Oracle® Identity Manager Connector Guide for Database User Management Release 9.1.0 E11193-04 |
|
Previous |
Next |
This appendix discusses the following topics:
This section provides information about the following lookup definitions:
Appendix A, "Lookup.DBUM.DB2.TargetRecon.Schema.Configuration"
Appendix A, "Lookup.DBUM.DB2.TargetRecon.Schema.QueryFilter"
Appendix A, "Lookup.DBUM.DB2.TargetRecon.Tablespace.Configuration"
Appendix A, "Lookup.DBUM.DB2.TargetRecon.Tablespace.Mapping"
Appendix A, "Lookup.DBUM.DB2.TargetRecon.Tablespace.QueryFilter"
The Lookup.DBUM.DB2.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of the existing entries. |
Table A-1 lists the default entries in this lookup definition.
Table A-1 Entries in the Lookup.DBUM.DB2.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Error Mapping Lookup |
See Appendix A, "Lookup.DBUM.DB2.Error.Mapping" for information about this lookup definition. |
|
Parameter Configuration Lookup |
See Appendix A, "Lookup.DBUM.DB2.Parameter.Configuration" for information about this lookup definition. |
|
Provisioning Validation Lookup |
See Appendix A, "Lookup.DBUM.DB2.Provisioning.Validation" for information about this lookup definition. |
|
Query Configuration Lookup |
See Appendix A, "Lookup.DBUM.DB2.Query.Configuration" for information about this lookup definition. |
|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMQueryReconciliationImpl.java |
Name of the class that implements the logic for target resource reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
NODATA |
List of SQL keywords (separated by tilde (~) character) that must not be used in the reconciliation query. The connector does not run a query (used for target resource reconciliation) that contains any of the keywords listed in the Decode column. |
Reserved Words List |
GRANT ~REVOKE ~OF ~ON ~TO ~DATABASE ~TABLESPACE ~SCHEMA ~CREATEIN ~ALTERIN ~DROPIN ~FROM ~USE ~GRANT\t~REVOKE\t~OF\t~ON\t~TO\t~DATABASE\t~TABLESPACE\t~SCHEMA\t~CREATEIN\t~ALTERIN\t~DROPIN\t~FROM\t~USE\t |
List of reserve words that are not supported in the OIM User process form fields during provisioning operations. |
Resource Exclusion Column Key |
UD_DB_DB2_U_USERNAME |
Name of the process form field that is excluded during provisioning operations. |
Resource Exclusion List Lookup |
See Appendix A, "Lookup.DBUM.DB2.ExclusionList" for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
Name of the class that implements the logic for deriving the status of a target system user account. |
SSL Keystore Properties |
NODATA |
If you want to configure secure communication between the target system and Oracle Identity Manager, then enter the SSL keystore details in the following format: javax.net.ssl.trustStore=truststore~javax.net.ssl.trustStorePassword=password |
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Unsupported Special Characters |
NODATA |
Enter the list of special characters that are not supported in the process form fields during provisioning operations. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. |
Use Validation For Provisioning |
No |
Specifies whether you want to enable validation of user attributes during provisioning operations. |
When an error is encountered during a provisioning operation, an error message is displayed on the Administrative and User Console.
The Lookup.DBUM.DB2.Error.Mapping lookup definition maps error codes displayed by the database with error messages to be displayed on the process form in the Administrative and User Console during provisioning operations.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: SQL error code returned by the database
Decode: Corresponding error message to be displayed on the process form
To add or modify entries in this lookup definition, you must enter values in the format specified in the preceding paragraph.
Table A-2 lists the default entries in this lookup definition.
The Lookup.DBUM.DB2.ExclusionList lookup definition holds user attributes of the target system accounts for which you do not want to perform target resource reconciliation and provisioning.
For target system accounts on which you do not want to perform provisioning operations, the following is the format of the Code Key and Decode values:
Code Key: Name of the process form field
Decode: Process form field values separated by the tilde (~) character
For target system accounts that must not be reconciled during a target resource reconciliation run, the following is the format of the Code Key and Decode values:
Code Key: Resource object field name
Decode: Resource object field values separated by the tilde (~) character
Table A-3 lists the default entry in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
The Lookup.DBUM.DB2.Parameter.Configuration lookup definition maps identifiers in a SQL statement or SQL fragment (defined in the Lookup.DBUM.DB2.Query.Configuration lookup definition) with names of the process form fields.
During provisioning operations, the data that you enter on the OIM User form is stored in the corresponding fields of the process form in the Design Console. The fields of the process form are mapped to the identifiers of SQL statements or SQL fragments used for provisioning. In other words, the SQL statements use the data present in the process form to run SQL statements. These SQL statements or SQL fragments are defined in the Lookup.DBUM.DB2.Query.Configuration lookup definition.
See Also: Appendix A, "Lookup.DBUM.DB2.Query.Configuration" for more information about the Lookup.DBUM.DB2.Query.Configuration lookup definition |
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Identifier in a SQL statement or SQL fragment used for provisioning operations
Decode: Combination of the following elements separated by the tilde (~) character:
PF_FIELD_NAME~PF_DATA_TYPE~PARAMETER_TYPE~QUOTE_TYPE~EXCLUDE_VALIDATION~UPPERCASE
Note: The sequence of elements in the Decode value must not be changed. |
In this format:
PF_FIELD_NAME is name of the process form field.
PF_DATA_TYPE is the data type of the process form field.
PARAMETER_TYPE specifies whether the value in the process form field is of type input of output.
If the value in the process form field is used as an input parameter, for example, as an input to a variable in the SQL statement, then use IN. Otherwise, OUT.
QUOTE_TYPE specifies whether the value from the process form field that is passed to the SQL statement must be enclosed in a single quotation mark or double quotation mark. The QUOTE_TYPE element is optional.
If you want the value in the process form field to be enclosed in single quotation marks, then use SINGLE_QUOTE. If you want the value in the process form field to be enclosed in double quotation marks, then use DOUBLE_QUOTE.
EXCLUDE_VALIDATION element is optional. This element is used in the following scenario:
Suppose you specify values for the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.DB2.Configuration lookup definition. During provisioning operations, the connector checks whether the fields on the OIM User form contain any of the values specified in the Reserved Words List or Unsupported Special Characters entries. If such values are found, then no provisioning operations are performed on that record. If you do not want the connector to perform this check on a particular field of the OIM User form, then include EXCLUDE_VALIDATION along with the name of the process form field.
For example, the UD_DB_DB2_T_TABLESPACE~varchar2~IN~EXCLUDE_VALIDATION Decode value specifies that during a particular provisioning operation, the connector does not check whether the Tablespace field contains any of the values specified in the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.DB2.Configuration lookup definition.
UPPERCASE element is an optional element. You use this element if you want to save on the target system the value entered in the process form field in upper case.
If you want to add or modify entries in this lookup definition, then you must enter values in the format specified earlier in this section. Note that changes that you make in the Code Key column of this lookup definition must be duplicated in the Lookup.DBUM.DB2.Query.Configuration lookup definition. This is illustrated by the following example:
Suppose, in Table A-4, if you change the db2_user_name Code Key value to db2_usrname, then in the Lookup.DBUM.DB2.Query.Configuration lookup definition, you must change all occurrences of db2_user_name to db2_usrname.
Table A-4 lists the default entries in this lookup definition.
Table A-4 Entries in the Lookup.DBUM.DB2.Parameter.Configuration Lookup Definition
Code Key | Decode |
---|---|
db2_s_grant_option |
UD_DB_DB2_S_GRANT_OPTION~varchar2~IN~EXCLUDE_VALIDATION |
db2_schema |
UD_DB_DB2_S_SCHEMA~varchar2~IN~EXCLUDE_VALIDATION |
db2_t_grant_option |
UD_DB_DB2_T_GRANT_OPTION~varchar2~IN~EXCLUDE_VALIDATION |
db2_tablespace |
UD_DB_DB2_T_TABLESPACE~varchar2~IN~EXCLUDE_VALIDATION |
db2_user_name |
UD_DB_DB2_U_USERNAME~varchar2~IN |
db2_user_type |
UD_DB_DB2_U_USERTYPE~varchar2~IN~EXCLUDE_VALIDATION |
The Lookup.DBUM.DB2.Provisioning.Validation lookup definition is used to store the mapping between the attribute for which validation has to be applied (during provisioning) and the validation implementation class.
The Lookup.DBUM.DB2.Provisioning.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
As mentioned earlier in this guide, the Database User Management connector uses SQL statements for provisioning operations. These SQL statements are defined in the Lookup.DBUM.DB2.Query.Configuration lookup definition. Depending on the provisioning operations that you are performing, adapters run the appropriate SQL statements on the target system.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the SQL statement or SQL fragment
Decode: Corresponding SQL statement or SQL fragment. The SQL statement is a combination of the following entries:
SQL Keywords
This is a mandatory element. Examples of SQL keywords are GRANT and REVOKE.
Identifiers
This is a mandatory element.
In Table A-5, db2_user_name, db2_user_type, db2_tablespace, and db2_schema are identifiers. The actual values for these identifiers are determined at run time.
Name of the SQL fragment
In Table A-5, WITH_GRANT_OPTION_S and WITH_GRANT_OPTION_T are names of SQL fragments.
For example, in the Decode value of the DB2_ASSIGN_SCHEMA Code Key in Table A-5, it is optional to include WITH_GRANT_OPTION_S in the SQL statement that is used to grant schema to a user account on the target system. The name of the SQL fragment, WITH_GRANT_OPTION_S, has been specified as optional as you may not want to grant to all user accounts on the target system privileges to grant schemas to other users.
Table A-5 lists the default entries in this lookup definition.
If you want to add or modify entries in this lookup definition, then you must enter values in the format specified earlier in this section. Note that changes that you make to identifiers in this lookup definition must be duplicated in the corresponding Code Key value of the Lookup.DBUM.DB2.Parameter.Configuration lookup definition. In addition, you must also duplicate this change in all occurrences of the identifier in this lookup definition.
Table A-5 Entries in the Lookup.DBUM.DB2.Query.Configuration Lookup Definition
Code Key | Decode |
---|---|
DB2_ASSIGN_SCHEMA |
GRANT CREATEIN,DROPIN,ALTERIN ON SCHEMA :db2_schema TO :db2_user_type :db2_user_name~WITH_GRANT_OPTION_S |
DB2_ASSIGN_TABLESPACE |
GRANT USE OF TABLESPACE :db2_tablespace TO :db2_user_type :db2_user_name~WITH_GRANT_OPTION_T |
DB2_CREATE_USER |
GRANT CONNECT,DBADM,CREATETAB,BINDADD,CREATE_NOT_FENCED_ROUTINE,IMPLICIT_SCHEMA,LOAD,CREATE_EXTERNAL_ROUTINE,QUIESCE_CONNECT ON DATABASE TO :db2_user_type :db2_user_name |
DB2_DELETE_USER |
REVOKE CONNECT,DBADM ON DATABASE FROM :db2_user_type :db2_user_name |
DB2_REVOKE_SCHEMA |
REVOKE CREATEIN,DROPIN,ALTERIN ON SCHEMA :db2_schema FROM :db2_user_type :db2_user_name |
DB2_REVOKE_TABLESPACE |
REVOKE USE OF TABLESPACE :db2_tablespace FROM :db2_user_type :db2_user_name |
WITH_GRANT_OPTION_S |
:db2_s_grant_option |
WITH_GRANT_OPTION_T |
:db2_t_grant_option |
DB2_GET_USER |
select GRANTEE from SYSIBM.SYSDBAUTH where GRANTEE=:db2_user_name |
The Lookup.DBUM.DB2.TargetRecon.Delete.Mapping lookup definition maps the resource object attribute with the primary key column name used in the reconciliation query. Note that this resource object attribute is the key field for reconciliation matching.
The Lookup.DBUM.DB2.TargetRecon.Delete.Mapping lookup definition is used during delete user target reconciliation runs.
During a delete user reconciliation run, the resource object attribute that you specify in this lookup definition is used for comparing target system user records with existing target system resource assigned to OIM Users. During this comparison process, if no match is found between the target system user record and the resource provisioned to the OIM User, then the database user resource is revoked from the OIM User.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object attribute, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-6 lists the default entry in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify values of the existing Code Key and Decode values. |
The Lookup.DBUM.DB2.TargetRecon.Mapping lookup definition maps resource object attributes with column names or column name aliases used in the reconciliation query. This lookup definition is used for performing target resource user reconciliation runs.
In this lookup definition, the Code Key contains the reconciliation attribute of the resource object.
For Code Key columns that store single-valued attributes, the Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column names used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the User Name attribute, which is a single-valued attribute on the resource object. The target system contains GRANTEE, which is a column corresponding to the User Name attribute. Therefore, the mapping is as follows:
Code Key: User Name
Decode: GRANTEE
CONSTANT~
CONSTANT_VALUE
In this format, CONSTANT specifies that the data in this column is constant. CONSTANT_VALUE is the value to be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
COLUMN_NAME
~
LOOKUP_NAME
In this format, COLUMN_NAME is the target system column name from which value is fetched. LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the OIM User form field.
You use this format if you want values fetched from the target system to be displayed in a format that is accepted by Oracle Identity Manager.
For example, consider the User Type attribute of the resource object. This is a single valued attribute. The target system contains GRANTEETYPE, which is a column corresponding to the User Type attribute of the resource object. However, we do not map the User Type resource object attribute to the GRANTEETYPE column for the following reason:
The GRANTEETYPE columns stores values such as U and G. Therefore, during reconciliation, this connector fetches a value of U or G from the GRANTEETYPE target system column. A value of U means that the grantee is a user account. A value of G means that the grantee is a group account.
However, the values U or G cannot be displayed in the User Type field of the OIM User form. This is because Oracle Identity Manager accepts only one of the following values as the type of a user account:
User
Group
Therefore, in order to display the status retrieved from the GRANTEETYPE column in a format that is accepted by Oracle Identity Manager, the User Type attribute of the resource object has been mapped to GRANTEETYPE~Lookup.DBUM.DB2.TargetRecon.UserTypeMapping
.
This implies that in the Code Key column of the Lookup.DBUM.DB2.TargetRecon.UserTypeMapping lookup definition, the connector searches for the value that is fetched from the GRANTEETYPE column of the target system. Then, the corresponding Decode value is displayed as the type of the user account in Oracle Identity Manager. This is illustrated by the following example:
Suppose the value fetched from the GRANTEETYPE column for a particular user account on the target system is U. In the Code Key column of the Lookup.DBUM.DB2.TargetRecon.UserTypeMapping lookup definition, the connector searches for the value U. The Decode value of the U Code Key is User. Therefore, in Oracle Identity Manager, the connector displays User as the status of the User Type field.
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
For Code Key columns that store multivalued attributes, the Decode value is specified in the following format:
CHILD~
MULTIVALUED_ATTR_CONFIG_LOOKUP
In this format:
CHILD specifies that the data in this column is the child attribute data
MULTIVALUED_ATTR_CONFIG_LOOKUP is name of the lookup definition that holds configurable entries for the multivalued attribute.
For example, Schema List is a multivalued attribute. The Decode value of the Schema List Code Key value is CHILD~Lookup.DBUM.DB2.TargetRecon.Schema.Configuration
. The Lookup.DBUM.DB2.TargetRecon.Schema.Configuration lookup definition contains configurable entries for the Schema List attribute.
You can add or remove entries in the Lookup.DBUM.DB2.TargetRecon.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for information about adding or modifying entries in this lookup definition.
Table A-7 lists the default entries in this lookup definition.
The Lookup.DBUM.DB2.TargetRecon.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the SQL query for target resource reconciliation.
The Lookup.DBUM.DB2.TargetRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.DB2.TargetRecon.Schema.Configuration lookup definition holds configuration entries related to the Schema List multivalued attribute.
Table A-8 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of existing entries. |
Table A-8 Entries in the Lookup.DBUM.DB2.TargetRecon.Schema.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Child Attribute Mapping Lookup |
See Appendix A, "Lookup.DBUM.DB2.TargetRecon.Schema.Mapping" for information about this lookup definition. |
|
Child Query Name |
DB2_TARGET_USER_SCHEMA |
Name of the query in the reconciliation query file that you want to run for reconciling data about the child attribute. |
Child Reconciliation Query Filter Lookup |
Name of the lookup definition that contains information about reconciliation filter parameters for the child attribute. See Appendix A, "Lookup.DBUM.DB2.TargetRecon.Schema.QueryFilter" for more information about this lookup definition. |
|
Parent Attribute |
GRANTEE |
Primary key column of the query used for running target resource user reconciliation. |
The Lookup.DBUM.DB2.TargetRecon.Schema.Mapping lookup definition maps the attributes of the Schema List multivalued attribute with column names used in the reconciliation query. This lookup definition is used to retrieve data about the Schema List attribute during target resource reconciliation.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Attribute name of the multivalued attribute
Decode: The value is specified in one of the following formats:
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
COL_NAME
This is the column name used in the reconciliation query corresponding to the value in the code key column.
If you want to add or modify the entries in this lookup definition, then you must specify values in the format described in this section.
Table A-9 lists the default entry in this lookup definition.
The Lookup.DBUM.DB2.TargetRecon.Schema.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the SQL query for retrieving data about the Schema List multivalued attribute during target resource reconciliation.
The Lookup.DBUM.DB2.TargetRecon.Schema.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.DB2.TargetRecon.Tablespace.Configuration lookup definition holds configuration entries related to the Tablespace List multivalued attribute.
Table A-10 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of existing entries. |
Table A-10 Entries in the Lookup.DBUM.DB2.TargetRecon.Tablespace.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Child Attribute Mapping Lookup |
See Appendix A, "Lookup.DBUM.DB2.TargetRecon.Tablespace.Mapping" for information about this lookup definition. |
|
Child Query Name |
DB2_TARGET_USER_TABLESPACE |
Name of the query in the reconciliation query file that you want to run for reconciling data about the child attribute. |
Child Reconciliation Query Filter Lookup |
Name of the lookup definition that contains information about reconciliation filter parameters for the child attribute. See Appendix A, "Lookup.DBUM.DB2.TargetRecon.Tablespace.QueryFilter" for more information about this lookup definition. |
|
Parent Attribute |
GRANTEE |
Primary key column of the query used for running target resource user reconciliation. |
The Lookup.DBUM.DB2.TargetRecon.Tablespace.Mapping lookup definition maps the attributes of the Tablespace List multivalued attribute with column names used in the reconciliation query. This lookup definition is used to retrieve data about the Tablespace List attribute during target resource reconciliation.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Attribute name of the multivalued attribute
Decode: The value is specified in one of the following formats:
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
COL_NAME
This is the column name used in the reconciliation query corresponding to the value in the code key column.
If you want to add or modify the entries in this lookup definition, then you must specify values in the format described in this section.
Table A-11 lists the default entry in this lookup definition.
The Lookup.DBUM.DB2.TargetRecon.Tablespace.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the SQL query for retrieving data about the Tablespace List multivalued attribute during target resource reconciliation.
The Lookup.DBUM.DB2.TargetRecon.Tablespace.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.DB2.TargetRecon.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.DB2.TargetRecon.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.DB2.TargetRecon.UserTypeMapping maps user account types in the target system with corresponding user types to be displayed in the User Type field of the OIM User form.
During target resource reconciliation, this connector fetches a value of U or G from the GRANTEETYPE target system column. A value of U means that the grantee is a user account. A value of G means that the grantee is a group account.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Character in the GRANTEETYPE target system column
Decode: Corresponding value to be displayed in the User Type field of the OIM User form.
If you want to add or modify entries in this lookup definition, then you must specify entries in the format described in the preceding paragraph.
Table A-12 lists the entries in this lookup definition.
The Lookup.DBUM.DB2.TargetRecon.Validation lookup definition is used to configure validation of attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.DB2.TargetRecon.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
The Lookup.DBUM.DB2.TrustedRecon.Configuration lookup definition holds connector configuration entries that are used during trusted source reconciliation.
Table A-13 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of existing entries. |
Table A-13 Entries in the Lookup.DBUM.DB2.TrustedRecon.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMQueryReconciliationImpl |
Name of the class that implements the logic for trusted source reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
DROP ~DROP\t~INSERT ~INSERT\t~ALTER ~ALTER\t~CREATE ~CREATE\t~DELETE ~DELETE\t~UPDATE ~UPDATE\t~TRUNCATE ~TRUNCATE\t~EXEC ~EXEC\t~/*~--~; |
List of SQL keywords that must not be used in the reconciliation query. The connector does not run a query (used for trusted source reconciliation) that contains any of the keywords listed in the Decode column. |
Resource Exclusion List Lookup |
See Appendix A, "Lookup.DBUM.DB2.TrustedRecon.ExclusionList" for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
Name of the class that implements the logic for deriving the status of a target system user account. You must enter a value for this entry only if you want to retrieve the status of a target system account. See Section 5.13, "Configuring Status Reconciliation" if you want to reconcile the status of an account on the target system |
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. |
The Lookup.DBUM.DB2.TrustedRecon.Delete.Mapping lookup definition maps the resource object attribute with the primary key column name used in the reconciliation query (for retrieving all users from the target system). Note that this resource object attribute is the key field for reconciliation matching.
The Lookup.DBUM.DB2.TrustedRecon.Delete.Mapping lookup definition is used during delete user trusted reconciliation runs.
During a delete user reconciliation run, the resource object attribute that you specify in this lookup definition is used for comparing target system user records with existing OIM Users. During this comparison process, if no match is found between the target system user record and OIM User, then the OIM User is deleted.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object attribute, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-14 lists the default entry in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify values of the existing Code Key and Decode values. |
The Lookup.DBUM.DB2.TrustedRecon.ExclusionList lookup definition holds user attributes of target system accounts that must not be reconciled during trusted source reconciliation.
The following is the format of the Code Key and Decode values for this lookup definition:
Code Key: Resource object field name
Decode: Resource object field values separated by the tilde (~) character
Table A-15 lists the default entry in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
The Lookup.DBUM.DB2.TrustedRecon.Mapping lookup definition maps the fields of the OIM User form with corresponding column names used in the reconciliation query. This lookup definition is used for performing trusted source reconciliation.
In this lookup definition, the Code Key contains names of the fields on the OIM User form. The Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column name used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the User Login attribute on the resource object. The target system contains GRANTEE, which is a column corresponding to the User Login attribute. Therefore, the mapping is as follows:
Code Key: User Login
Decode: GRANTEE
CONSTANT~
CONSTANT_VALUE
In this format:
CONSTANT specifies that the data in this column is constant.
CONSTANT_VALUE is the value to be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
For example, the Employee Type field is a mandatory field on the OIM User form. However, on the target system, there is no information about the employee type for a user account. During reconciliation, as the Employee Type field cannot be left empty, you must specify a value for this field. Therefore, the Decode value of the Employee Type Code Key has been set to CONSTANT~Full-Time
. This implies that the value of the Employee Type field on the OIM User form displays Full-Time for all user accounts reconciled from the target system.
By default, in this lookup definition, the Decode values for the Employee Type, Organization, and User Type Code Key columns have been set to constant values Full-Time, Xellerate Users, and End-User, respectively. However, depending on your requirement, you can change these values to one of the following:
For the Employee Type Code Key, you can set one of the following constant values:
Full-Time
Part-Time
Temp
Intern
Consultant
For the Organization Code Key, you can set one of the following constant values:
Xellerate Users
Requests
For the User Type Code Key, you can set one of the following constant values:
End-User
End-User Administrator
COLUMN_NAME
~
LOOKUP_NAME
In this format:
COLUMN_NAME is the target system column name from which value is fetched.
LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the OIM User form field.
You use this format if you want values fetched from the target system to be displayed in a format that is accepted by Oracle Identity Manager. By default, the Lookup.DBUM.DB2.TrustedRecon.Mapping lookup definition does not contain any entry in this format. See Appendix A, "Lookup.DBUM.Oracle.TrustedRecon.Mapping" for an example on using this format.
You can add to or remove entries in the Lookup.DBUM.DB2.TrustedRecon.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for information about adding or modifying entries in this lookup definition.
Table A-16 lists the default entries in this lookup definition.
The Lookup.DBUM.DB2.TrustedRecon.QueryFilter lookup definition is used for configuring limited reconciliation if your target system is configured as a trusted source. This lookup definition holds information about the filter parameters that you want to use while running the SQL query for trusted source reconciliation.
The Lookup.DBUM.DB2.TrustedRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.DB2.TrustedRecon.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.DB2.TrustedRecon.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.DB2.TrustedRecon.Validation lookup definition is used to configure validation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.DB2.TrustedRecon.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
During a provisioning operation, you use the Lookup.DBUM.DB2.UserType lookup definition to specify a value for the User Type field. A value of GROUP specifies that the account being created is a group account. A value of USER specifies that the account being created is a user account.
Table A-17 lists the default entries in this lookup definition.
During a provisioning operation, you use this lookup definition to specify whether target system user record being created has the option to grant tablespaces or schemas for other user records.
Note: You cannot add or modify entries in this lookup definition. |
Table A-18 lists the default entry in this lookup definition.
This section provides information about the following lookup definitions
Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.CreateLogin"
Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.CreateUser"
Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.DeleteLogin"
Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.DeleteUser"
Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.DisableLogin"
Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.EnableLogin"
Appendix A, "Lookup.DBUM.MSSQL.TargetRecon.Delete.Login.Mapping"
Appendix A, "Lookup.DBUM.MSSQL.TargetRecon.Delete.User.Mapping"
Appendix A, "Lookup.DBUM.MSSQL.TargetRecon.Login.Transformation"
Appendix A, "Lookup.DBUM.MSSQL.TargetRecon.Login.Validation"
Appendix A, "Lookup.DBUM.MSSQL.TargetRecon.User.Transformation"
In Microsoft SQL server, you can create an account (login or user) that uses either Windows authentication or SQL server authentication.
The Lookup.DBUM.MSSQL.AuthType lookup definition holds information about authentication types that you can select for a target system account (login or user) that you create through Oracle Identity Manager.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Description of the type of authentication
Table A-19 lists the default entries in this lookup definition.
The Lookup.DBUM.MSSQL.AuthType.KeyMapping.CreateLogin lookup definition holds mapping between authentication types and stored procedure names used for creating login entities.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Stored procedure name used to create the login entity or combination of stored procedure names separated by a tilde (~) character.
Table A-20 lists the default entries in this lookup definition.
Table A-20 Entries in the Lookup.DBUM.MSSQL.AuthType.KeyMapping.CreateLogin Lookup Definition
Code Key | Decode |
---|---|
SQL_SERVER_AUTHENTICATION |
MSSQL_CREATE_SQLAUTHTYPE_LOGIN |
WINDOWS_AUTHENTICATION |
MSSQL_CREATE_WINDOWSAUTHTYPE_LOGIN~MSSQL_GRANT_WINAUTHTYPE_DEFAULTDB~MSSQL_GRANT_WINAUTHTYPE_DEFAULTLANG |
The following scenario illustrates how to add entries to this lookup definition.
Suppose you want to add an entry for creating a login entity that uses Windows authentication. Therefore, in the Code Key column, you enter WINDOWS_AUTHENTICATION
, which is the authentication type for the login entity.
In the Decode column, enter the name of the stored procedure that is used for creating the login entity. If more than one stored procedure is required to create the login entity, then enter the names of all those stored procedures separated by a tilde (~) character. In this scenario, creating a login entity requires running three stored procedures. Therefore, enter MSSQL_CREATE_WINDOWSAUTHTYPE_LOGIN~MSSQL_GRANT_WINAUTHTYPE_DEFAULTDB~MSSQL_GRANT_WINAUTHTYPE_DEFAULTLANG
as the value of the Decode column.
In the Decode column:
MSSQL_CREATE_WINDOWSAUTHTYPE_LOGIN is the name of the stored procedure that creates the login.
MSSQL_GRANT_WINAUTHTYPE_DEFAULTDB is the name of the stored procedure that sets the default database for the login when the login is added to the Microsoft SQL Server.
MSSQL_GRANT_WINAUTHTYPE_DEFAULTLANG is the name of the stored procedure that sets the default language for the login when the login is added to the Microsoft SQL Server.
The Lookup.DBUM.MSSQL.AuthType.KeyMapping.CreateUser lookup definition holds mapping between authentication types and stored procedure names used for creating user entities.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Corresponding stored procedure name used to create the user entity
Table A-21 lists the default entries in this lookup definition.
The Lookup.DBUM.MSSQL.AuthType.KeyMapping.DeleteLogin lookup definition holds mapping between authentication types and stored procedure names used for deleting login entities from Microsoft SQL Server.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Corresponding stored procedure name used to delete the login entity
Table A-22 lists the default entries in this lookup definition.
The Lookup.DBUM.MSSQL.AuthType.KeyMapping.DeleteUser lookup definition holds mapping between authentication types and stored procedure names used for deleting user entities from Microsoft SQL Server.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Corresponding stored procedure name used to delete the user entity
Table A-23 lists the default entries in this lookup definition.
The Lookup.DBUM.MSSQL.AuthType.KeyMapping.DisableLogin lookup definition holds mapping between authentication types and stored procedure names used to disable login entities in Microsoft SQL Server.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Corresponding stored procedure name used to disable the login entity
Table A-24 lists the default entries in this lookup definition.
The Lookup.DBUM.MSSQL.AuthType.KeyMapping.EnableLogin lookup definition holds mapping between authentication types and stored procedure names used to enable login entities in Microsoft SQL Server.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Corresponding stored procedure name used to enable the login entity
Table A-25 lists the default entries in this lookup definition.
The Lookup.DBUM.MSSQL.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of the existing entries. |
Table A-26 lists the default entries in this lookup definition.
