Oracle® Identity Manager Connector Guide for SAP CUA
Release 9.1.0
E11209-02
3 Using the Connector

After you deploy the connector, you must first reconcile all existing user data from the target system into Oracle Identity Manager. To achieve this:

  1. Configure and run the scheduled task for lookup field synchronization.

  2. Run the scheduled task for user reconciliation. Full reconciliation is performed, because you are running this scheduled task for the first time. In other words, all existing user data is fetched from the target system into Oracle Identity Manager.

After you perform these two steps, the integration between Oracle Identity Manager and the target system is ready for provisioning operations and reconciliation runs.

This chapter is divided into the following sections:


Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Scheduled Task for Lookup Field Synchronization

The SAP CUA Lookup Recon scheduled task is used for lookup field synchronization.


Note:

The procedure to configure this scheduled task is described later in the guide.

Table 3-1 describes the attributes of this scheduled task. The procedure to configure scheduled tasks is described in Section 3.3, "Configuring Scheduled Tasks".

Table 3-1 Attributes of the SAP CUA Lookup Recon Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource for setting up the connection to the target system.

Default value: SAP CUA IT Resource

Lookup Mapping

This attribute holds the name of the lookup definition that stores mappings between names of lookup definitions to be synchronized and the corresponding BAPI details.

Value: Lookup.SAP.CUA.Lookupfields

Note: You must not change the default value of this lookup definition.


3.2 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.2.1 Full Reconciliation vs. Incremental Reconciliation

The TimeStamp IT resource parameter stores the time stamp at which a reconciliation run begins.

During a reconciliation run, the scheduled task fetches only target system records that are added or modified after the time stamp stored in the parameter for target resource reconciliation. This is incremental reconciliation. If you set the parameter to 0, then full reconciliation is performed. In full reconciliation, all existing target system records are fetched into Oracle Identity Manager for reconciliation.

As mentioned earlier in this chapter, you can switch from incremental to full reconciliation at any time.

3.2.2 Limited Reconciliation vs. Regular Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

For this connector, you create a filter by specifying values for the CustomizedReconQuery parameter while configuring the IT resource.

The following table lists the SAP CUA attributes, and the corresponding Oracle Identity Manager attributes, that you can use to build the query condition. You specify this query condition as the value of the CustomizedReconQuery parameter.

Oracle Identity Manager Attribute    SAP CUA Attribute
User ID                              userid
First Name                           firstname
Last Name                            lastname
Language                             langcomm
User Type                            usertype
Department                           department
Functions                            function
Country                              country
User Group                           usergroup
User Profile                         userprofile
User Role                            userrole

The following are sample query conditions:

  • firstname=John&lastname=Doe

    With this query condition, records of users whose first name is John and last name is Doe are reconciled.

  • firstname=John&lastname=Doe|usergroup=contractors

    With this query condition, records of users who meet either of the following conditions are reconciled:

    • The user's first name is John and last name is Doe.

    • The user belongs to the contractors user group.

If you do not specify values for the CustomizedReconQuery parameter, then all the records in the target system are compared with existing Oracle Identity Manager records during reconciliation.

The following are guidelines to be followed while specifying a value for the CustomizedReconQuery parameter:

  • For the SAP CUA attributes, you must use the same case (uppercase or lowercase) as given in the table shown earlier in this section. This is because the attribute names are case-sensitive.

  • You must not include unnecessary blank spaces between operators and values in the query condition.

    A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:

    firstname=John&lastname=Doe

    firstname= John&lastname= Doe

    In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.

  • You must not include special characters other than the equal sign (=), ampersand (&), and vertical bar (|) in the query condition.


    Note:

    An exception is thrown if you include special characters other than the equal sign (=), ampersand (&), and vertical bar (|).

You specify a value for the CustomizedReconQuery parameter while configuring the IT resource.
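To make the query rules above concrete, the following is an added Python example; it is not connector code and not part of this guide. It parses a CustomizedReconQuery value and applies it to constructed sample records. It assumes that the ampersand binds tighter than the vertical bar, so a&b|c reads as (a and b) or c, which is how the second sample condition above is described; attribute names are matched case-sensitively against the table in this section, values are compared exactly (so a leading space in the value is significant), and any special character other than =, & and | is rejected.

```python
"""Evaluator for the CustomizedReconQuery filter syntax (added example, not connector code).

Assumptions: '&' binds tighter than '|', values are compared exactly, and the
only special characters permitted are '=', '&' and '|'.
"""
import re

# SAP CUA attribute names usable in the query (table in Section 3.2.2).
# Matching is case-sensitive, so "Firstname" is rejected.
ALLOWED_ATTRIBUTES = {
    "userid", "firstname", "lastname", "langcomm", "usertype", "department",
    "function", "country", "usergroup", "userprofile", "userrole",
}

# Anything other than letters, digits, spaces and the three operators is rejected,
# mirroring the guide's "an exception is thrown" rule.
_FORBIDDEN = re.compile(r"[^A-Za-z0-9 =&|]")


class ReconQueryError(ValueError):
    """Raised for a query the reconciliation engine would reject."""


def parse_query(query):
    """Return a list of AND-groups; each group is a list of (attribute, value) terms.

    An empty query means "no filter": every target system record is reconciled.
    """
    if query == "":
        return []
    if _FORBIDDEN.search(query):
        raise ReconQueryError("only '=', '&' and '|' are allowed as special characters")
    groups = []
    for disjunct in query.split("|"):          # '|' = OR between groups
        terms = []
        for term in disjunct.split("&"):       # '&' = AND inside a group
            if term.count("=") != 1:
                raise ReconQueryError(f"each term must be attribute=value, got {term!r}")
            attr, value = term.split("=")
            if attr not in ALLOWED_ATTRIBUTES:
                raise ReconQueryError(f"unknown or wrongly cased attribute {attr!r}")
            # The value is kept verbatim: "firstname= John" looks for " John".
            terms.append((attr, value))
        groups.append(terms)
    return groups


def is_valid_query(query):
    """True if the query parses, False if the engine would throw an exception."""
    try:
        parse_query(query)
        return True
    except ReconQueryError:
        return False


def matches(record, groups):
    """A record matches if all terms of at least one AND-group hold."""
    if not groups:
        return True
    return any(all(record.get(attr) == value for attr, value in group) for group in groups)


def select_records(records, query):
    """Return the user IDs of the records that a reconciliation run would fetch."""
    groups = parse_query(query)
    return [r["userid"] for r in records if matches(r, groups)]


# Constructed sample records; not real target system data.
SAMPLE_RECORDS = [
    {"userid": "JDOE",   "firstname": "John",  "lastname": "Doe",   "usergroup": "staff"},
    {"userid": "JSMITH", "firstname": "John",  "lastname": "Smith", "usergroup": "staff"},
    {"userid": "ACONTR", "firstname": "Alice", "lastname": "Contr", "usergroup": "contractors"},
]

if __name__ == "__main__":
    for q in ("firstname=John&lastname=Doe",
              "firstname=John&lastname=Doe|usergroup=contractors",
              "firstname= John&lastname= Doe",
              ""):
        print(f"{q!r:55} -> {select_records(SAMPLE_RECORDS, q)}")
```

The third query in the usage block returns no records because the values carry a leading space, which is the effect the guideline about blank spaces warns about; a query containing a character such as a semicolon makes `is_valid_query` return False instead of silently matching nothing.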

3.2.3 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, you must specify values for the following user reconciliation scheduled task attributes:

  • StartRecord: Use this attribute to specify the record number from which batched reconciliation must begin.

  • BatchSize: Use this attribute to specify the number of records that must be included in each batch.

  • NumberOfBatches: Use this attribute to specify the total number of batches that must be reconciled. If you do not want to use batched reconciliation, specify All Available as the value of this attribute.


    Note:

    If you specify All Available as the value of this attribute, then the values of the StartRecord and BatchSize attributes are ignored.

You specify values for these attributes by following the instructions described in Section 3.2.4, "Reconciliation Scheduled Tasks".

After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then refer to the log file for information about the batch at which reconciliation has failed.
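The following added Python example (not connector code, and not from this guide) models the two record-selection steps described in Section 3.2.1 and in this section: the TimeStamp parameter selects either all records (value 0) or only records changed after the stored time stamp, and StartRecord, BatchSize and NumberOfBatches then cut that set into batches, with All Available disabling batching so that StartRecord and BatchSize are ignored. It assumes that StartRecord is 1-based, that records carry a numeric change time, that a failed batch is reported by its batch number so the run can be restarted from the corresponding StartRecord, and that the time stamp is only advanced (to the time the run began, as the guide describes) when every batch succeeds.

```python
"""Record selection for a reconciliation run (added example, not connector code).

Assumptions: StartRecord is 1-based, records carry a numeric 'changed' time,
a failing batch is reported by number, and the time stamp is advanced only
when the whole run succeeds.
"""
ALL_AVAILABLE = "All Available"


def incremental_slice(records, timestamp):
    """Full reconciliation when timestamp == 0, otherwise only records changed after it."""
    if timestamp == 0:
        return list(records)
    return [r for r in records if r["changed"] > timestamp]


def batch_windows(total, start_record, batch_size, number_of_batches):
    """Return 0-based (first, last_exclusive) index pairs, one per batch."""
    if number_of_batches == ALL_AVAILABLE:
        # StartRecord and BatchSize are ignored: one batch with everything.
        return [(0, total)] if total else []
    if not isinstance(number_of_batches, int):
        raise ValueError('NumberOfBatches must be an integer or "All Available"')
    if min(start_record, batch_size, number_of_batches) < 1:
        raise ValueError("StartRecord, BatchSize and NumberOfBatches must be >= 1")
    windows = []
    first = start_record - 1
    for _ in range(number_of_batches):
        if first >= total:
            break                      # fewer records than requested batches
        last = min(first + batch_size, total)
        windows.append((first, last))
        first = last
    return windows


def run_reconciliation(records, timestamp, run_started_at, start_record,
                       batch_size, number_of_batches, process_batch):
    """Return (reconciled_user_ids, failed_batch_number, new_timestamp).

    failed_batch_number is None when every batch succeeded. On failure the
    time stamp is left unchanged so a rerun sees the same candidate records;
    the operator restarts with StartRecord set to the first record of the
    failed batch (the number logged here).
    """
    candidates = incremental_slice(records, timestamp)
    reconciled = []
    windows = batch_windows(len(candidates), start_record, batch_size, number_of_batches)
    for batch_number, (first, last) in enumerate(windows, start=1):
        batch = candidates[first:last]
        try:
            process_batch(batch)
        except Exception as exc:  # noqa: BLE001 - any connector error ends the run
            print(f"reconciliation failed in batch {batch_number} "
                  f"(records {first + 1}-{last}): {exc}")
            return reconciled, batch_number, timestamp
        reconciled.extend(r["userid"] for r in batch)
    return reconciled, None, run_started_at


# Constructed sample records (change times are arbitrary integers, not real data).
SAMPLE_RECORDS = [
    {"userid": "U001", "changed": 100},
    {"userid": "U002", "changed": 200},
    {"userid": "U003", "changed": 300},
    {"userid": "U004", "changed": 400},
    {"userid": "U005", "changed": 500},
]


def failing_on_u004(batch):
    """Constructed batch processor that simulates a broken connection on U004."""
    if any(r["userid"] == "U004" for r in batch):
        raise ConnectionError("connection to target system lost")


if __name__ == "__main__":
    # Full run with BatchSize 2, NumberOfBatches 50: fails in batch 2.
    print(run_reconciliation(SAMPLE_RECORDS, 0, 600, 1, 2, 50, failing_on_u004))
    # Resume from StartRecord 3 with a processor that succeeds.
    print(run_reconciliation(SAMPLE_RECORDS, 0, 600, 3, 2, 50, lambda b: None))
    # Incremental run after time stamp 250, no batching.
    print(run_reconciliation(SAMPLE_RECORDS, 250, 600, 1, 2, ALL_AVAILABLE, lambda b: None))
```

The first call in the usage block reconciles U001 and U002 and then reports batch 2 as failed, which is the information the guide says to look for in the log file; rerunning with StartRecord 3 picks up exactly the records that were not yet reconciled.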

3.2.4 Reconciliation Scheduled Tasks

The SAPCUA Target Resource Recon scheduled task is used to reconcile user data.


Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.


Attribute Description
Organization Default organization assigned to a new user

Default value: Xellerate Users

Role Default role assigned to a new user

Default value: Consultant

Xellerate Type Default type assigned to a new user

Default value: End-user administrator

ITResource Name of the IT resource for setting up the connection to SAP CUA

Default value: SAP CUA

ResourceObject Name of the target resource object into which users need to be reconciled

Default value: SAP CUA Resource Object

Server Name of the server

This is an optional parameter.

Sample value: CUA

StartRecord The start record for the batching process

This attribute is also discussed in Section 3.2.3, "Batched Reconciliation".

Default value: 1

BatchSize The number of records that must be there in a batch

This attribute is also discussed in Section 3.2.3, "Batched Reconciliation".

Default value: 3

NumberOfBatches The number of batches that must be reconciled

This attribute is also discussed in Section 3.2.3, "Batched Reconciliation".

Default value: All Available (for reconciling all the users)

Sample value: 50

ReconTimeStamp Name of the IT resource parameter value used to store the reconciliation time stamp.

Default value: TimeStamp

CustomizedReconQuery Query condition on which reconciliation must be based.

If you specify a query condition for this parameter, then the target system records are searched based on the query condition.

If you want to reconcile all the target system records, then do not specify a value for this parameter.

The query can be composed with the AND (&) and OR (|) logical operators. For more information about this parameter, see Section 3.2.2, "Limited Reconciliation vs. Regular Reconciliation".

ReconLookupTable Do not modify the value of this parameter. It will be removed in a future release.

3.3 Configuring Scheduled Tasks

This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.

Table 3-2 lists the scheduled tasks that you must configure.

Table 3-2 Scheduled Tasks for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

SAP CUA Lookup Recon

This scheduled task is used for lookup field synchronization.

SAPCUA Target Resource Recon

This scheduled task is used for user data reconciliation.


To configure a scheduled task:

  1. Log in to the Administrative and User Console.

  2. Expand Resource Management.

  3. Click Manage Scheduled Task.

  4. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

    The following screenshot shows the Scheduled Task Management page:

    Scheduled Task Management page
  5. In the search results table, click the edit icon in the Edit column for the scheduled task. The following screenshot shows the Scheduled Task Details page.

  6. On the Edit Scheduled Task Details page, you can modify the following details of the scheduled task by clicking Edit:

    • Status: Specify whether or not you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

    • Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.

    • Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

    • Frequency: Specify the frequency at which you want the task to run.

    When you click Edit, the Edit Scheduled Task page is displayed.

  7. After modifying the values for the scheduled task details listed in the previous step, click Continue.

  8. Specify values for the attributes of the scheduled task. To do so, select each attribute from the Attribute list, specify a value in the field provided, and then click Update.


    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.


    The attributes of the scheduled task that you select for modification are displayed on this page.

  9. Click Save Changes to commit all the changes to the database.


Note:

If you want to stop a scheduled task while it is running, then use the Stop Execution feature of the Design Console. See the "The Task Scheduler Form" section in Oracle Identity Manager Design Console Guide for information about this feature.

3.4 Provisioning Operations Performed in an SoD-Enabled Environment

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a SAP CUA account for the user. The following are types of provisioning operations:


See Also:

Oracle Identity Manager Connector Concepts for information about the types of provisioning

This section discusses the following topics:

3.4.1 Overview of the Provisioning Process in an SoD-Enabled Environment

The following is the sequence of steps that takes place during a provisioning operation performed in an SoD-enabled environment:

  1. The provisioning operation triggers the appropriate adapter.

  2. The user runs the scheduled task (either Resubmit Uninitiated Provisioning SOD Checks or Resubmit Uninitiated Approval SOD Checks).

  3. The scheduled task passes the entitlement data to the Web service of SAP GRC.

  4. After SAP GRC runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Manager.

  5. The status of the process task that received the response depends on the response itself. If the entitlement data clears the SoD validation process, then the adapter carries provisioning data to the corresponding BAPI on the target system and the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns the failure response, then the status of the process task changes to Canceled.
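The following added Python example is neither connector nor SAP GRC code; it encodes two rules stated in this chapter so that the outcome of a request can be reasoned about before it is submitted. The first is the master/child rule from the note in Section 3.4.2: a pair of conflicting roles is an SoD violation only when both roles are assigned in the same system. The second is the status sequence above: while the SoD check status is anything other than SoDCheckCompleted, the SODChecker and Holder tasks stay Pending; once it is completed, they become Completed and the Add User Role tasks become Completed or Canceled depending on whether a violation was found. The conflicting role pairs and role names are constructed sample data, and the local check is an illustration of the rule, not a substitute for the SAP GRC validation.

```python
"""SoD outcome model for an SoD-enabled provisioning operation (added example,
not connector or SAP GRC code). Role names and conflict pairs are constructed."""
from itertools import combinations

# SoD Check Status values shown on the process form (Section 3.4.2).
SOD_NOT_INITIATED = "SoDCheckNotInitiated"
SOD_RESULT_PENDING = "SoDCheckResultPending"
SOD_COMPLETED = "SoDCheckCompleted"

# Constructed conflicting role pairs; a real deployment takes these from SAP GRC policies.
CONFLICT_PAIRS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
    frozenset({"HR_HIRE", "HR_PAYROLL_RUN"}),
}


def find_violations(assignments, conflict_pairs=CONFLICT_PAIRS):
    """assignments: list of (role, system) tuples, system being the CUA master or a child.

    Returns (role_a, role_b, system) for every conflicting pair assigned in the
    same system. A pair split across master and child is not a violation.
    """
    violations = []
    for (role_a, sys_a), (role_b, sys_b) in combinations(assignments, 2):
        if sys_a == sys_b and frozenset({role_a, role_b}) in conflict_pairs:
            violations.append((role_a, role_b, sys_a))
    return violations


def process_task_statuses(sod_status, violations):
    """Mirror the process task states described in Sections 3.4.1 and 3.4.2."""
    if sod_status != SOD_COMPLETED:
        # Holder and SODChecker wait until the SoD engine returns a result.
        return {"SODChecker": "Pending", "Holder": "Pending"}
    add_user_role = "Canceled" if violations else "Completed"
    return {"SODChecker": "Completed", "Holder": "Completed", "Add User Role": add_user_role}


def sod_check_violation_field(violations):
    """Value a process form would show: 'Passed' or the violation details."""
    if not violations:
        return "Passed"
    return "; ".join(f"{a} conflicts with {b} in {system}" for a, b, system in violations)


if __name__ == "__main__":
    same_system = [("AP_INVOICE_ENTRY", "MASTER"), ("AP_PAYMENT_RELEASE", "MASTER")]
    split_systems = [("AP_INVOICE_ENTRY", "MASTER"), ("AP_PAYMENT_RELEASE", "CHILD01")]
    for assignments in (same_system, split_systems):
        found = find_violations(assignments)
        print(assignments, "->", sod_check_violation_field(found),
              process_task_statuses(SOD_COMPLETED, found))
```

Run as a script, the first assignment set reports a violation and Canceled Add User Role tasks, which is the situation shown in step 17 of the direct provisioning procedure; the second set passes because the two roles are in different systems.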

3.4.2 Direct Provisioning in an SoD-Enabled Environment

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. From the Users menu, select Create if you want to first create an OIM User and then provision a target system account to that user, or select Manage if you want to provision a target system account to an existing OIM User.

  3. If you select Create, on the Create User page, enter values for the OIM User fields and then click Create User. The following screenshot shows the Create User page:

    The Create User page
  4. If you select Manage, then search for the OIM User and select the link for the user from the list of users displayed in the search results.

  5. On the User Detail page, select Resource Profile from the list at the top of the page. The following screenshot shows the User Detail page:

    The User Detail page
  6. On the Resource Profile page, click Provision New Resource. The following screenshot shows the Resource Profile page:

    The Resource Profile page
  7. On the Step 1: Select a Resource page, select SAP CUA Resource Object from the list and then click Continue. The following screenshot shows the Step 1: Select a Resource page:

    The Step 1: Select a Resource page
  8. On the Step 2: Verify Resource Selection page, click Continue. The following screenshot shows the Step 2: Verify Resource Selection page:

    The Step 2: Verify Resource Selection page
  9. On the Step 5: Provide Process Data page for process data, enter the details of the account that you want to create on the target system and then click Continue. If you are setting values for the Terminal Services Profile fields, then you must select the Remote Manager IT resource. The following screenshot shows the user details added:

    The user details
  10. On the Step 5: Provide Process Data page for profile data, search for and select profiles for the user on the target system and then click Continue. The following screenshot shows this page:

    The Step 5: Provide Process Data page
  11. On the Step 5: Provide Process Data page for role data, search for and select roles for the user on the target system and then click Continue. The following screenshot shows this page:


    Note:

    If two conflicting roles are both assigned to a user in the same system (master or child), then it is an SoD violation. If one of a pair of conflicting roles is assigned in the master system and the other role is assigned in the child system, then it is not considered to be an SoD violation.

    The Step 5: Provide Process Data page
  12. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue. The following screenshot shows Step 6: Verify Process Data page:

    The Step 6: Verify Process Data page
  13. The "Provisioning has been initiated" message is displayed. Click Back to User Resource Profile. The Resource Profile page shows that the resource has been provisioned to the user:

    The Resource Profile page
  14. If you click the View link in the Process Form column, then the process form is displayed. The following screenshot shows this page:

    The process form

    In this screenshot, the SOD Check Status field shows SODCheckNotInitiated. The value in this field can be SoDCheckNotInitiated, SoDCheckResultPending, or SoDCheckCompleted.

  15. If you click the resource, then the Resource Provisioning Details page is displayed. The following screenshot shows this page:

    the Resource Provisioning Details page

    This page shows the details of the process tasks that were run. The Holder and SODChecker tasks are in the Pending state. These tasks will change state after the status of the SoD check is returned from the SoD engine. The Add User Role tasks correspond to the two roles selected for assignment to this user.

  16. The SODCheckNotInitiated status in the SOD Check Status field indicates that SoD validation has not started. To start SoD validation, you must run the Resubmit Uninitiated Provisioning SOD Checks scheduled task.


    Note:

    SoD validation by SAP GRC is synchronous. The validation process returns a result as soon as it is completed. However, if the requested entitlement throws a large number of violations in policies defined on SAP GRC, then the process might take a long time to complete. If that happens, then Oracle Identity Manager might time out. The Resubmit Uninitiated Provisioning SOD Checks scheduled task has been introduced to circumvent this issue.

    The following screenshot shows the Resubmit Uninitiated Provisioning SOD Checks scheduled task:

    Resubmit Uninitiated Provisioning SOD Checks scheduled task
  17. After the Resubmit Uninitiated Provisioning SOD Checks scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. If you click the View link in the Process Form column, then the process form is displayed. The following screenshot shows this page:

    In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because the SoD engine detected a violation in this particular example, the SoD Check Violation field shows the details of the violation.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    The following screenshot shows this page:

    The Resource Provisioning Details page

    In this screenshot, the status of the Add User Role tasks is Canceled because the request failed the SoD validation process.

  18. As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, first click the Edit link in the Process Form column on the Resource Profile page.

  19. In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.


    Note:

    To modify a set of entitlements in the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.

    In the following screenshot, one of the roles selected earlier has been removed:

    The Edit Form window
  20. Rerun the Resubmit Uninitiated Provisioning SOD Checks scheduled task to initiate the SoD validation process.

  21. After the Resubmit Uninitiated Provisioning SOD Checks scheduled task is run, the results of the SoD validation process are brought to Oracle Identity Manager. If you click the View link in the Process Form column, then the process form is displayed. The following screenshot shows this page:

    The process form

    In this screenshot, the SOD Check Status field shows SoDCheckCompleted. Because the SoD engine does not detect any violation, the SoD Check Violation field shows Passed.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    The following screenshot shows this page:

    The Resource Provisioning Details page

    On the Resource Provisioning Details page, the state of the Add User Role task is Completed.

3.4.3 Request-Based Provisioning in an SoD-Enabled Environment

The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.

In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.

End-User's Role in Request-Based Provisioning

The following are types of request-based provisioning:

Request-based provisioning of accounts: OIM Users are created but not provisioned target system resources when they are created. Instead, the users themselves raise requests for provisioning accounts.

Request-based provisioning of entitlements: OIM Users who have been provisioned target system resources (either through direct or request-based provisioning) raise requests for provisioning entitlements.

The end user in a request-based provisioning operation performs the following steps:


Note:

The procedure is almost the same for request-based provisioning of both accounts and entitlements. Differences have been called out in the following sequence of steps.

  1. Log in to the Administrative and User Console.

  2. Expand My Resources, and then click Request New Resources.

  3. On the Step 1: Provide resources page, use the Add button to move one of the following:

    • SAP CUA Resource Object, if you want to create a request for a target system account

    • SAP CUA Roles and SAP CUA Profiles, if you want to create a request for an entitlement on the target system

    The following screenshot shows the SAP CUA resource object selected:

    The SAP CUA resource object
  4. On the Step 2: Provide resource data page, click Continue.

    The following screenshot shows this page:

    The Step 2: Provide resource data page
  5. On the second Step 2: Provide resource data page, select the IT resource corresponding to the target system installation on which you want the account, and enter values for the other attributes.

    The following screenshot shows this page:

    Attribute values
  6. On the third Step 2: Provide resource data page, select the entitlements that you want to request.

    The following screenshot shows two roles selected on this page:

  7. On the Step 3: Verify information page, review the information that you have provided and then submit the request.

    The following screenshot shows this page:

  8. If you click Submit Now, then the Request Submitted page shows the request ID.

    The following screenshot shows this page:

  9. If you click the request ID, then the Request Details page is displayed.

    The following screenshot shows this page:


    The SOD Status field shows SODCheckNotInitiated. The value in this field can be SoDCheckNotInitiated, SoDCheckResultPending, or SoDCheckCompleted.

  10. To view details of the approval, select Approval Tasks from the list at the top of the page. The Approval Tasks page is displayed. The following screenshot shows this page:


    On this page, the status of the SODChecker task is Pending.

  11. To initiate SoD validation of pending entitlement requests, an administrator must run the Resubmit Uninitiated Approval SOD Checks scheduled task.

  12. After the Resubmit Uninitiated Approval SOD Checks scheduled task is run, on the Approvals Task page, the status of the SODChecker task is Completed and the Approval task status is Pending. This page also shows details of the administrator who must now approve the request.

    The following screenshot shows the Approvals Task page after the request passes the SoD validation process:


Approver's Role in Request-Based Provisioning

This section discusses the role of the approver in a request-based provisioning operation.

The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.


In addition, the approver can click the View link to view details of the SoD validation process.

The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request.

The following are steps that the approver can perform:

  1. As the approver, to edit and approve a request, click the Edit link.

  2. In the Edit Form window, select the entitlement request data that you want to modify from the list at the top of the window and then make the required change. In the following screenshot, one of the roles that the requester had included in the request has been removed:

  3. Close the Edit Form window, select the check box for the task that you want to approve, and then click Approve.

  4. On the Confirmation page, click Confirm.

    The following screenshot shows this page:

  5. On the Request Details page, the SOD Status column shows SODCheckCompleted.

    If you search for and open the requester's profile, the SAP CUA resource object is shown in the Provisioned state. This is shown in the following screenshot:
