM DB2 UDB: DB2UDB Value for Microsoft SQL Server: MS SQL Server Value for Oracle Database: Oracle Value for Sybase: Sybase
Last Execution Time	This attribute holds the time stamp at which the last reconciliation run started. Default value: 0 See Section 3.4.2, "Reconciliation Time Stamp" for information about setting a value for the Last Execution Time attribute.
Query Name	Enter the name of the query in the reconciliation query file that you want to run. Default value: Value for IBM DB2 UDB: DB2_TARGET_USER_RECON Value for Microsoft SQL Server: SQL_SERVER_LOGIN Value for Oracle Database: ORACLE_TARGET_USER_RECON Value for Sybase: SYBASE_LOGIN
Reconciliation Attribute Mapping Lookup	This attribute holds the name of the lookup definition that maps resource object attributes with column names or column name aliases used in the reconciliation query. For target resource reconciliation Value for IBM DB2 UDB: Lookup.DBUM.DB2.TargetRecon.Mapping Value for Microsoft SQL Server login entity: Lookup.DBUM.MSSQL.TargetRecon.Login.Mapping Value for Microsoft SQL Server user entity: Lookup.DBUM.MSSQL.TargetRecon.User.Mapping Value for Oracle Database: Lookup.DBUM.Oracle.TargetRecon.Mapping Value for Sybase login entity: Lookup.DBUM.Sybase.TargetRecon.Login.Mapping Value for Sybase user entity: Lookup.DBUM.Sybase.TargetRecon.User.Mapping For trusted source reconciliation Value for IBM DB2 UDB: Lookup.DBUM.DB2.TrustedRecon.Mapping Value for Microsoft SQL Server: Lookup.DBUM.MSSQL.TrustedRecon.Mapping Value for Oracle Database: Lookup.DBUM.Oracle.TrustedRecon.Mapping Value for Sybase: Lookup.DBUM.DB2.TrustedRecon.Mapping Note: You must not change this value.
Reconciliation Query Filter Lookup	This attribute holds the name of the lookup definition that contains information about reconciliation filter parameters. For target resource reconciliation Value for IBM DB2 UDB: Lookup.DBUM.DB2.TargetRecon.QueryFilter Value for Microsoft SQL Server: Lookup.DBUM.MSSQL.TargetRecon.QueryFilter Value for Oracle Database: Lookup.DBUM.Oracle.TargetRecon.QueryFilter Value for Sybase: Lookup.DBUM.Sybase.TargetRecon.QueryFilter For trusted source reconciliation Value for IBM DB2 UDB: Lookup.DBUM.DB2.TrustedRecon.QueryFilter Value for Microsoft SQL Server: Lookup.DBUM.MSSQL.TrustedRecon.QueryFilter Value for Oracle Database: Lookup.DBUM.Oracle.TrustedRecon.QueryFilter Value for Sybase: Lookup.DBUM.Sybase.TrustedRecon.QueryFilter Note: You must ensure that the filter parameters in this lookup definition can be applied along with the query specified by the Query Name attribute. An error is encountered if this condition is not met.
Reconciliation Transformation Lookup	This attribute holds the name of the lookup definition that is used to configure transformation of attribute values fetched from the target system during reconciliation. For target resource reconciliation Value for IBM DB2 UDB: Lookup.DBUM.DB2.TargetRecon.Transformation Value for Microsoft SQL Server login entity: Lookup.DBUM.MSSQL.TargetRecon.Login.Transformation Value for Microsoft SQL Server user entity: Lookup.DBUM.MSSQL.TargetRecon.User.Transformation Value for Oracle Database: Lookup.DBUM.Oracle.TargetRecon.Transformation Value for Sybase login entity: Lookup.DBUM.Sybase.TargetRecon.Login.Transformation Value for Sybase user entity: Lookup.DBUM.Sybase.TargetRecon.User.Transformation For trusted source reconciliation Value for IBM DB2 UDB: Lookup.DBUM.DB2.TrustedRecon.Transformation Value for Microsoft SQL Server: Lookup.DBUM.MSSQL.TrustedRecon.Transformation Value for Oracle Database: Lookup.DBUM.Oracle.TrustedRecon.Transformation Value for the Sybase entity: Lookup.DBUM.Sybase.TrustedRecon.Transformation Note: This attribute is valid only when the Use Transformation for Reconciliation attribute is set to Yes. That attribute is discussed later in this table.