Table A-26 Entries in the Lookup.DBUM.MSSQL.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
AuthType QueryCodeKey Mapping Lookup For CreateLogin |
See Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.CreateLogin" for information about this lookup definition. |
|
AuthType QueryCodeKey Mapping Lookup For CreateUser |
See Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.CreateUser" for information about this lookup definition. |
|
AuthType QueryCodeKey Mapping Lookup For DeleteLogin |
See Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.DeleteLogin" for information about this lookup definition. |
|
AuthType QueryCodeKey Mapping Lookup For DeleteUser |
See Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.DeleteUser" for information about this lookup definition. |
|
AuthType QueryCodeKey Mapping Lookup For DisableLogin |
See Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.DisableLogin" for information about this lookup definition. |
|
AuthType QueryCodeKey Mapping Lookup For EnableLogin |
See Appendix A, "Lookup.DBUM.MSSQL.AuthType.KeyMapping.EnableLogin" for information about this lookup definition. |
|
Error Mapping Lookup |
See Appendix A, "Lookup.DBUM.MSSQL.Error.Mapping" for information about this lookup definition. |
|
Parameter Configuration Lookup |
See Appendix A, "Lookup.DBUM.MSSQL.Parameter.Configuration" for information about this lookup definition. |
|
Provisioning Validation Lookup |
See Appendix A, "Lookup.DBUM.MSSQL.Provisioning.Validation" for information about this lookup definition. |
|
Query Configuration Lookup |
See Appendix A, "Lookup.DBUM.MSSQL.Query.Configuration" for information about this lookup definition. |
|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMSQLServerReconciliationImpl |
Name of the class that implements the logic for target resource reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
NODATA |
Enter the SQL keywords (separated by a tilde (~) character) that must not be used in the reconciliation query. The connector does not run a query (used for target resource reconciliation) that contains any of the keywords listed in the Decode column. |
Reserved Words List |
NODATA |
List of reserve words that are not supported in the OIM User process form fields during provisioning operations. |
Resource Exclusion Column Key |
UD_DB_SQL_L_LOGIN |
Name of the process form field that is excluded during provisioning operations. |
Resource Exclusion List Lookup |
See for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
You must enter a value for this entry only if your target system does not contain a column from which you can retrieve the status of a target system account. In Microsoft SQL server, the is_disabled column holds the status of the target system account. Therefore, do not enter any value for this entry. |
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Unsupported Special Characters |
NODATA |
Enter the list of special characters that are not supported in the process form fields during provisioning operations. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. Note: Do not change the value of this entry. |
Use Validation For Provisioning |
No |
Specifies whether you want to enable validation of user attributes during provisioning operations. See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about configuring data validation during provisioning operations. |
When an error is encountered during a provisioning operation, an error message is displayed on the Administrative and User Console.
The Lookup.DBUM.MSSQL.Error.Mapping lookup definition maps error codes displayed by the database with error messages that must be displayed on the OIM User process form during provisioning operations.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: SQL error code returned by the database
Decode: Corresponding error message to be displayed on the OIM User process form
To add or modify entries in this lookup definition, you must enter values in the format specified in the preceding paragraph.
Table A-27 lists the default entries in this lookup definition.
The Lookup.DBUM.MSSQL.ExclusionList lookup definition holds user attributes of the target system accounts for which you do not want to perform target resource reconciliation and provisioning.
For target system accounts on which you do not want to perform provisioning operations, the following is the format of the Code Key and Decode values:
Code Key: Name of the process form field
Decode: Process form field values separated by the tilde (~) character
For target system accounts that must not be reconciled during a target resource reconciliation run, the following is the format of the Code Key and Decode values:
Code Key: Resource object field name
Decode: Resource object field values separated by the tilde (~) character
Table A-28 lists the default entry in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
The Lookup.DBUM.MSSQL.Parameter.Configuration lookup definition maps identifiers of stored procedures and SQL statements (defined in the Lookup.DBUM.MSSQL.Query.Configuration lookup definition) with names of the process form fields.
This connector uses stored procedures and SQL statements to perform provisioning operations. The data that you enter on the process form while performing provisioning operations are stored in the corresponding process form fields in the Design Console. The process form field is mapped to the identifiers of stored procedures or SQL statements that are defined in the Lookup.DBUM.MSSQL.Query.Configuration lookup definition.
See Also: Appendix A, "Lookup.DBUM.MSSQL.Query.Configuration" for more information about the Lookup.DBUM.MSSQL.Query.Configuration lookup definition |
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Identifier in the stored procedure or SQL statement used for provisioning operations
Decode: Combination of the following elements separated by the tilde (~) character:
PF_FIELD_NAME~PF_DATA_TYPE~PARAMETER_TYPE~QUOTE_TYPE~EXCLUDE_VALIDATION~UPPERCASE
Note: The sequence of elements in this format must not be changed |
In this format:
PF_FIELD_NAME is process form field name
PF_DATA_TYPE is process form field data type
PARAMETER_TYPE specifies whether the value in the process form field is of type input of output.
If the value in the process form field is used as an input parameter, for example, as an input to a variable in the SQL statement, then use IN. Otherwise, use OUT.
QUOTE_TYPE specifies whether the value from the process form field that is passed to the SQL statement must be enclosed in a single quotation mark or double quotation mark. The QUOTE_TYPE element is optional.
If you want the value in the process form field to be enclosed in single quotation marks, then use SINGLE_QUOTE. If you want the value in the process form field to be enclosed in double quotation marks, then use DOUBLE_QUOTE.
EXCLUDE_VALIDATION is an optional element. It is used in the following scenario:
Suppose you specify values for the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.MSSQL.Configuration lookup definition. During provisioning operations, the connector checks whether the OIM User process form fields contain any of the values specified in the Reserved Words List or Unsupported Special Characters entries. If such values are found, then no provisioning operations are performed on that record. If you do not want the connector to perform this check on a particular field on the OIM User process form, then include EXCLUDE_VALIDATION along with the name of that process form field.
For example, the UD_DB_SQL_L_LOGIN~varchar2~IN~DOUBLE_QUOTE~EXCLUDE_VALIDATION Decode values specifies that during a particular provisioning operation, the connector does not check whether the Login Name field contains any of the values specified in the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.MSSQL.Configuration lookup definition.
UPPERCASE element is an optional element. You use this element if you want to save on the target system the value entered in the process form field in upper case.
Table A-29 lists the default entries in this lookup definition.
Table A-29 Entries in the Lookup.DBUM.MSSQL.Parameter.Configuration Lookup Definition
Code Key | Decode |
---|---|
mssql_dbdefaultlang |
UD_DB_SQL_L_DEFLANG~varchar2~IN~EXCLUDE_VALIDATION |
mssql_dbname |
UD_DB_SQL_L_DEFDB~varchar2~IN~EXCLUDE_VALIDATION |
mssql_login |
UD_DB_SQL_L_LOGIN~varchar2~IN |
mssql_parent_login |
UD_DB_SQL_U_LOGINNAME~varchar2~IN |
mssql_pass |
UD_DB_SQL_L_PASSWORD~varchar2~IN |
mssql_role |
UD_DB_SQL_R_ROLE~varchar2~IN~EXCLUDE_VALIDATION |
mssql_user_id |
UD_DB_SQL_U_USERNAME~varchar2~IN |
mssql_win_login |
UD_DB_SQL_L_LOGIN~varchar2~IN~DOUBLE_QUOTE~EXCLUDE_VALIDATION |
The Lookup.DBUM.MSSQL.Provisioning.Validation lookup definition is used to store the mapping between the attribute for which validation has to be applied and the validation implementation class.
The Lookup.DBUM.MSSQL.Provisioning.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
As mentioned in one of the sections in this chapter, this connector uses stored procedures and SQL statements to perform provisioning operations.
The Lookup.DBUM.MSSQL.Query.Configuration lookup definition contains stored procedures and SQL statements that are used to perform provisioning operations.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the stored procedure or SQL statement
Decode: Corresponding stored procedure or SQL statement
Depending on the provisioning operations that you are performing, adapters run the appropriate stored procedures or SQL statements on the target system.
