Oracle® Identity Manager Connector Guide for PeopleSoft User Management Release 9.1.1 E11206-06 |
Oracle Identity Manager automates access rights management, security, and provisioning of resources to various target systems. Oracle Identity Manager Connectors are used to integrate Oracle Identity Manager with target applications. This guide discusses the connector that enables you to use PeopleSoft Enterprise Applications as a managed (target) source of User Profile data for Oracle Identity Manager.
Note: In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed. At some places in this guide, PeopleSoft Enterprise Applications is referred to as the target system.
The PeopleSoft User Management connector helps you to manage PeopleTools-based PSOPRDEFN User Profile records in PeopleSoft applications including Role and Permission List assignments to these records. This is done through target resource reconciliation and provisioning.
In the target resource configuration, information about user accounts created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.
Note: See Oracle Identity Manager Connector Concepts for detailed information about connector deployment configurations.
This chapter contains the following sections:
Section 1.5, "Lookup Definitions Used During Connector Operations"
Section 1.8, "Roadmap for Deploying and Using the Connector"
Table 1-1 lists the components certified for use with the connector.
Table 1-1 Certified Components
Item | Requirement |
---|---|
Oracle Identity Manager | Oracle Identity Manager release 9.1.0.2 BP04 |
Target system | PeopleTools 8.48 and PeopleTools 8.49. Note: PeopleTools 8.50 is not supported in this release. |
Target system components | Ensure that the following components are installed and configured in the target system environment: The following standard PeopleSoft messages are available: USER_PROFILE and DELETE_USER_PROFILE (see Section 1.4.2, "Support for Standard PeopleSoft Messages"). |
JDK | JDK 1.5 or later |
Determining the Version of PeopleTools and the Target System
Before you deploy the connector, you might want to determine the version of PeopleTools and the target system you are using to check whether you are using the combination supported by this connector. To do so, perform the following steps:
Open a Web browser and enter the URL of PeopleSoft Internet Architecture. The URL of PeopleSoft Internet Architecture is in the following format:
http://IPADDRESS:PORT/psp/ps/?cmd=login
For example:
http://172.21.109.69:9080/psp/ps/?cmd=login
Click Change My Password. On the page that is displayed, press Ctrl+J. The version of PeopleTools and the target system that you are using is displayed.
The connector supports the following languages:
Arabic
Chinese Simplified
Chinese Traditional
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also: Oracle Identity Manager Globalization Guide for information about supported special characters
Figure 1-1 shows the architecture of the connector.
The architecture of the connector can be explained in terms of the connector operations it supports. They are listed as follows:
PeopleSoft Enterprise Application is configured as a target resource of Oracle Identity Manager. Through reconciliation, account data that is created and updated on the target system is fetched into Oracle Identity Manager and stored against the corresponding OIM Users.
Standard PeopleSoft XML files and messages are the medium of data interchange between PeopleSoft Enterprise Applications and Oracle Identity Manager.
The way account data reaches Oracle Identity Manager depends on the type of reconciliation that you configure: lookup reconciliation, full reconciliation, or incremental reconciliation.
A lookup reconciliation run fetches the Email Types, Currency Codes, Language Codes, Permission Lists, and Roles defined on the target system and loads them into the corresponding lookup definitions in Oracle Identity Manager, so that they can be used during provisioning. The values are exchanged through .properties files, which are generated at a user-specified location by running an Application Engine process.
Oracle recommends that you run lookup reconciliation at periodic intervals to ensure that all the lookup data is reconciled into Oracle Identity Manager. See Section 3.3.1, "Performing Lookup Reconciliation" for instructions to perform Lookup reconciliation.
Note: To reconcile all existing target system records into Oracle Identity Manager, you must run full reconciliation the first time you perform a reconciliation run after deploying the connector. This is to ensure that the target system and Oracle Identity Manager contain the same data.
The standard PeopleSoft message, USER_PROFILE is used for sending user profile data to external applications, such as Oracle Identity Manager. A full reconciliation run involves fetching all the records from the target system and using them for reconciliation in Oracle Identity Manager through XML files. This is implemented using the USER_PROFILE message XML file. See Section 1.4.2, "Support for Standard PeopleSoft Messages" for more information about the message.
Full reconciliation involves the following steps:
The PeopleSoft Integration Broker populates the XML files for the USER_PROFILE message with all the user profile data.
Copy these XML files to a directory on the Oracle Identity Manager host computer. These files contain the complete user profile data of the target system, so restrict read access to that directory to the account under which Oracle Identity Manager runs.
Configure the PeopleSoft User Management Target Reconciliation scheduled task. The XML files are read by this scheduled task to generate reconciliation events.
See Section 3.3.2, "Performing Full Reconciliation" for instructions to perform full reconciliation.
Incremental reconciliation is the near-real-time reconciliation of newly created or modified user data. It is achieved through PeopleSoft application messaging, using the standard messages USER_PROFILE and DELETE_USER_PROFILE. See Section 1.4.2, "Support for Standard PeopleSoft Messages" for more information about these messages. You use incremental reconciliation to reconcile individual data changes after an initial full reconciliation run has been performed.
Incremental reconciliation involves the following steps:
When user data is added, updated, or deleted in the target system, a PeopleCode event is activated.
The Integration Broker generates an XML message, USER_PROFILE or DELETE_USER_PROFILE, that contains the modified or deleted user data and sends it in real time to the PeopleSoft listener over HTTP. The PeopleSoft listener is a Web application that is deployed on the Oracle Identity Manager host computer. If SSL is configured, then the message is sent to the PeopleSoft listener over HTTPS; without SSL, the user profile data in the message travels over the network in clear text.
The PeopleSoft listener parses the XML message and creates a reconciliation event in Oracle Identity Manager.
See Section 3.3.3, "Performing Incremental Reconciliation" for instructions to perform incremental reconciliation.
PeopleSoft Enterprise Application is configured as a target resource of Oracle Identity Manager. Through provisioning operations performed on Oracle Identity Manager, accounts are created and updated on the target system for OIM Users.
During a provisioning operation, the adapters pass on user data that is created, modified, or deleted in Oracle Identity Manager to PeopleSoft Enterprise Applications.
By default, the connector supports the Customer and Vendor ID Types in addition to the Employee ID Type. The connector can be extended to support new ID Types, depending on the PeopleSoft application module being provisioned. The new ID Type can then be linked to a user profile for provisioning. See Section 1.4.8, "Adding New ID Types" for more information.
See Oracle Identity Manager Connector Concepts for conceptual information about provisioning.
The PeopleSoft Internet Architecture is flexible; this means that you have many options to consider for deploying PeopleSoft across your enterprise. The following section describes a split-deployment scenario where the Jolt listener resides on a different computer than the Integration Broker.
Figure 1-2 shows the architecture of the connector that supports a split-deployment scenario.
Figure 1-2 Architecture of the Connector for a Split-Deployment Scenario
In this configuration:
The Application Engine is run to generate the properties files for lookup reconciliation at a user-specified location on the PeopleSoft Application Server. These files are then fed to the respective scheduled tasks in Oracle Identity Manager for lookup reconciliation. See Section 3.2, "Configuring the Scheduled Tasks for Lookup Field Synchronization" for more information.
Similarly, the Integration Broker creates the standard PeopleSoft XML files at a user-specified location on the PeopleSoft Application Server for full reconciliation. These XML files are read by the PeopleSoft User Management Target Reconciliation scheduled task to generate reconciliation events.
Incremental reconciliation is achieved by sending in real time standard PeopleSoft XML messages directly from PeopleSoft Integration Broker to the PeopleSoft listener over HTTP. The PeopleSoft listener is a Web application that is deployed on the Oracle Identity Manager host computer.
Provisioning of PeopleSoft user accounts is implemented from Oracle Identity Manager through the PeopleSoft Component Interface-based Java APIs. These APIs connect to the Application Server JOLT port through a limited rights user who has the privilege to add, update, and delete PeopleSoft user accounts.
The following are the features of the connector:
Section 1.4.3, "Support for Resending Messages That Are Not Processed"
Section 1.4.5, "Validation and Transformation of Account Data"
Section 1.4.10, "Specifying Accounts to Be Excluded from Reconciliation and Provisioning Operations"
Section 1.4.11, "Support for Multiple Versions of the Target System"
The connector supports reconciliation in two ways:
In a full reconciliation run, all records are fetched from the target system to Oracle Identity Manager in the form of XML files. In incremental reconciliation, records that are added, modified, or deleted are directly sent to the listener deployed on the Oracle Identity Manager host computer. The listener parses the records and sends reconciliation events to Oracle Identity Manager.
PeopleSoft provides standard messages to synchronize user profiles with external applications, such as Oracle Identity Manager. The connector uses these standard PeopleSoft messages, which are delivered as part of the PeopleSoft installation, to achieve full reconciliation and incremental reconciliation. They are listed as follows:
USER_PROFILE
DELETE_USER_PROFILE
The USER_PROFILE message contains information about user accounts that are created or modified. The DELETE_USER_PROFILE message contains information about user accounts that are deleted.
Full reconciliation fetches all the records present in PeopleSoft into Oracle Identity Manager by running the USER_PROFILE message. When a user profile is updated in PeopleSoft, the USER_PROFILE message is triggered and Oracle Identity Manager uses it for incremental reconciliation. When a user profile is deleted in PeopleSoft, the DELETE_USER_PROFILE message is triggered to delete the corresponding provisioned resource in Oracle Identity Manager. DELETE_USER_PROFILE is supported only through incremental reconciliation.
To distinguish between the full and incremental reconciliation USER_PROFILE XML messages, you must identify the number of transaction nodes in the message. In case of full reconciliation, the USER_PROFILE message has multiple transaction nodes. But, in incremental reconciliation, the USER_PROFILE message has a single transaction node for a particular user.
Standard messages provided by PeopleSoft are asynchronous: the PeopleSoft Integration Broker queues each message and tracks its delivery status. If a message is not delivered successfully, Integration Broker marks that message as not delivered, and the message can then be retried manually.
If the connector is not able to process the message successfully, it sends an error code and PeopleSoft Integration Broker marks that message as Failed. A message marked as Failed can be resent to the listener. See Section 3.4, "Resending Messages That Are Not Received by the PeopleSoft Listener" for details.
See Also: The "Resubmitting and Canceling Service Operations for Processing" topic in Enterprise PeopleTools 8.49 PeopleBook: PeopleSoft Integration Broker, available on Oracle Technology Network.
Target authentication determines whether Oracle Identity Manager accepts messages from the target system. It is performed by passing the name of the IT resource in the Integration Broker node, so you must ensure that the correct IT resource name is specified in the node. See Section 2.2.2.3.1, "Configuring PeopleSoft Integration Broker" for setting up the node. In addition, the IsActive flag of the IT resource is checked. The value of this flag is Yes by default; target authentication is carried out only when it is Yes, and fails if it is set to No. Note that the IT resource name is a configuration value, not a secret, so this check identifies the sending node rather than proving that a message originated from your PeopleSoft system. Protect the listener with HTTPS and restrict which hosts can reach it.
You can configure validation of account data that is brought into or sent from Oracle Identity Manager during reconciliation and provisioning. In addition, you can configure transformation of account data that is brought into Oracle Identity Manager during reconciliation.
Section 4.7, "Configuring Validation of Data During Reconciliation" provides information about setting up the validation feature.
Section 4.8, "Configuring Transformation of Data During Reconciliation" provides information about setting up the transformation feature.
A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads such as network latency, memory allocation, and authentication.
One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools are created, one for each target system installation.
The configuration properties of the connection pool are part of the IT resource definition. Section 2.2.1.3, "Configuring the IT Resource" provides information about setting up the connection pool.
Note: The connector does not support connection pooling when provisioning to multiple versions of the target system. In other words, connection pooling is supported only when provisioning is done for one version of the target system, that is, when the Multiple Version Support parameter is set to No in the Lookup.PSFT.Configuration lookup definition.
The connector can populate a single lookup definition with values retrieved from two target system servers. This is made possible by including the IT resource name in the lookup Code Key.
You can configure the connector to support additional ID Types. By default, the connector supports the following ID Types in addition to the Employee (EMP) ID Type:
Customer (CST)
Vendor (VND)
The following additional attributes are provided in the Oracle Identity Manager process form to support these ID Types:
For Customer:
Set ID
Customer ID
For Vendor:
Set ID
Vendor ID
The Section 4.4, "Adding New ID Types for Provisioning" describes the procedure to add a new ID Type.
When a user profile is deleted from PeopleSoft, a DELETE_USER_PROFILE message is triggered from PeopleSoft that deletes the corresponding provisioned resource in Oracle Identity Manager.
You can specify a list of accounts that must be excluded from all reconciliation and provisioning operations. Accounts whose user IDs you specify in the exclusion list are not affected by reconciliation and provisioning operations. See Section 1.5.2.3.4, "Lookup.PSFT.UM.ExclusionList" for more information.
Note: The connector supports only the PeopleTools 8.48 and PeopleTools 8.49 versions of the target system in this release. See Section 1.1, "Certified Components" for more information about certification. If you are using a PeopleTools version that is not supported, then you are likely to encounter issues that might be difficult to resolve.
The connector can be configured to work with different versions of the target system at the same time. For example, you can use a single instance of the connector to integrate Oracle Identity Manager with a PeopleTools 8.48 installation and a PeopleTools 8.49 installation.
See Section 2.2.1.4, "Configuring the Connector to Support Multiple Versions of the Target System" for more information.
Lookup definitions used during connector operations can be categorized as follows:
During a provisioning operation, you use a lookup field to specify a single value from a set of values. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
Note: As an implementation best practice, lookup fields should be synchronized before you perform reconciliation or provisioning operations.
Table 1-2 lists the lookup fields that are synchronized with their corresponding lookup definitions in Oracle Identity Manager.
Table 1-2 Lookup Fields That Are Synchronized
Lookup Definition | Target System Lookup Field | Synchronization Method |
---|---|---|
Lookup.PSFT.UM.LanguageCode | Language Code | You use the Language Code Lookup Reconciliation scheduled task to synchronize this lookup definition. |
Lookup.PSFT.UM.CurrencyCode | Currency Code | You use the Currency Code Lookup Reconciliation scheduled task to synchronize this lookup definition. |
Lookup.PSFT.UM.PermissionList | Permission Lists | You use the Permission List Lookup Reconciliation scheduled task to synchronize this lookup definition. |
Lookup.PSFT.UM.EmailType | Email Type | You use the Email Type Lookup Reconciliation scheduled task to synchronize this lookup definition. |
Lookup.PSFT.UM.Roles | Role Name | You use the Roles Lookup Reconciliation scheduled task to synchronize this lookup definition. |
This section describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.
The predefined lookup definitions can be categorized as follows:
Section 1.5.2.1, "Lookup Definitions Used to Process USER_PROFILE Messages"
Section 1.5.2.2, "Lookup Definitions Used to Process DELETE_USER_PROFILE Messages"
The following lookup definitions are used to process the USER_PROFILE messages:
The Lookup.PSFT.Message.UserProfile.Configuration lookup definition provides configuration-related information for the USER_PROFILE message.
The Lookup.PSFT.Message.UserProfile.Configuration lookup definition has the following entries:
Code Key | Decode | Description |
---|---|---|
Attribute Mapping Lookup | Lookup.PSFT.UM.UserProfile.AttributeMapping | Name of the lookup definition that maps Oracle Identity Manager attributes with the attributes in the USER_PROFILE message. See Section 1.5.2.1.2, "Lookup.PSFT.UM.UserProfile.AttributeMapping" for more information about this lookup definition. |
Child Table Lookup Definition | Lookup.PSFT.UM.UserProfile.ChildTables | Name of the lookup definition that maps resource object fields and multivalued target system attributes |
Custom Query | Enter a Value | If you want to implement limited reconciliation, then enter the query condition that you create by following the instructions given in Section 3.3.4, "Limited Reconciliation." |
Data Node Name | Transaction | Name of the node in the XML files that delimits one transaction. Default value: Transaction. You must not change the default value. |
IT Resource Name | PSFT Server | Name of the IT resource |
Message Handler Class | oracle.iam.connectors.psft.common.handler.impl.PSFTUserProfileReconMessageHandlerImpl | Name of the Java class that accepts the XML payload, configuration information, and a handle to Oracle Identity Manager. Depending on the message type, it retrieves the appropriate configuration from Oracle Identity Manager and processes the message. To parse a specific message type, it relies on a Message Parser factory. If you want a customized implementation of the message, then you must extend the |
Message Parser | oracle.iam.connectors.psft.common.parser.impl.UserMessageParser | Name of the parser implementation class that contains the logic for message parsing. If you want a customized implementation of the message, then you must extend the |
Recon Lookup Definition | Lookup.PSFT.UM.UserProfile.Recon | Name of the lookup definition that maps the Oracle Identity Manager attributes with the Resource Object attributes |
Resource Object | Peoplesoft User | Name of the resource object |
Transformation Lookup Definition | Lookup.PSFT.UM.UserProfile.Transformation | Name of the transformation lookup definition. See Section 4.8, "Configuring Transformation of Data During Reconciliation" for more information about adding entries in this lookup definition. |
User Status Lookup | Lookup.PSFT.UM.UserProfile.UserStatus | Name of the lookup definition that provides the user status. See Section 1.5.2.1.4, "Lookup.PSFT.UM.UserProfile.UserStatus" for more information about this lookup definition. |
Use Transformation | No | Set to Yes to enable transformation of account data during reconciliation. Default value: No. |
Use Validation | No | Set to Yes to enable validation of account data during reconciliation. Default value: No. |
Validation Lookup Definition | Lookup.PSFT.UM.UserProfile.Validation | Name of the validation lookup definition. See Section 4.7, "Configuring Validation of Data During Reconciliation" for more information about adding entries in this lookup definition. |
The Lookup.PSFT.UM.UserProfile.AttributeMapping lookup definition maps OIM User attributes with the attributes defined in the USER_PROFILE message XML. The following is the format of the values stored in this lookup definition:
Code Key | Decode |
---|---|
Currency Code | CURRENCY_CD~PSOPRDEFN |
Customer ID | CUST_ID~PSOPRALIAS~OPRALIASTYPE=CST |
Customer Set ID | SETID~PSOPRALIAS~OPRALIASTYPE=CST |
Email ID | EMAILID~PSUSEREMAIL~PRIMARY_EMAIL=N~None~CHILD=Email IDs |
Email Type | EMAILTYPE~PSUSEREMAIL~PRIMARY_EMAIL=N~None~CHILD=Email IDs |
Employee ID | EMPLID~PSOPRALIAS~OPRALIASTYPE=EMP |
Language Code | LANGUAGE_CD~PSOPRDEFN |
Multi Language Code | MULTILANG~PSOPRDEFN |
Navigator Home Permission List | DEFAULTNAVHP~PSOPRDEFN |
Primary Email ID | EMAILID~PSUSEREMAIL~PRIMARY_EMAIL=Y |
Primary Email Type | EMAILTYPE~PSUSEREMAIL~PRIMARY_EMAIL=Y |
Primary Permission List | OPRCLASS~PSOPRDEFN |
Process Profile Permission List | PRCSPRFLCLS~PSOPRDEFN |
Role | ROLENAME~PSROLEUSER_VW~None~None~CHILD=Roles |
Row Security Permission List | ROWSECCLASS~PSOPRDEFN |
Symbolic ID | SYMBOLICID~PSOPRDEFN |
User Description | OPRDEFNDESC~PSOPRDEFN |
User ID | OPRID~PSOPRDEFN~None~None~PRIMARY |
User ID Alias | USERIDALIAS~PSOPRDEFN |
User Status | ACCTLOCK~PSOPRDEFN |
Vendor ID | VENDOR_ID~PSOPRALIAS~OPRALIASTYPE=VND |
Vendor Set ID | SETID~PSOPRALIAS~OPRALIASTYPE=VND |
Code Key: Name of the OIM User field
Decode: Combination of the following elements separated by the tilde (~) character:
NODE~PARENT NODE~TYPE NODE=Value~EFFECTIVE DATED NODE~PRIMARY or CHILD=Multivalued Child Table RO Field
In this format:
NODE: Name of the node in the USER_PROFILE message XML from which the value is read. You must specify the name of the NODE in the lookup definition. It is a mandatory field.
PARENT NODE: Name of the parent node for the NODE. You must specify the name of the parent node in the lookup definition. It is a mandatory field.
TYPE NODE=Value: Name of a sibling node under the PARENT NODE and the value it must have for that row to be selected. For example, OPRALIASTYPE=EMP selects only the PSOPRALIAS row whose OPRALIASTYPE is EMP, so that EMPLID is read from the employee alias and not from a customer or vendor alias.
EFFECTIVE DATED NODE: Effective-dated node for the NODE, if any.
PeopleSoft supports effective-dated events. The value refers to the name of the node that provides information about the date on which the event becomes effective.
The USER_PROFILE message does not support effective-dated information. Therefore, the value of this parameter in the preceding syntax is None.
PRIMARY or Child=Multivalued Child Table RO Field: Specifies if the node is a mandatory field or a multivalued attribute on Oracle Identity Manager.
In case of multivalued attribute data, CHILD specifies that this is a Child data followed by the name of the table defined in the resource object to which the data corresponds.
The following scenario illustrates how to map the entries in the lookup definition.
You want to retrieve the value for the Email Type Code Key that is defined as a multivalued attribute in Oracle Identity Manager. In PeopleSoft, the rowset PSUSEREMAIL lists the e-mail IDs assigned to a user. The NODE will be EMAILTYPE as depicted in the XML file. See the sample XML file in Figure 1-3 for more information about each node in the USER_PROFILE message.
Figure 1-3 Sample XML File for USER_PROFILE Message
The PARENT NODE for the NODE EMAILTYPE will be PSUSEREMAIL. Now suppose you want to retrieve the e-mail IDs that are not defined as Primary. In this case, you must identify the TYPE NODE under the PARENT NODE that has the value N. In this example, the TYPE NODE is PRIMARY_EMAIL with the value N.
The effective-dated node will be None, because the USER_PROFILE message does not provide this information.
The Multivalued Child Table RO Field in this scenario is Email IDs. It is the name of the table defined in the Resource Object for the Email ID child attribute.
If you do not want to provide any element in the Decode column, then you must specify None. This is implemented for the User ID attribute.
Now, you can concatenate the various elements of the syntax by using a tilde (~) to create the Decode entry for Email Type, as follows:
NODE: EMAILTYPE
PARENT NODE: PSUSEREMAIL
TYPE NODE=Value: PRIMARY_EMAIL=N
EFFECTIVE DATED NODE: None
Child=Multivalued Child Table RO Field: CHILD=Email IDs
So, the Decode column for Email Type is as follows:
EMAILTYPE~PSUSEREMAIL~PRIMARY_EMAIL=N~None~CHILD=Email IDs
The Lookup.PSFT.UM.UserProfile.Recon lookup definition maps the resource object field name with the value fetched from the Lookup.PSFT.UM.UserProfile.AttributeMapping lookup.
The Lookup.PSFT.UM.UserProfile.Recon lookup definition has the following entries:
Code Key | Decode |
---|---|
Currency Code | Currency Code~None~LKF |
Customer ID | Customer ID |
Customer Set ID | Customer Set ID |
Email Address | Email ID~None~None~Child |
Email Type | Email Type~None~LKF~Child |
Employee ID | Employee ID |
ITResource Name | IT Resource Name |
Language Code | Language Code~None~LKF |
MultiLanguage code | Multi Language Code |
Navigator Home Page | Navigator Home Permission List~None~LKF |
Primary Email Address | Primary Email ID |
Primary Email Type | Primary Email Type~None~LKF |
Primary Permission | Primary Permission List~None~LKF |
Process Profile | Process Profile Permission List~None~LKF |
Role Name | Role~None~LKF~Child |
Row Security | Row Security Permission List~None~LKF |
Symbolic ID | Symbolic ID |
User Description | User Description |
User ID | User ID |
User ID Alias | User ID Alias |
User Status | User Status~User Status Lookup |
Vendor ID | Vendor ID |
Vendor Set ID | Vendor Set ID |
Code Key: Name of the resource object field in Oracle Identity Manager
Decode: Combination of the following elements separated by a tilde (~) character:
ATTRIBUTE~LOOKUP DEF~LKF~Child
In this format:
ATTRIBUTE: Refers to the Code Key of the Lookup.PSFT.UM.UserProfile.AttributeMapping lookup definition. This element is mandatory; the remaining elements are optional.
LOOKUP DEF: Name of the lookup definition, if the value of the attribute is retrieved from a lookup. The value is the Code Key under which that lookup is specified in the message-specific configuration lookup (for example, User Status Lookup). Specify None if no lookup is used.
LKF: Specifies that the attribute is a lookup field on the process form. Specify None if it is not.
Child: Specifies that the attribute belongs to a multivalued child table of the resource object, as for the Email Address, Email Type, and Role Name entries.
Consider the scenario discussed in Section 1.5.2.1.2, "Lookup.PSFT.UM.UserProfile.AttributeMapping." In that example, you fetched the Email Type in the Code Key column from the EMAILTYPE node of the XML file.
Now, you must map this Email Type defined in the Lookup.PSFT.UM.UserProfile.AttributeMapping lookup definition with the resource object attribute Email Type defined in the Lookup.PSFT.UM.UserProfile.Recon lookup definition Code Key.
For example, if the name of the Code Key column in the Lookup.PSFT.UM.UserProfile.AttributeMapping lookup definition is E_Type then you define the mapping in the Lookup.PSFT.UM.UserProfile.Recon lookup definition as follows:
Code Key: Email Type
Decode: E_Type~None~LKF
In other words, this implies that the value for Email Type in the Lookup.PSFT.UM.UserProfile.Recon lookup definition is fetched from E_Type defined in the attribute mapping lookup definition.
The same process holds true for other attributes defined in the lookup.
However, to fetch the value of the User Status resource object field, you must consider the User Status lookup definition. User Status is defined in the message-specific attribute lookup, Lookup.PSFT.UM.UserProfile.AttributeMapping, which has a value 0 that is fetched from the ACCTLOCK node in the XML.
Now, the User Status Lookup is defined in the message-specific configuration, Lookup.PSFT.Message.UserProfile.Configuration lookup definition. The mapping is as follows:
Code Key: User Status Lookup
Decode: Lookup.PSFT.UM.UserProfile.UserStatus
In other words, you must search for the value 0 in the Lookup.PSFT.UM.UserProfile.UserStatus lookup definition. The mapping in the Lookup.PSFT.UM.UserProfile.UserStatus lookup definition is defined as follows:
Code Key: 0
Decode: Enabled
The resource is updated with the user status as Enabled.
The Lookup.PSFT.UM.UserProfile.UserStatus lookup definition maps the value of the ACCTLOCK node in the USER_PROFILE message XML with the status to be shown in Oracle Identity Manager for the user.
The Lookup.PSFT.UM.UserProfile.UserStatus lookup definition has the following entries:
Code Key | Decode |
---|---|
0 | Enabled |
1 | Disabled |
Section 2.3.1.4, "Setting Up the Lookup.PSFT.UM.UserProfile.UserStatus Lookup Definition" describes the procedure to modify the Decode values in this lookup definition.
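The following Python script is an added worked example, not the connector's own code, that applies the three lookup definitions discussed above (Lookup.PSFT.UM.UserProfile.AttributeMapping, Lookup.PSFT.UM.UserProfile.Recon, and Lookup.PSFT.UM.UserProfile.UserStatus) to a constructed USER_PROFILE message: it parses the tilde-separated Decode syntax, filters rowset rows by TYPE NODE=Value, pivots CHILD= attributes into child-table rows, resolves ACCTLOCK through the user status lookup, counts Transaction nodes to tell a full-reconciliation file from an incremental message, and applies the target-authentication check (IT resource name plus IsActive flag) described earlier in this chapter before processing. The XML layout (a Transaction element containing one element per rowset, named as in the PARENT NODE column, with each field as a child element), the sample data, the IT resource state, and the way the node name reaches the listener are all assumptions, not taken from the guide or the connector.

```python
"""Added example (not connector code): apply the AttributeMapping, Recon and
UserStatus lookup definitions to a constructed USER_PROFILE message."""
import xml.etree.ElementTree as ET
from collections import namedtuple

# Subsets of the lookup definitions, copied from the tables in this chapter.
ATTRIBUTE_MAPPING = {
    "User ID": "OPRID~PSOPRDEFN~None~None~PRIMARY",
    "Employee ID": "EMPLID~PSOPRALIAS~OPRALIASTYPE=EMP",
    "Currency Code": "CURRENCY_CD~PSOPRDEFN",
    "User Status": "ACCTLOCK~PSOPRDEFN",
    "Primary Email ID": "EMAILID~PSUSEREMAIL~PRIMARY_EMAIL=Y",
    "Email ID": "EMAILID~PSUSEREMAIL~PRIMARY_EMAIL=N~None~CHILD=Email IDs",
    "Email Type": "EMAILTYPE~PSUSEREMAIL~PRIMARY_EMAIL=N~None~CHILD=Email IDs",
    "Role": "ROLENAME~PSROLEUSER_VW~None~None~CHILD=Roles",
}
RECON_MAPPING = {  # resource object field -> ATTRIBUTE~LOOKUP DEF~LKF[~Child]
    "User ID": "User ID",
    "Employee ID": "Employee ID",
    "Currency Code": "Currency Code~None~LKF",
    "User Status": "User Status~User Status Lookup",
    "Primary Email Address": "Primary Email ID",
    "Email Address": "Email ID~None~None~Child",
    "Email Type": "Email Type~None~LKF~Child",
    "Role Name": "Role~None~LKF~Child",
}
CHILD_TABLES = {"Email IDs": ["Email Address", "Email Type"], "Roles": ["Role Name"]}
MESSAGE_CONFIG = {"Data Node Name": "Transaction", "User Status Lookup": {"0": "Enabled", "1": "Disabled"}}
IT_RESOURCES = {"PSFT Server": {"IsActive": "Yes"}}  # assumed IT resource state

Spec = namedtuple("Spec", "node parent type_node type_value child_table")

def parse_decode(decode):
    """Split NODE~PARENT~TYPE=Value~EFFDT~PRIMARY|CHILD=table ('None' = absent)."""
    parts = (decode.split("~") + ["None"] * 5)[:5]
    type_node = type_value = None
    if "=" in parts[2]:
        type_node, type_value = parts[2].split("=", 1)
    child = parts[4][len("CHILD="):] if parts[4].startswith("CHILD=") else None
    return Spec(parts[0], parts[1], type_node, type_value, child)

def read_values(txn, spec):
    """NODE values from every PARENT row in the transaction that passes the TYPE filter."""
    out = []
    for row in txn.iter(spec.parent):
        if spec.type_node and row.findtext(spec.type_node) != spec.type_value:
            continue  # e.g. skip PSOPRALIAS rows whose OPRALIASTYPE is not EMP
        val = row.findtext(spec.node)
        if val is not None:
            out.append(val.strip())
    return out

def build_event(txn):
    """Apply the Recon lookup: single-valued fields, lookup translation, child tables."""
    event, child_cols = {}, {}
    for ro_field, decode in RECON_MAPPING.items():
        parts = decode.split("~")
        spec = parse_decode(ATTRIBUTE_MAPPING[parts[0]])
        values = read_values(txn, spec)
        if len(parts) > 1 and parts[1] != "None":  # translate through a lookup
            table = MESSAGE_CONFIG[parts[1]]
            values = [table.get(v, v) for v in values]
        if parts[-1] == "Child":
            child_cols.setdefault(spec.child_table, {})[ro_field] = values
        else:
            event[ro_field] = values[0] if values else None
    for table, cols in child_cols.items():  # pivot columns into child-table rows
        names = CHILD_TABLES[table]
        event[table] = [dict(zip(names, r)) for r in zip(*(cols[n] for n in names))]
    return event

def target_authenticate(node_name):
    """The node must name a known IT resource whose IsActive flag is Yes."""
    res = IT_RESOURCES.get(node_name)
    return res is not None and res.get("IsActive") == "Yes"

def reconcile(xml_text, node_name):
    """Return (mode, events); more than one Transaction node means a full-recon file."""
    if not target_authenticate(node_name):
        raise PermissionError("target authentication failed for node %r" % node_name)
    root = ET.fromstring(xml_text)
    txns = list(root.iter(MESSAGE_CONFIG["Data Node Name"]))
    mode = "full" if len(txns) > 1 else "incremental"
    return mode, [build_event(t) for t in txns]

# Constructed sample (layout assumed); two transactions, so it is a full-recon file.
SAMPLE_XML = """<USER_PROFILE><MsgData><Transaction>
 <PSOPRDEFN><OPRID>JSMITH</OPRID><ACCTLOCK>0</ACCTLOCK><CURRENCY_CD>USD</CURRENCY_CD></PSOPRDEFN>
 <PSOPRALIAS><OPRALIASTYPE>EMP</OPRALIASTYPE><EMPLID>KU0001</EMPLID></PSOPRALIAS>
 <PSOPRALIAS><OPRALIASTYPE>CST</OPRALIASTYPE><CUST_ID>C100</CUST_ID></PSOPRALIAS>
 <PSUSEREMAIL><EMAILTYPE>BUS</EMAILTYPE><EMAILID>j@corp.example</EMAILID><PRIMARY_EMAIL>Y</PRIMARY_EMAIL></PSUSEREMAIL>
 <PSUSEREMAIL><EMAILTYPE>HOME</EMAILTYPE><EMAILID>j@home.example</EMAILID><PRIMARY_EMAIL>N</PRIMARY_EMAIL></PSUSEREMAIL>
 <PSROLEUSER_VW><ROLENAME>PeopleSoft User</ROLENAME></PSROLEUSER_VW>
 <PSROLEUSER_VW><ROLENAME>Manager</ROLENAME></PSROLEUSER_VW>
</Transaction>
<Transaction><PSOPRDEFN><OPRID>LOCKED1</OPRID><ACCTLOCK>1</ACCTLOCK><CURRENCY_CD>EUR</CURRENCY_CD></PSOPRDEFN></Transaction>
</MsgData></USER_PROFILE>"""
```

Calling reconcile(SAMPLE_XML, "PSFT Server") yields mode "full" and two events; the first carries the employee ID from the EMP alias only, the non-primary e-mail in the Email IDs child table, both roles, and User Status "Enabled", while the second (ACCTLOCK 1) maps to "Disabled" with empty child tables. The same parsing applies to the XML files that the PeopleSoft User Management Target Reconciliation scheduled task reads from disk during full reconciliation; only the transport differs. DELETE_USER_PROFILE messages would need their own, smaller mapping, which is not shown here.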
The Lookup.PSFT.UM.UserProfile.ChildTables lookup definition maps the resource object fields with the multivalued target system attributes.
Code Key: Multivalued Child Table resource object field
Decode: Child Table attributes defined in the resource object, separated by the tilde (~) character
The following screenshot displays the link between the table and the resource object attribute:
The Lookup.PSFT.UM.UserProfile.ChildTables lookup definition has the following entries:
Code Key | Decode |
---|---|
Email IDs | Email Address~Email Type |
Roles | Role Name |
The Lookup.PSFT.UM.UserProfile.Validation lookup definition is used to store the mapping between the attribute for which validation has to be applied and the validation implementation class.
The Lookup.PSFT.UM.UserProfile.Validation lookup definition is empty by default.
See Section 4.7, "Configuring Validation of Data During Reconciliation" for more information about adding entries in this lookup definition.
The Lookup.PSFT.UM.UserProfile.Transformation lookup definition is used to store the mapping between the attribute for which transformation has to be applied and the transformation implementation class.
The Lookup.PSFT.UM.UserProfile.Transformation lookup definition is empty by default.
See Section 4.8, "Configuring Transformation of Data During Reconciliation" for more information about adding entries in this lookup definition.
The following lookup definitions are used to process DELETE_USER_PROFILE messages:
The Lookup.PSFT.Message.DeleteUserProfile.Configuration lookup definition provides configuration-related information for the DELETE_PROFILE message.
The Lookup.PSFT.Message.DeleteUserProfile.Configuration lookup definition has the following entries:
Code Key | Decode | Description |
---|---|---|
Attribute Mapping Lookup | Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping | Name of the lookup definition that maps Oracle Identity Manager attributes with attributes in the DELETE_PROFILE message
See Section 1.5.2.2.2, "Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping" for more information about this lookup definition. |
Data Node Name | Transaction | Name of the node in the XML files to run a transaction
Default value: You must not change the default value. |
IT Resource Name | PSFT Server | Name of the IT Resource |
Message Handler Class | oracle.iam.connectors.psft.common.handler.impl.PSFTDeleteUserReconMessageHandlerImpl | Name of the Java class that accepts the XML payload, configuration information, and a handle to Oracle Identity Manager. Depending on the message type, it retrieves the appropriate configuration from Oracle Identity Manager and processes the message. To parse a specific message type, it relies on a Message Parser factory.
If you want a customized implementation of the message, then you must extend the |
Message Parser | oracle.iam.connectors.psft.common.parser.impl.DeleteUserMessageParser | Name of the parser implementation class that contains the logic for message parsing
If you want a customized implementation of the message, then you must extend the |
Recon Lookup Definition | Lookup.PSFT.UM.DeleteUserProfile.Recon | Name of the lookup definition that maps the Oracle Identity Manager attributes with the Resource Object attributes
See Section 1.5.2.2.3, "Lookup.PSFT.UM.DeleteUserProfile.Recon" for more information about this lookup definition. |
Resource Object | Peoplesoft User | Name of the resource object |
The Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping lookup definition maps OIM User attributes with the attributes defined in the DELETE_PROFILE message XML.
The following is the format of the values stored in this lookup definition:
Code Key | Decode |
---|---|
User ID | OPRID~PRG_USR_PROFILE~None~None~PRIMARY |
Code Key: Name of the OIM User field
Decode: Combination of the following elements separated by a tilde (~) character:
NODE~PARENT NODE~TYPE NODE=Value~EFFECTIVE DATED NODE~PRIMARY
For more information about the preceding syntax, see Section 1.5.2.1.2, "Lookup.PSFT.UM.UserProfile.AttributeMapping."
The Lookup.PSFT.UM.DeleteUserProfile.Recon lookup definition maps the resource object field name with the value fetched from the Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping lookup definition.
The following is the format of the values stored in this table:
Code Key | Decode |
---|---|
User ID | User ID |
ITResource Name | IT Resource Name |
The following are the predefined generic lookup definitions:
The Lookup.PSFT.Configuration lookup definition is used to store configuration information that is used by the connector. See Section 2.2.1.3, "Configuring the IT Resource" for information about the entries in this lookup definition.
Note: This lookup definition is common to both, Employee Reconciliation and User Management connectors. Therefore, it has entries for both connector features. |
The Lookup.PSFT.Configuration lookup definition has the following entries:
Code Key | Decode | Description |
---|---|---|
Constants Lookup | Lookup.PSFT.UM.Constants | Name of the lookup definition that is used to store constants used by the connector |
DELETE_USER_PROFILE | Lookup.PSFT.Message.DeleteUserProfile.Configuration | Name of the lookup definition for the DELETE_USER_PROFILE message |
Delete User Profile Component Interface Name | DELETE_USER_PROFILE | Component interface that deletes user data in PeopleSoft Enterprise Applications |
HRMS Resource Exclusion List Lookup | Lookup.PSFT.HRMS.ExclusionList | Name of the Resource Exclusion lookup for PeopleSoft Employee Reconciliation
This is used for the Employee Reconciliation functionality, and is not applicable in this context. |
ID Types Attribute Map Lookup | Lookup.PSFT.UM.AttrMap.IDTypes | Name of the lookup definition for ID Type attributes
You must not change this value. See Section 1.5.2.3.5, "Lookup.PSFT.UM.AttrMap.IDTypes" for more information about this lookup definition. |
Ignore Root Audit Action | No | Use this value if the Root PSCAMA audit action is required to be considered while parsing the XML message.
See Also: Appendix A, "Determining the Root Audit Action Details" |
Multiple Version Support | No | Use this parameter to provision multiple versions of the target system.
If the connector is used for provisioning multiple versions of the target system, then the value of this parameter is set to See Section 2.2.1.4, "Configuring the Connector to Support Multiple Versions of the Target System" for details. |
PERSON_BASIC_FULLSYNC | Lookup.PSFT.Message.PersonBasicSync.Configuration | Name of the lookup definition for the PERSON_BASIC_FULLSYNC message
This is used for the Employee Reconciliation functionality, and is not applicable in this context. |
PERSON_BASIC_SYNC | Lookup.PSFT.Message.PersonBasicSync.Configuration | Name of the lookup definition for the PERSON_BASIC_SYNC message
This is used for the Employee Reconciliation functionality, and is not applicable in this context. |
Provisioning Attribute Map Lookup | Lookup.PSFT.UM.Attr.Map.Prov | Name of the lookup definition that contains provisioning information |
Target Date Format | yyyy-MM-dd | Data format of the Date type data in the XML file and messages
You must not change this value. |
UM Resource Exclusion List Lookup | Lookup.PSFT.UM.ExclusionList | Name of the Resource Exclusion lookup for User Management operations
See Section 2.3.1.3, "Setting Up the Lookup.PSFT.UM.ExclusionList Lookup Definition" for more information about this lookup definition. |
USER_PROFILE | Lookup.PSFT.Message.UserProfile.Configuration | Name of the lookup definition for USER_PROFILE message
See Section 1.5.2.1.1, "Lookup.PSFT.Message.UserProfile.Configuration" for more information about this lookup definition. |
User Profile Component Interface Name | USER_PROFILE | Component interface that loads user data in PeopleSoft Enterprise Applications |
User Profile illegal Characters | ,~;~ ~:~&~(~)~\~[~]~/~PPLSOFT | List of characters or strings that are not supported by PeopleSoft in the value specified for any user profile field |
Use Validation For Prov | No | Validation flag for User Management provisioning |
Validation Lookup For Prov | Lookup.PSFT.UM.Validation | Name of the lookup definition required for performing validation while provisioning |
WORKFORCE_FULLSYNC | Lookup.PSFT.Message.WorkForceSync.Configuration | Name of the lookup definition for the WORKFORCE_FULLSYNC message
This is used for the Employee Reconciliation functionality, and is not applicable in this context. |
WORKFORCE_SYNC | Lookup.PSFT.Message.WorkForceSync.Configuration | Name of the lookup definition for the WORKFORCE_SYNC message
This is used for the Employee Reconciliation functionality, and is not applicable in this context. |
You can configure the message names, such as USER_PROFILE and DELETE_USER_PROFILE, defined in this lookup definition. See Section 2.3.1.5, "Setting Up the Lookup.PSFT.Configuration Lookup Definition" for instructions on configuring these message names in the lookup definition.
The Lookup.PSFT.UM.Attr.Map.Prov lookup definition maps the process form fields with the target system APIs. The Code Key holds the names of process form fields. The Decode holds the setApi name and the Data type separated by a comma (,).
The Lookup.PSFT.UM.Attr.Map.Prov lookup definition has the following entries:
Code Key | Decode |
---|---|
UD_PSFT_BAS_NAVIGATORHOMELIST | setNavigatorHomePermissionList,String |
UD_PSFT_BAS_LANGUAGE_CD | setLanguageCode,String |
UD_PSFT_BAS_CURRENCYCODE | setCurrencyCode,String |
UD_PSFT_BAS_OPERPSWD | setPassword,String |
UD_PSFT_BAS_USERIDALIAS | setUserIDAlias,String |
UD_PSFT_BAS_MULTILANG_CD | setMultiLanguageEnabled,BigDecimal |
UD_PSFT_BAS_SYMBOLICID | setSymbolicID,String |
UD_PSFT_BAS_ROWPERMISSIONLIST | setRowSecurityPermissionList,String |
UD_PSFT_BAS_OPRDEFNDESC | setUserDescription,String |
UD_PSFT_BAS_PRPERMISSIONLIST | setPrimaryPermissionList,String |
UD_PSFT_BAS_PROCESSPROFILELIST | setProcessProfilePermissionList,String |
The Lookup.PSFT.UM.Validation lookup definition stores the mapping between the process form column name for which validation has to be applied and the validation implementation class.
The Lookup.PSFT.UM.Validation lookup definition is blank by default.
For example, to perform validation on the User ID attribute you must update the Lookup.PSFT.UM.Validation lookup definition with the following values:
Code Key | Decode |
---|---|
UD_PSFT_BAS_OPRID | Complete Package Name of the Implementation Class |
See Section 4.7, "Configuring Validation of Data During Reconciliation" for more information.
The Lookup.PSFT.UM.ExclusionList lookup definition holds user IDs of target system accounts for which you do not want to perform reconciliation and provisioning.
The following is the format of the values stored in this table:
Code Key: User ID resource object field name
Decode: List of user IDs separated by the tilde character (~)
Section 2.3.1.3, "Setting Up the Lookup.PSFT.UM.ExclusionList Lookup Definition" describes the procedure to add entries in this lookup definition.
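The tilde-separated Decode formats used by these lookup definitions (the five-element NODE~PARENT NODE~TYPE NODE=Value~EFFECTIVE DATED NODE~PRIMARY syntax of Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping, the User Profile illegal Characters list in Lookup.PSFT.Configuration, and the Lookup.PSFT.UM.ExclusionList value) can be parsed and applied as shown below. This is an added example, not connector code: the exclusion-list value and the user IDs it checks are constructed, and matching the illegal-character entries case-sensitively is an assumption the guide does not state.

```python
"""Parse the tilde-separated Decode values of the PeopleSoft UM connector
lookups and apply them to provisioning input (added example, not connector
code).  Lookup values are copied from the guide; the exclusion-list value
and the tested user IDs are constructed samples."""
from typing import List, NamedTuple, Optional

TILDE = "~"

# Lookup.PSFT.Configuration, Code Key "User Profile illegal Characters"
ILLEGAL_DECODE = r",~;~ ~:~&~(~)~\~[~]~/~PPLSOFT"
# Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping, Code Key "User ID"
DELETE_USERID_DECODE = "OPRID~PRG_USR_PROFILE~None~None~PRIMARY"
# Lookup.PSFT.UM.ExclusionList, Code Key "User ID" (constructed sample)
EXCLUSION_DECODE = "PS~VP1~PSADMIN"


def split_decode(decode: str) -> List[str]:
    """Split a Decode value on the tilde separator.  Blank-looking tokens
    are kept on purpose: the illegal-character list contains a space."""
    return decode.split(TILDE)


class AttrMapping(NamedTuple):
    node: str
    parent_node: str
    type_node: Optional[str]      # name part of "TYPE NODE=Value", or None
    type_value: Optional[str]     # value part of "TYPE NODE=Value", or None
    eff_dated_node: Optional[str]
    primary: bool


def parse_attribute_mapping(decode: str) -> AttrMapping:
    """Parse NODE~PARENT NODE~TYPE NODE=Value~EFFECTIVE DATED NODE~PRIMARY.
    The literal 'None' marks an element that is not used."""
    parts = split_decode(decode)
    if len(parts) != 5:
        raise ValueError(f"expected 5 tilde-separated elements, got {len(parts)}")
    node, parent, type_spec, eff_dated, primary = parts
    type_node = type_value = None
    if type_spec != "None":
        if "=" not in type_spec:
            raise ValueError("TYPE NODE element must be 'NAME=Value' or 'None'")
        type_node, type_value = type_spec.split("=", 1)
    return AttrMapping(node, parent, type_node, type_value,
                       None if eff_dated == "None" else eff_dated,
                       primary == "PRIMARY")


def illegal_tokens(value: str, decode: str = ILLEGAL_DECODE) -> List[str]:
    """Return every entry of the illegal-character list found in value.
    Multi-character entries such as PPLSOFT are matched as substrings;
    the match is case-sensitive (assumption, see lead-in)."""
    return [tok for tok in split_decode(decode) if tok and tok in value]


def is_excluded(user_id: str, decode: str = EXCLUSION_DECODE) -> bool:
    """True if user_id appears in the exclusion lookup (exact match), i.e.
    the connector should neither reconcile nor provision this account."""
    return user_id in split_decode(decode)


if __name__ == "__main__":
    print(parse_attribute_mapping(DELETE_USERID_DECODE))
    print(illegal_tokens("JSMITH;PPLSOFT"))   # constructed input
    print(is_excluded("PSADMIN"))
```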
The Lookup.PSFT.UM.AttrMap.IDTypes lookup definition maps the process form fields with target system attributes. The mapping is as follows:
Code Key: Name of process form fields
Decode: ID Type ~ Attribute Name where tilde (~) is used as a separator between the ID type and the attribute name
The format that you must use is as follows:
FORM Column Name=IDType~AttributeName
Section 4.4, "Adding New ID Types for Provisioning" describes the procedure to add ID Types.
The Lookup.PSFT.UM.AttrMap.IDTypes lookup definition has the following entries:
Code Key | Decode |
---|---|
UD_PSFT_BAS_EMPLID | EMP~EMPLID |
UD_PSFT_BAS_CUSTSETID | CST~SetID#1 |
UD_PSFT_BAS_CUSTID | CST~Customer ID#2 |
UD_PSFT_BAS_VNDSETID | VND~SetID#1 |
UD_PSFT_BAS_VNDID | VND~Vendor ID#2 |
Target resource reconciliation involves fetching the data of newly created or modified users on the target system and using this data to add or modify resources assigned to OIM Users.
See Also: "Target Resource Reconciliation" in Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation |
This section discusses the following topics:
Table 1-3 lists the target system attributes whose values are fetched during a target resource reconciliation run.
Table 1-3 Attributes Used for Reconciliation
Resource Object Field | Target System Attribute | Description |
---|---|---|
Single-Valued Fields | | |
User Id | PSOPRDEFN.OPRID | Login ID of the user profile. This is a mandatory field. |
Employee Id | PSOPRDEFN.EMPLID | Employee ID of the employee linked with the User Profile |
User Description | PSOPRDEFN.OPRDEFNDESC | Description of the user profile |
Multi Language Code | PSOPRDEFN.MULTILANG | Multilanguage code |
Language Code | PSOPRDEFN.LANGUAGE_CD | Language code |
Currency Code | PSOPRDEFN.CURRENCY_CD | Currency code |
User Id Alias | PSOPRDEFN.USERIDALIAS | Alias of user login ID |
Row Security Permission List | PSOPRDEFN.ROWSECCLASS | Row security parameter |
Process Profile Permission List | PSOPRDEFN.PRCSPRFLCLS | Process profile parameter |
Navigator Home Permission List | PSOPRDEFN.DEFAULTNAVHP | Navigator home page address |
Primary Permission List | PSOPRDEFN.OPRCLASS | Primary permission list |
Primary Email Address | PSUSEREMAIL.EMAILID | E-mail address (primary e-mail account) |
Primary Email Type | PSUSEREMAIL.EMAILTYPE | Email type (primary e-mail account) |
Multivalued Fields | | |
RoleName | PSROLEUSER_VW.ROLENAME | The role name that is assigned to the user profile |
Email Address, Email Type. Note: To specify the e-mail address for an account, you must also specify the e-mail type of that e-mail address. | PSUSEREMAIL.EMAILID, PSUSEREMAIL.EMAILTYPE | E-mail address, e-mail type |
User Profile Type. Note: PeopleSoft stores values corresponding to a User Profile Type, such as Employee ID, Customer ID, and Vendor ID in the | PSOPRALIAS.OPRALIASTYPE | A User Profile can be attached to several User Profile Types, such as Employee (EMP), Customer (CST), and Vendor (VND) |
The following sections provide information about the reconciliation rules for this connector:
The following reconciliation rule is used for target resource reconciliation:
Rule Name: PSFT UM Target Recon Rule
Rule Element: User Login Equals User ID
In this rule:
User Login represents the User ID field on the OIM User form.
User ID represents the OPRID field of the user on the target system.
After you deploy the connector, you can view the reconciliation rule by performing the following steps:
Note: Perform the following procedure only after the connector is deployed. |
Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for and open PSFT UM Target Recon Rule. Figure 1-4 shows this reconciliation rule.
See Also: Oracle Identity Manager Design Console Guide for information about modifying reconciliation rules |
Applying the matching rule to a reconciliation event results in one of several possible outcomes. The reconciliation action rules define the action to be taken for each of these outcomes.
Note: For any rule condition that is not predefined for this connector, no action is performed and no error message is logged. |
The following sections provide information about the reconciliation action rules for this connector:
Section 1.6.3.1, "Overview of the Reconciliation Action Rules"
Section 1.6.3.2, "Viewing the Reconciliation Action Rules in the Design Console"
Table 1-4 lists the reconciliation action rules for this connector.
After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:
Note: Perform the following procedure only after the connector is deployed. |
Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the Peoplesoft User resource object.
Click the Object Reconciliation tab and then the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.
Figure 1-5 shows these reconciliation action rules.
See Also: Oracle Identity Manager Design Console Guide for information about modifying reconciliation action rules |
Provisioning involves creating, modifying, or deleting a user's account information on the target system through Oracle Identity Manager.
See Also: "Deployment Configurations of Oracle Identity Manager" in Oracle Identity Manager Connector Concepts for conceptual information about provisioning |
This section discusses the following topics:
Table 1-5 lists the supported user provisioning functions and the adapters that perform these functions. Each function listed in the table corresponds to either a single process task or multiple process tasks.
See Also: Oracle Identity Manager Connector Concepts for generic information about process tasks and adapters |
Table 1-5 User Provisioning Functions Supported by the Connector
Function | Adapter |
---|---|
Create a user | PSFT UM Create User |
Update the password of a user | PSFT UM Update Password |
Update the description of a user | PSFT UM Update User |
Update the multilanguage code of a user | PSFT UM UpdateUser |
Update the primary e-mail address of a user | PSFT UM Update Primary Email |
Update the primary e-mail address type of a user | PSFT UM Update Primary Email |
Update the language code of a user | PSFT UM Update User |
Update the currency code of a user | PSFT UM UpdateUser |
Update the Id type of a user | PSFT UM Update ID Types |
Update the Primary Permission list of a user | PSFT UM UpdateUser |
Update the Process Profile Permission list of a user | PSFT UM UpdateUser |
Update the Navigator Home Permission list of a user | PSFT UM UpdateUser |
Update the Row Security Permission list of a user | PSFT UM UpdateUser |
Update the User Id alias of a user | PSFT UM UpdateUser |
Add a role to a user | PSFT UM Modify User Role |
Delete a role from a user | PSFT UM Modify User Role |
Add an e-mail address to a user | PSFT UM Modify Email Address |
Delete the e-mail address of a user | PSFT UM Modify Email Address |
Unlock a user | PSFT UM Modify Lock Unlock User |
Lock a user | PSFT UM Modify Lock Unlock User |
Delete a user at the target system | PSFT UM Delete User |
Prepopulate the User Id on the process form with the User Id of the OIM User. Note: If the PeopleSoft Employee Reconciliation and the PeopleSoft User Management connectors are deployed on a single Oracle Identity Manager installation, then the User Id field of the OIM User is populated with the value of the Employee ID of the employee reconciled from PeopleSoft. | PSFT UM Prepopulate UserID |
Prepopulate the Employee ID on the process form with the User Id of the OIM User. Note: The Employee ID is used to link a user profile to the employee. | PSFT UM Prepopulate EmployeeID |
Table 1-6 lists the user attributes for which you can specify or modify values during provisioning operations.
Table 1-6 User Attributes for Provisioning
OIM PeopleSoft UM Resources Process Form Field | Target System Attribute | Description | Adapter |
---|---|---|---|
Single-Valued Fields | | | |
User ID | PSOPRDEFN.OPRID | Login Id of the user profile | PSFT UM Create User |
User Description | PSOPRDEFN.OPRDEFNDESC | Description of the user profile | PSFT UM Create User |
Employee ID | PSOPRDEFN.EMPLID | Employee Id of the employee to which the user profile is assigned | PSFT UM Create User |
Symbolic ID | PSOPRDEFN.SYMBOLICID | Symbolic ID of the target system | PSFT UM Create User |
Multi Language Code | PSOPRDEFN.MULTILANG | Multilanguage code | PSFT UM Create User |
Language Code | PSOPRDEFN.LANGUAGE_CD | Language code | PSFT UM Create User |
Currency Code | PSOPRDEFN.CURRENCY_CD | Currency code | PSFT UM Create User |
User Id Alias | PSOPRDEFN.USERIDALIAS | Alias of user login Id | PSFT UM Create User |
Row Security Permission List | PSOPRDEFN.ROWSECCLASS | Row security parameter | PSFT UM Create User |
Process Profile Permission List | PSOPRDEFN.PRCSPRFLCLS | Process profile parameter | PSFT UM Create User |
Navigator Home Permission List | PSOPRDEFN.DEFAULTNAVHP | Navigator home page address | PSFT UM Create User |
Primary Permission List | PSOPRDEFN.OPRCLASS | Primary permission list | PSFT UM Create User |
Primary Email Address | PSUSEREMAIL.EMAILID | E-mail address (primary e-mail account) | PSFT UM Create User |
Primary Email Type | PSUSEREMAIL.EMAILTYPE | E-mail type (primary e-mail account) | PSFT UM Create User |
Customer ID | PSOPRALIAS.CUST_ID | Customer ID. Note: A user profile can be attached to several ID Types, such as None (NON), Employee (EMP), Customer (CST), and Vendor (VND). | PSFT UM Create User |
Customer Set ID | PSOPRALIAS.SETID | Customer's SetID | PSFT UM Create User |
Vendor ID | PSOPRALIAS.VENDOR_ID | Vendor ID | PSFT UM Create User |
Vendor Set ID | PSOPRALIAS.SETID | Vendor's Set ID | PSFT UM Create User |
Multivalued Fields | | | |
Role Name | PSROLEUSER_VW.ROLENAME | The role name that is assigned to the user profile | PSFT UM Modify User Role |
Email Address | PSUSEREMAIL.EMAILID | E-mail address (e-mail account) | PSFT UM Modify Email Address |
Email Type | PSUSEREMAIL.EMAILTYPE | Email type (e-mail account) | PSFT UM Modify Email Address |
Note: The name of the process form in the first column of the preceding table is UD_PSFT_BAS. |
The following shows how information is organized in the rest of the guide:
Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to configure reconciliation runs.
Chapter 4, "Extending the Functionality of the Connector" describes procedures that you can perform to extend the functionality of the connector.
Chapter 5, "Testing and Troubleshooting" describes the procedure to use the connector testing utility for testing the connector.
Chapter 6, "Known Issues" lists known issues associated with this release of the connector.