Reconciliation Validation Lookup	This attribute holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. For target resource reconciliation Value for IBM DB2 UDB: Lookup.DBUM.DB2.TargetRecon.Validation Value for Microsoft SQL Server login entity: Lookup.DBUM.MSSQL.TargetRecon.Login.Validation Value for Microsoft SQL Server user entity: Lookup.DBUM.MSSQL.TargetRecon.Login.Transformation Value for Oracle Database: Lookup.DBUM.Oracle.TargetRecon.Validation Value for Sybase login entity: Lookup.DBUM.Sybase.TargetRecon.Login.Validation Value for Sybase user entity: Lookup.DBUM.Sybase.TargetRecon.User.Validation For trusted source reconciliation Value for IBM DB2 UDB: Lookup.DBUM.DB2.TrustedRecon.Validation Value for Microsoft SQL Server: Lookup.DBUM.MSSQL.TrustedRecon.ValidationValidation Value for Oracle Database: Lookup.DBUM.Oracle.TrustedRecon.Validation Value for the Sybase entity: Lookup.DBUM.Sybase.TrustedRecon.Validation Note: This attribute is valid only when the Use Validation for Reconciliation attribute is set to Yes. That attribute is discussed later in this table.
Recon Time Query Name	Enter the name of the query in the reconciliation query file that is used to fetch the current time of the target system for incremental reconciliation. For IBM DB2 UDB, Microsoft SQL Server, and Sybase, enter the name of the query that you create by performing Step 2 of Section 2.3.1.6, "Configuring the Connector for Incremental Reconciliation." Value for IBM DB2 UDB: NODATA Value for Microsoft SQL Server: NODATA Value for Oracle Database: ORACLE_RECON_TIME Value for Sybase: NODATA
Resource Object Name	This attribute holds the name of the resource object for the target system. Value for IBM DB2 UDB: DB2 DB User Value for Microsoft SQL Server login entity: MSSQL User Login Value for Microsoft SQL Server user entity: MSSQL User Value for Oracle Database: Oracle DB User Value for Sybase login entity: Sybase DB User Login Value for Sybase user entity: Sybase DB User Note: Do not change the default value. However, if you create a copy of the resource object, then you can specify the name of the new resource object as the value of the Resource Object attribute.
Status Reconciliation Primary Key Field	Enter a value for this attribute only if you are writing your own implementation for determining the status of a target system record. While performing the procedure in Section 5.12, "Configuring Status Reconciliation,", you provide a value for the Status Reconciliation Class Name entry. If you are writing your own implementation, then enter the name of the primary key resource object attribute. Otherwise, enter NODATA.
Task Name	This attribute holds the name of the scheduled task. For target resource reconciliation Value for IBM DB2 UDB: DBUM DB2 Target Resource User Reconciliation Value for Microsoft SQL Server login entity: DBUM MSSQL Target Resource Login Reconciliation Value for Microsoft SQL Server user entity: DBUM MSSQL Target Resource User Reconciliation Value for Oracle Database: DBUM Oracle Target Resource User Reconciliation Value for Sybase login entity: DBUM Sybase Target Resource Login Reconciliation Value for Sybase user entity: DBUM Sybase Target Resource User Reconciliation For trusted source reconciliation Value for IBM DB2 UDB: DBUM DB2 Trusted Source User Reconciliation Value for Microsoft SQL Server: DBUM MSSQL Trusted Source User Reconciliation Value for Oracle Database: DBUM Oracle Trusted Source User Reconciliation Value for the Sybase entity: DBUM Sybase Trusted Source User Reconciliation Note: For these scheduled tasks, you must not change the value of this attribute. However, if you create a copy of this scheduled task, then you must enter the unique name of that new scheduled task as the value of the Task Name attribute in that scheduled task.
Use Batched Reconciliation	Enter Yes if you want to enable batched reconciliation. Otherwise, enter No. Default value: No Note: If you set the value of this attribute to Yes, then you must specify values for the Batch Reconciliation Query Name and Batch Size attributes.
Use Custom Query	Enter Yes if you want to use the Custom Query attribute to specify the filter parameter. Otherwise, enter No. Default value: No
Use Resource Exclusion List	Enter Yes if you do not want to perform reconciliation on specified target system accounts. Otherwise, enter No. Default value: No
Use Transformation For Reconciliation	Enter Yes if you want to transform attribute values that are fetched from the target system during reconciliation. Otherwise, enter No. Default value: Yes
Use Validation For Reconciliation	Enter Yes if you want to validate attribute values that are fetched from the target system during reconciliation. Otherwise, enter No. Default value: Yes