Table A-30 lists the default entries in this lookup definition.
Table A-30 Entries in the Lookup.DBUM.MSSQL.Query.Configuration Lookup Definition
Code Key | Decode |
---|---|
MSSQL_ADD_ROLE |
{CALL sp_addrolemember(:mssql_role,:mssql_user_id)} |
MSSQL_CREATE_SQLAUTHTYPE_LOGIN |
{CALL sp_addlogin(:mssql_login,:mssql_pass,:mssql_dbname,:mssql_dbdefaultlang)} |
MSSQL_CREATE_SQLAUTHTYPE_USER |
{CALL sp_adduser(:mssql_parent_login,:mssql_user_id,null)} |
MSSQL_CREATE_WINDOWSAUTHTYPE_LOGIN |
{CALL sp_grantlogin(:mssql_login)} |
MSSQL_CREATE_WINDOWSAUTHTYPE_USER |
{CALL sp_grantdbaccess(:mssql_parent_login,:mssql_user_id)} |
MSSQL_DELETE_ROLE |
{CALL sp_droprolemember(:mssql_role,:mssql_user_id)} |
MSSQL_DELETE_SQLAUTHTYPE_LOGIN |
{CALL sp_droplogin(:mssql_login)} |
MSSQL_DELETE_SQLAUTHTYPE_USER |
{CALL sp_dropuser(:mssql_user_id)} |
MSSQL_DELETE_WINDOWSAUTHTYPE_LOGIN |
{CALL sp_revokelogin(:mssql_login)} |
MSSQL_DELETE_WINDOWSAUTHTYPE_USER |
{CALL sp_revokedbaccess(:mssql_user_id)} |
MSSQL_DISABLE_SQL_LOGIN |
ALTER LOGIN :mssql_login DISABLE |
MSSQL_DISABLE_WINDOWS_LOGIN |
ALTER LOGIN :mssql_win_login DISABLE |
MSSQL_ENABLE_SQL_LOGIN |
ALTER LOGIN :mssql_login ENABLE |
MSSQL_ENABLE_WINDOWS_LOGIN |
ALTER LOGIN :mssql_win_login ENABLE |
MSSQL_GRANT_WINAUTHTYPE_DEFAULTDB |
{CALL sp_defaultdb(:mssql_login,:mssql_dbname)} |
MSSQL_GRANT_WINAUTHTYPE_DEFAULTLANG |
{CALL sp_defaultlanguage(:mssql_login,:mssql_dbdefaultlang)} |
MSSQL_UPDATE_DEFAULTDB |
{CALL sp_defaultdb(:mssql_login,:mssql_dbname)} |
MSSQL_UPDATE_DEFAULTLANG |
{CALL sp_defaultlanguage(:mssql_login,:mssql_dbdefaultlang)} |
MSSQL_UPDATE_LOGIN_PASSWORD |
{call sp_password(null,:mssql_pass,:mssql_login)} |
The Lookup.DBUM.MSSQL.TargetRecon.Auth.Mapping lookup definition maps authentication types on the target system with corresponding values to be displayed in the User Type field of the OIM User process form. This lookup definition is used during target resource reconciliation.
During reconciliation, this connector fetches values such as WINDOWS_LOGIN or SQL_LOGIN from the type_desc target system column. A value of WINDOWS_LOGIN means that the target system account uses Windows authentication. A value of SQL_LOGIN means that the target system account uses SQL Server authentication.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Value in the type_desc target system column
Decode: Corresponding value to be displayed in the User Type process form field
To add or modify entries in this lookup definition, you must enter values in the format specified in the preceding paragraph.
Table A-12 lists the entries in this lookup definition.
The Lookup.DBUM.MSSQL.TargetRecon.Delete.Login.Mapping lookup definition maps the resource object attribute with the primary key column name used in the reconciliation query. Note that this resource object attribute is the key field for reconciliation matching.
The Lookup.DBUM.MSSQL.TargetRecon.Delete.Login.Mapping lookup definition is used during delete login target reconciliation runs.
During a delete login reconciliation run, the resource object field that you specify in this lookup definition is used for comparing target system login entity records with existing target system resource assigned to OIM Users. During this comparison process, if no match is found between the target system login entity record and the resource provisioned to the OIM User, then the database user resource is revoked from the OIM User.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object attribute, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-32 lists the default entry in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify values of the existing Code Key and Decode values. |
The Lookup.DBUM.MSSQL.TargetRecon.Delete.User.Mapping lookup definition maps the resource object attribute with the primary key column name used in the reconciliation query. Note that this resource object attribute is the key field for reconciliation matching.
The Lookup.DBUM.MSSQL.TargetRecon.Delete.User.Mapping lookup definition is used during delete user target reconciliation runs.
During a delete user reconciliation run, the resource object field that you specify in this lookup definition is used for comparing target system user entity records with existing target system resource assigned to OIM Users. During this comparison process, if no match is found between the target system user entity record and the resource provisioned to the OIM User, then the database user resource is revoked from the OIM User.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object attribute, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-33 lists the default entry in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify values of the existing Code Key and Decode values. |
The Lookup.DBUM.MSSQL.TargetRecon.Login.Mapping lookup definition maps resource object attributes with column names used in the stored procedure or SQL query for reconciliation. This lookup definition is used for performing target resource login reconciliation runs.
In this lookup definition, the Code Key contains the reconciliation attribute of the resource object.
For Code Key columns that store single-valued attributes, the Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column names used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the Login Name attribute, which is a single-valued attribute on the resource object. The target system contains LoginName, which is a column corresponding to the Login Name attribute. Therefore, the mapping is as follows:
Code Key: Login Name
Decode: LoginName
CONSTANT~
CONSTANT_VALUE
In this format, CONSTANT specifies that the data in this column is constant. CONSTANT_VALUE is the value to be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
For example, consider the Password attribute of the resource object. The Decode value of this attribute is set to CONSTANT~Dummy. This implies that the Password field on the OIM User form displays Dummy for all records reconciled from the target system.
COLUMN_NAME
~
LOOKUP_NAME
In this format, COLUMN_NAME is the target system column name from which value is fetched. LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the OIM User form field.
You use this format if you want values fetched from the target system to be displayed in a format that is accepted by Oracle Identity Manager.
For example, consider the Authentication Type attribute of the resource object. This is a single valued attribute. The target system contains type_desc, which is a column corresponding to the Authentication Type attribute of the resource object. However, we do not map the Authentication Type resource object attribute to the type_desc column for the following reason:
The type_desc columns stores values such as SQL_LOGIN and WINDOWS_LOGIN. Therefore, during reconciliation, this connector fetches values such as SQL_LOGIN or WINDOWS_LOGIN from the type_desc target system column. However, these values cannot be displayed in the Authentication Type field of the OIM User form. This is because Oracle Identity Manager accepts only one of the following values as the authentication type of an account:
SQL_SERVER_AUTHENTICATION
WINDOWS_AUTHENTICATION
Therefore, in order to display the value retrieved from the type_desc column in a format that is accepted by Oracle Identity Manager, the Authentication Type attribute of the resource object has been mapped to TYPE_DESC~Lookup.DBUM.MSSQL.TargetRecon.Auth.Mapping
.