3.4.5.2 Scheduled Tasks for Reconciling Data About Deleted Users or Logins

Depending on whether you want to run target resource reconciliation or trusted source reconciliation, the following are the scheduled tasks that are used to reconcile data about deleted users or logins:

• Scheduled tasks for target resource reconciliation

  • For IBM DB2 UDB: DBUM DB2 Target Delete Reconciliation

  • For the Microsoft SQL Server login entity: DBUM MSSQL Target Delete Login Reconciliation

  • For the Microsoft SQL Server user entity: DBUM MSSQL Target Delete User Reconciliation

  • For Oracle Database: DBUM Oracle Target Delete Reconciliation

  • For the Sybase login entity: DBUM Sybase Target Delete Login Reconciliation

  • For the Sybase user entity: DBUM Sybase Target Delete User Reconciliation

• Scheduled tasks for trusted source reconciliation

  • For IBM DB2 UDB: DBUM DB2 Trusted Delete Reconciliation

  • For Microsoft SQL Server: DBUM MSSQL Trusted Delete Reconciliation

  • For Oracle Database: DBUM Oracle Trusted Delete Reconciliation

  • For Sybase: DBUM Sybase Trusted Delete Reconciliation

Table 3-3 describes the attributes of these scheduled tasks.

Note: Values for most attributes are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change. Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value was left empty, then reconciliation would not be performed. The descriptions of some attributes also instruct you not to change the default values. However, if you create a copy of this scheduled task, then you can enter attribute values specific to the target system installation for which you create the copy of scheduled task. See Section 4.5, "Configuring the Connector for Multiple Installations of the Target System" for more information about creating copies of connector objects.

Table 3-3 Attributes of Scheduled Tasks for Fetching Data About Deleted Users or Logins During Target Resource Reconciliation

Attribute	Description
Delete Reconciliation Attribute Mapping Lookup	This attribute holds the name of the lookup definition that holds mappings between the target system and the process form fields. Default value for target resource reconciliation: Value for IBM DB2 UDB: Lookup.DBUM.DB2.TargetRecon.Delete.Mapping Value for Microsoft SQL Server login entity: Lookup.DBUM.MSSQL.TargetRecon.Delete.Login.Mapping Value for Microsoft SQL Server user entity: Lookup.DBUM.MSSQL.TargetRecon.Delete.User.Mapping Value for Oracle Database: Lookup.DBUM.Oracle.TargetRecon.Delete.Mapping Value for Sybase login entity: Lookup.DBUM.Sybase.TargetRecon.Delete.Login.Mapping Value for Sybase user entity: Lookup.DBUM.Sybase.TargetRecon.Delete.User.Mapping Default value for trusted source reconciliation: Value for IBM DB2 UDB: Lookup.DBUM.DB2.TrustedRecon.Delete.Mapping Value for Microsoft SQL Server: Lookup.DBUM.MSSQL.TrustedRecon.Delete.Mapping Value for Oracle Database: Lookup.DBUM.Oracle.TrustedRecon.Delete.Mapping Value for Sybase: Lookup.DBUM.Sybase.TrustedRecon.Delete.Mapping Note: You must not change this value.
Is Login Recon	Set the value of this attribute to Yes if you want to reconcile login data. Otherwise, enter No.
IT Resource Name	Enter the name of the IT resource that you configure by performing the procedure described in Section 2.3.5, "Configuring the IT Resource". Value for IBM DB2 UDB: DB2UDB Value for Microsoft SQL Server: MS SQL Server Value for Oracle Database: Oracle Value for Sybase: Sybase
Query Name	This attribute holds the name of the query for reconciliation of deleted records. Value for IBM DB2 UDB: DB2_DELETE_USER Value for Microsoft SQL Server: SQL_SERVER_DELETE_USER Value for Oracle Database: ORACLE_DELETE_USER Value for Sybase: SYBASE_LOGIN_DELETE
Resource Object Name	This attribute holds the name of the resource object for the target system. Value for IBM DB2 UDB: DB2 DB User Value for Microsoft SQL Server login entity: MSSQL User Login Value for Microsoft SQL Server user entity: MSSQL User Value for Oracle Database: Oracle DB User Value for Sybase login entity: Sybase DB User Login Value for Sybase user entity: Sybase DB User Note: Do not change the default value. However, if you create a copy of the resource object, then you can specify the name of the new resource object as the value of the Resource Object attribute.
Task Name	This attribute holds the name of the scheduled task. For target resource reconciliation Value for IBM DB2 UDB: DBUM DB2 Target Delete Reconciliation Value for Microsoft SQL Server login entity: DBUM MSSQL Target Delete Login Reconciliation Value for Microsoft SQL Server user entity: DBUM MSSQL Target Delete User Reconciliation Value for Oracle Database: DBUM Oracle Target Delete Reconciliation Value for Sybase login entity: DBUM Sybase Target Delete Login Reconciliation Value for Sybase user entity: DBUM Sybase Target Delete User Reconciliation For trusted source reconciliation Value for IBM DB2 UDB: DBUM DB2 Trusted Delete Reconciliation Value for Microsoft SQL Server: DBUM MSSQL Trusted Delete Reconciliation Value for Oracle Database: DBUM Oracle Trusted Delete Reconciliation Value for Sybase: DBUM Sybase Trusted Delete Reconciliation Note: For this scheduled task, you must not change the value of this attribute. However, if you create a copy of this scheduled task, then you must enter the unique name of that new scheduled task as the value of the Task Name attribute in that scheduled task.

3.5 Configuring Scheduled Tasks

This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.

The following is a list of scheduled tasks that you must configure:

• For lookup field synchronization

  DBUM Lookup reconciliation

• For target resource user or login data reconciliation

  • For IBM DB2 UDB: DBUM DB2 Target Resource User Reconciliation

  • For the Microsoft SQL Server login entity: DBUM MSSQL Target Resource Login Reconciliation

  • For the Microsoft SQL Server user entity: DBUM MSSQL Target Resource User Reconciliation

  • For Oracle Database: DBUM Oracle Target Resource User Reconciliation

  • For the Sybase login entity: DBUM Sybase Target Resource Login Reconciliation

  • For the Sybase user entity: DBUM Sybase Target Resource User Reconciliation

• For target resource reconciliation of deleted users or logins

  • For IBM DB2 UDB: DBUM DB2 Target Delete Reconciliation

  • For the Microsoft SQL Server login entity: DBUM MSSQL Target Delete Login Reconciliation

  • For the Microsoft SQL Server user entity: DBUM MSSQL Target Delete User Reconciliation

  • For Oracle Database: DBUM Oracle Target Delete Reconciliation

  • For the Sybase login entity: DBUM Sybase Target Delete Login Reconciliation

  • For the Sybase user entity: DBUM Sybase Target Delete User Reconciliation

• For trusted source reconciliation of deleted users or logins

  • For IBM DB2 UDB: DBUM DB2 Trusted Delete Reconciliation

  • For Microsoft SQL Server: DBUM MSSQL Trusted Delete Reconciliation

  • For Oracle Database: DBUM Oracle Trusted Delete Reconciliation

  • For the Sybase: DBUM Sybase Trusted Delete Reconciliation

To configure a scheduled task:

1. Log in to the Administrative and User Console.

2. Expand Resource Management.

3. Click Manage Scheduled Task.

4. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

   The following screenshot shows the Scheduled Task Management page:

   
   

5. In the search results table, click the edit icon in the Edit column for the scheduled task. The following screenshot shows the Scheduled Task Details page:

   
   

6. On the Edit Scheduled Task Details page, you can modify the following details of the scheduled task by clicking Edit:

   • Status: Specify whether or not you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

   • Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.

   • Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

   • Frequency: Specify the frequency at which you want the task to run.

7. After modifying the values for the scheduled task details listed in the previous step, click Continue.

8. Specify values for the attributes of the scheduled task. To do so, select each attribute from the Attribute list, specify a value in the field provided, and then click Update. See Section 3.4.5, "Reconciliation Scheduled Tasks" for information about attributes of the scheduled task.