This implies that in the Code Key column of the Lookup.DBUM.MSSQL.TargetRecon.Auth.Mapping lookup definition, the connector searches for the value that is fetched from the type_desc column of the target system. Then, the corresponding Decode value is displayed as the type of the user account in Oracle Identity Manager. This is illustrated by the following example:
Suppose the value fetched from the type_desc column for a particular user account on the target system is WINDOWS_LOGIN. In the Code Key column of the Lookup.DBUM.MSSQL.TargetRecon.Auth.Mapping lookup definition, the connector searches for the value WINDOWS_LOGIN. The Decode value of the WINDOWS_LOGIN Code Key is WINDOWS_AUTHENTICATION. Therefore, in Oracle Identity Manager, the connector displays WINDOWS_AUTHENTICATION as the values of the Authentication Type field.
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
For Code Key columns that store multivalued attributes, the Decode value is specified in the following format:
CHILD~
MULTIVALUED_ATTR_CONFIG_LOOKUP
In this format:
CHILD specifies that the data in this column is the child attribute data
MULTIVALUED_ATTR_CONFIG_LOOKUP is name of the lookup definition that holds configurable entries for the multivalued attribute.
By default, the Lookup.DBUM.MSSQL.TargetRecon.Login.Mapping lookup definition does not contain an entry for this format. See Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Mapping" for an example on using this format.
You can add or remove entries in the Lookup.DBUM.MSSQL.TargetRecon.Login.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for information about adding or modifying entries in this lookup definition.
Table A-34 lists the default entries in this lookup definition.
The Lookup.DBUM.MSSQL.TargetRecon.Login.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during target resource reconciliation of login entities.
The Lookup.DBUM.MSSQL.TargetRecon.Login.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.MSSQL.TargetRecon.Login.Validation lookup definition is used to configure validation of login entity attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.MSSQL.TargetRecon.Login.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
The Lookup.DBUM.MSSQL.TargetRecon.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the SQL query for target resource reconciliation.
The Lookup.DBUM.MSSQL.TargetRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.MSSQL.TargetRecon.Role.Mapping lookup definition holds mapping between the Role multivalued attribute and the corresponding column name used in the stored procedure for target resource reconciliation.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the multivalued attribute
Decode: The value can be specified in one the following formats:
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
COL_NAME
This is the column name used in the reconciliation query corresponding to the value in the code key column.
If you want to add or modify the entries in this lookup definition, then you must specify values in the format described in this section.
Table A-35 lists the default entry in this lookup definition.
The Lookup.DBUM.MSSQL.TargetRecon.User.Mapping lookup definition maps resource object fields with column names used in the stored procedure or SQL query for reconciliation. This lookup definition is used for performing target resource user reconciliation runs.
In this lookup definition, the Code Key contains the reconciliation field of the resource object.
For Code Key columns that store single-valued attributes, the Decode value can be one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column names used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute that you added.
CONSTANT~
CONSTANT_VALUE
In this format, CONSTANT specifies that the data in this column is constant. CONSTANT_VALUE is value that you want to be displayed in the corresponding OIM User form field in the Administrative and User Console.
You use this format if you want to display in a particular OIM User form field, a constant value for all records.
COLUMN_NAME
~
LOOKUP_NAME
In this format, COLUMN_NAME is the target system column name from which value is fetched. LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values that must be displayed in the OIM User form field.
You use this format if you want to specify the format in which values fetched from the target system must be displayed in the OIM User form field.
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
For Code Key columns that store multivalued attributes, the Decode value is specified in the following format:
CHILD~
MULTIVALUED_ATTR_CONFIG_LOOKUP
In this format:
CHILD specifies that the data in this column is the child attribute data
MULTIVALUED_ATTR_CONFIG_LOOKUP is name of the lookup definition that holds configurable entries for the multivalued attribute.
Table A-36 lists the default entries in this lookup definition, and the descriptions for most of the lookup entries.
The Lookup.DBUM.MSSQL.TargetRecon.User.Transformation lookup definition is used to configure transformation of user entity attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.MSSQL.TargetRecon.User.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.MSSQL.TargetRecon.User.Validation lookup definition is used to configure validation of user entity attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.MSSQL.TargetRecon.User.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
The Lookup.DBUM.MSSQL.TrustedRecon.Configuration lookup definition holds connector configuration entries that are used during trusted source reconciliation.
Table A-37 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of the existing entries. |
Table A-37 Entries in the Lookup.DBUM.MSSQL.TrustedRecon.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMSQLServerReconciliationImpl |
Name of the class that implements the logic for trusted source reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
NODATA |
Enter the list of SQL keywords (separated by the tilde (~) character) that must not be used in the reconciliation query. The connector does not run a query (used for trusted source reconciliation) that contains any of the keywords listed in the Decode column. |
Resource Exclusion List Lookup |
See Appendix A, "Lookup.DBUM.MSSQL.TrustedRecon.ExclusionList" for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
You must enter a value for this entry only if your target system does not contain a column from which you can retrieve the status of a target system account. In Microsoft SQL server, the is_disabled column holds the status of the target system account. Therefore, do not enter any value for this entry. |
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. Note: Do not change the value of this entry. |
The Lookup.DBUM.MSSQL.TrustedRecon.Delete.Mapping lookup definition maps the resource object attribute with the primary key column name used in the reconciliation query (for retrieving all login entities from the target system). Note that this resource object attribute is the key field for reconciliation matching.
The Lookup.DBUM.MSSQL.TrustedRecon.Delete.Mapping lookup definition is used during delete login trusted reconciliation runs.
During a delete login reconciliation run, the resource object attribute that you specify in this lookup definition is used for comparing target system accounts with existing OIM Users. During this comparison process, if no match is found between the target system account and OIM User, then the OIM User is deleted.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object attribute, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete login reconciliation
Table A-38 lists the default entry in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify values of the existing Code Key and Decode values. |
The Lookup.DBUM.MSSQL.TrustedRecon.ExclusionList lookup definition holds user attributes of target system accounts that must not be reconciled during trusted source reconciliation.
The following is the format of the Code Key and Decode values for this lookup definition:
Code Key: Resource object field name
Decode: Resource object field values separated by the tilde (~) character
Table A-39 lists the default entry in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
The Lookup.DBUM.MSSQL.TrustedRecon.Mapping lookup definition maps the fields of the OIM User form with corresponding column names used in the reconciliation query. This lookup definition is used for performing trusted source reconciliation.
In this lookup definition, the Code Key contains names of the fields on the OIM User form. The Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column name used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the User Login attribute on the resource object. The target system contains Loginname, which is a column corresponding to the User Login attribute. Therefore, the mapping is as follows:
Code Key: User Login
Decode: Loginname
CONSTANT~
CONSTANT_VALUE
In this format:
CONSTANT specifies that the data in this column is constant.
CONSTANT_VALUE is the value to be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
For example, the Employee Type field is a mandatory field on the OIM User form. However, on the target system, there is no information about the employee type for a user account. During reconciliation, as the Employee Type field cannot be left empty, you must specify a value for this field. Therefore, the Decode value of the Employee Type Code Key has been set to CONSTANT~Full-Time
. This implies that the value of the Employee Type field on the OIM User form displays Full-Time for all user accounts reconciled from the target system.
By default, in this lookup definition, the Decode values for the Employee Type, Organization, and User Type Code Key columns have been set to constant values Full-Time, Xellerate Users, and End-User, respectively. However, depending on your requirement, you can change these values to one of the following:
For the Employee Type Code Key, you can set one of the following constant values:
Full-Time
Part-Time
Temp
Intern
Consultant
For the Organization Code Key, you can set one of the following constant values:
Xellerate Users
Requests
For the User Type Code Key, you can set one of the following constant values:
End-User
End-User Administrator
COLUMN_NAME
~
LOOKUP_NAME
In this format:
COLUMN_NAME is the target system column name from which value is fetched.
LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the OIM User form field.
You use this format if you want values fetched from the target system to be displayed in a format that is accepted by Oracle Identity Manager.