   
   

   Note: Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change.

   
   

   The following screenshot shows the Attributes page. The attributes of the scheduled task that you select for modification are displayed on this page.

   
   

9. Click Save Changes to commit the changes.

Note: If you want to stop a scheduled task while it is running, then use the Stop Execution feature of the Design Console. See "The Task Scheduler Form" in Oracle Identity Manager Design Console Guide for information about this feature.

3.6 Guidelines on Performing Provisioning Operations

The following sections discuss guidelines that you must apply while performing provisioning operations:

• Section 3.6.1, "Guidelines Common to Performing Provisioning Operations on Any Target System"

• Section 3.6.2, "Guidelines on Performing Provisioning Operations in IBM DB2 UDB"

• Section 3.6.3, "Guidelines on Performing Provisioning Operations in Microsoft SQL Server"

• Section 3.6.4, "Guidelines on Performing Provisioning Operations in Oracle Database"

• Section 3.6.5, "Guidelines on Performing Provisioning Operations in Sybase"

3.6.1 Guidelines Common to Performing Provisioning Operations on Any Target System

The following are guidelines that you must apply while performing provisioning operations on any target system:

• Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, the scheduled task for lookup field synchronization DBUM Lookup reconciliation must be run before provisioning operations.

• Passwords for user accounts provisioned from Oracle Identity Manager must adhere to the password policy set in the target system.

• The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Manager fields.

• During an updated password provisioning operation, ensure that you clear the existing text in the Password field, and then enter the new password. If you modify the password by appending new characters to the existing value, then the newly added characters are displayed in clear text. This has been mentioned in Chapter 7, "Known Issues."

3.6.2 Guidelines on Performing Provisioning Operations in IBM DB2 UDB

The following are guidelines that you must apply while performing provisioning operations on IBM DB2 UDB:

• Authentication on IBM DB2 UDB is performed through the operating system. Therefore, the user that you want to provision must exist in the account database of the operating system.

  For example, if you want to provision the domain, then the target (IBM DB2 UDB server) must exist on the domain server and the user that you want to provision must exist in the domain.

• IBM DB2 UDB performs authentication externally and authorization internally. Authentication is performed through an accountID and password pair that is passed on to an external certifier. By default, the operating system performs the authentication. However, other programs can be used for this purpose. Authorization is done by mapping the accountID internally to various permissions at the database, index, package, schema, server, table, and/or table space level. When you perform provisioning operations on IBM DB2 UDB, keep in mind the following points:

  • Granting authorization does not automatically authenticate the accountID. You can, for example, authorize nonexistent accounts.

  • Revoking authorization does not remove publicly available authority from an accounted.

3.6.3 Guidelines on Performing Provisioning Operations in Microsoft SQL Server

The following are guidelines that you must apply while performing provisioning operations on Microsoft SQL Server:

• Before you provision a Microsoft SQL Server account that uses Microsoft Windows authentication, you must ensure that the account you want to provision exists in the account database of the operation system.

• If you are creating users accounts, then you must specify a value for the Database Name parameter of the IT resource. See Table 2-7 for more information about the Database Name parameter.

• If you are provisioning a Microsoft SQL Server login account that uses Microsoft Windows authentication, then you must specify values for the following fields:

  • Default Database: Select the name of the default database that the user must connect to.

  • Default Language: Select the default language for the login.

  • Login Name: Enter the login name in the following format:

    DOMAIN_NAME\LOGIN_NAME

    In this format:

    • DOMAIN_NAME is the name of the domain to which the login account must belong.

    • LOGIN_NAME is the name of the login that you are creating in the target system.

    The following is a sample value that you can enter in the Login Name field:

    MyDomain\jdoe

• If you are provisioning a Microsoft SQL Server login account that uses SQL Server authentication, then you must specify values for the following mandatory fields:

  • Login Name: Enter the name of the login account.

  • Password: Enter the password for the login account.

3.6.4 Guidelines on Performing Provisioning Operations in Oracle Database

The following are guidelines that you must apply while performing provisioning operations on Oracle Database:

• Before you provision an externally-authenticated user account, you must ensure that the account you want to provision must exist in the account database of the operation system.

• For creating password-authenticated database user, you must specify values for the following fields:

  • IT Resource: Specify Oracle as the value of this lookup field.

  • Username: Enter the name of the database user.

  • Password: Enter the password for the database user.

  • Authentication Type: Specify PASSWORD as the value of this lookup field.

• For creating globally-authenticated database users, you must specify a value for the following mandatory fields:

  • IT Resource: Specify Oracle as the value of this lookup field.

  • Username: Enter the name of the database user.

  • Authentication Type: Specify GLOBAL as the value of this lookup field.

  • Global DN: Enter the distinguished name (DN) for your organization.

    Sample value: cn=ajones,cn=users,dc=oracle,dc=vm

  After you submit the data required, the adapter runs the following query to create a globally-authenticated database user:

  CREATE USER :ora_user_id IDENTIFIED GLOBALLY AS :ora_global_dn

• For creating externally-authenticated database users, you must specify a value for the following mandatory fields:

  • IT Resource: Specify Oracle as the value of this lookup field.

  • Username: Enter the name of the database user in the following format:

    OS_Authent_PrefixDomain_Name\User_Name

    In this format:

    • OS_Authent_Prefix is a prefix that Oracle adds to every user's operating system account name.

    • Domain_Name is the name of the domain to which the user account being created must belong.

    • User_Name is the name of the user account existing in the operating system database.

    Sample value: OPS$my_domain\jdoe

  • Authentication Type: Specify EXTERNAL as the value of this lookup field.

  After you submit the data required, the adapter runs the following query to create a externally-authenticated database user:

  CREATE USER :ora_user_id_external IDENTIFIED EXTERNALLY

• If you specify values for the Default Tablespcase Quota (in MB) or Temporary Tablespcase Quota (in MB) fields, then enter values in the following format:

  TABLESPACE_QUOTA M

  In this format, TABLESPACE_QUOTA is the tablespace quota allocated to the user and M indicates that megabytes is the unit of measurement of quota. The following is a sample value: 300 M

  If you want to allocate to a user unlimited quota on a tablespace, then specify the following as the value of the Default Tablespcase Quota (in MB) or Temporary Tablespcase Quota (in MB) fields:

  UNLIMITED

3.6.5 Guidelines on Performing Provisioning Operations in Sybase

If you are using Sybase for creating users accounts, then you must specify a value for the Database Name parameter of the IT resource. See Table 2-7 for more information about the Database Name parameter.

3.7 Performing Provisioning Operations

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user. To provision a resource:

Note: The following procedure is performed using the direct provisioning approach.

1. Log in to the Administrative and User Console.

2. From the Users menu:

   • Select Create if you want to first create the OIM User and then provision a database account to the user.

   • Select Manage if you want to provision a database account to an existing OIM User.

3. If you select Create, on the Create User page, enter values for the OIM User fields, and then click Create User.

   
   

4. If you select Manage, then search for the OIM User and select the link for the user from list of users displayed in the search results.

   
   

5. On the User Detail page, select Resource Profile from the list at the top of the page.

   
   

6. On the Resource Profile page, click Provision New Resource.

   
   

7. On the Step 1: Select a Resource page, depending on the target system that you are using, select the appropriate resource from the list, and then click Continue.

   
   

8. On the Verify Resource Selection page, click Continue.

   
   

9. On the Provide Process Data page, enter the details of the account that you want to create on the target system and then click Continue.

   
   

10. On the Step 2: Verify Process Data page, verify the data that you entered and then click Continue.

    
    

11. On Step 5: Provide Process Data page, for process data, enter the details of the account that you want to create on the target system and then click Continue.

12. If you want to provide child data, then on the Step 5: Provide Process Data page for child data, search for and select the child data for the user on the target system and then click Continue. Repeat the same step if you have more than one child data and you want to provision them.

    
    

13. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

14. The "Provisioning has been initiated" message is displayed. Click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user.

    
    

15. If you click the View link in the Process Form column, then the process form is displayed.

    
    

16. If you click the resource, then the Resource Provisioning Details page is displayed.

    
    

See Also: Section 1.7, "Connector Objects Used During Provisioning" for more information about the provisioning functions supported by this connector and the process form fields used for provisioning