You can add or remove entries in the Lookup.DBUM.Oracle.TrustedRecon.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for more information.
Table A-40 lists the default entries in this lookup definition.
The Lookup.DBUM.MSSQL.TrustedRecon.QueryFilter lookup definition is used for configuring limited reconciliation if your target system is configured as a trusted source. This lookup definition holds information about the filter parameters that you want to use while running the SQL query or stored procedure for trusted source reconciliation.
The Lookup.DBUM.MSSQL.TrustedRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.MSSQL.TrustedRecon.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.MSSQL.TrustedRecon.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.MSSQL.TrustedRecon.Validation lookup definition is used to configure validation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.MSSQL.TrustedRecon.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
This section provides information about the following lookup definitions:
Appendix A, "Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Configuration"
Appendix A, "Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Mapping"
Appendix A, "Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.QueryFilter"
The Lookup.DBUM.MySQL.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of the existing entries. |
Table A-41 lists the default entries in this lookup definition.
Table A-41 Entries in the Lookup.DBUM.MySQL.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Error Mapping Lookup |
See Appendix A, "Lookup.DBUM.MySQL.Error.Mapping" for information about this lookup definition. |
|
Parameter Configuration Lookup |
See Appendix A, "Lookup.DBUM.MySQL.Parameter.Configuration" for information about this lookup definition. |
|
Provisioning Validation Lookup |
See Appendix A, "Lookup.DBUM.MySQL.Provisioning.Validation" for information about this lookup definition. |
|
Query Configuration Lookup |
See Appendix A, "Lookup.DBUM.MySQL.Query.Configuration" for information about this lookup definition. |
|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMQueryReconciliationImpl.java |
Name of the class that implements the logic for target resource reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
NODATA |
List of SQL keywords (separated by tilde (~) character) that must not be used in the reconciliation query. The connector does not run a query (used for target resource reconciliation) that contains any of the keywords listed in the Decode column. |
Reserved Words List |
GRANT ~REVOKE ~OF ~ON ~TO ~DATABASE ~TABLESPACE ~SCHEMA ~CREATEIN ~ALTERIN ~DROPIN ~FROM ~USE ~GRANT\t~REVOKE\t~OF\t~ON\t~TO\t~DATABASE\t~TABLESPACE\t~SCHEMA\t~CREATEIN\t~ALTERIN\t~DROPIN\t~FROM\t~USE\t |
List of reserve words that are not supported in the OIM User process form fields during provisioning operations. |
Resource Exclusion Column Key |
UD_DB_MYS_U_USERNAME |
Name of the process form field that is excluded during provisioning operations. |
Resource Exclusion List Lookup |
See Appendix A, "Lookup.DBUM.MySQL.ExclusionList" for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
Name of the class that implements the logic for deriving the status of a target system user account. |
SSL Keystore Properties |
NODATA |
If you want to configure secure communication between the target system and Oracle Identity Manager, then enter the SSL keystore details in the following format:
|
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Unsupported Special Characters |
NODATA |
Enter the list of special characters that are not supported in the process form fields during provisioning operations. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. |
Use Validation For Provisioning |
No |
Specifies whether you want to enable validation of user attributes during provisioning operations. |
When an error is encountered during a provisioning operation, an error message is displayed on the Administrative and User Console.
The Lookup.DBUM.MySQL.Error.Mapping lookup definition maps error codes displayed by the database with error messages to be displayed on the process form in the Administrative and User Console during provisioning operations.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: SQL error code returned by the database
Decode: Corresponding error message to be displayed on the process form
To add or modify entries in this lookup definition, you must enter values in the format specified in the preceding paragraph.
Table A-42 lists the default entries in this lookup definition.
The Lookup.DBUM.MySQL.ExclusionList lookup definition holds user attributes of the target system accounts for which you do not want to perform target resource reconciliation and provisioning.
For target system accounts on which you do not want to perform provisioning operations, the following is the format of the Code Key and Decode values:
Code Key: Name of the process form field
Decode: Process form field values separated by the tilde (~) character
For target system accounts that must not be reconciled during a target resource reconciliation run, the following is the format of the Code Key and Decode values:
Code Key: Resource object field name
Decode: Resource object field values separated by the tilde (~) character
Table A-43 lists the default entry in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
The Lookup.DBUM.MySQL.Parameter.Configuration lookup definition maps identifiers in a SQL statement or SQL fragment (defined in the Lookup.DBUM.MySQL.Query.Configuration lookup definition) with names of the process form fields.
During provisioning operations, the data that you enter on the OIM User form is stored in the corresponding fields of the process form in the Design Console. The fields of the process form are mapped to the identifiers of SQL statements or SQL fragments used for provisioning. In other words, the SQL statements use the data present in the process form to run SQL statements. These SQL statements or SQL fragments are defined in the Lookup.DBUM.MySQL.Query.Configuration lookup definition.
See Also: Appendix A, "Lookup.DBUM.MySQL.Query.Configuration" for more information about the Lookup.DBUM.MySQL.Query.Configuration lookup definition |
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Identifier in a SQL statement or SQL fragment used for provisioning operations
Decode: Combination of the following elements separated by the tilde (~) character:
PF_FIELD_NAME~PF_DATA_TYPE~PARAMETER_TYPE~QUOTE_TYPE~EXCLUDE_VALIDATION~UPPERCASE
Note: The sequence of elements in the Decode value must not be changed. |
In this format:
PF_FIELD_NAME is name of the process form field.
PF_DATA_TYPE is the data type of the process form field.
PARAMETER_TYPE specifies whether the value in the process form field is of type input of output.
If the value in the process form field is used as an input parameter, for example, as an input to a variable in the SQL statement, then use IN. Otherwise, OUT.
QUOTE_TYPE specifies whether the value from the process form field that is passed to the SQL statement must be enclosed in a single quotation mark or double quotation mark. The QUOTE_TYPE element is optional.
If you want the value in the process form field to be enclosed in single quotation marks, then use SINGLE_QUOTE. If you want the value in the process form field to be enclosed in double quotation marks, then use DOUBLE_QUOTE.
EXCLUDE_VALIDATION element is optional. This element is used in the following scenario:
Suppose you specify values for the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.MySQL.Configuration lookup definition. During provisioning operations, the connector checks whether the fields on the OIM User form contain any of the values specified in the Reserved Words List or Unsupported Special Characters entries. If such values are found, then no provisioning operations are performed on that record. If you do not want the connector to perform this check on a particular field of the OIM User form, then include EXCLUDE_VALIDATION along with the name of the process form field.
For example, the UD_DB_MySQL_T_TABLESPACE~varchar2~IN~EXCLUDE_VALIDATION Decode value specifies that during a particular provisioning operation, the connector does not check whether the Tablespace field contains any of the values specified in the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.MySQL.Configuration lookup definition.
UPPERCASE element is an optional element. You use this element if you want to save on the target system the value entered in the process form field in upper case.
If you want to add or modify entries in this lookup definition, then you must enter values in the format specified earlier in this section. Note that changes that you make in the Code Key column of this lookup definition must be duplicated in the Lookup.DBUM.MySQL.Query.Configuration lookup definition. This is illustrated by the following example:
Suppose, in Table A-44, if you change the mysql_user_name Code Key value to mysql_usrname, then in the Lookup.DBUM.MySQL.Query.Configuration lookup definition, you must change all occurrences of mysql_user_name to mysql_usrname.
Table A-44 lists the default entries in this lookup definition.
Table A-44 Entries in the Lookup.DBUM.MySQL.Parameter.Configuration Lookup Definition
Code Key | Decode |
---|---|
privilege_name |
UD_DB_MYS_P_PRIVILEGE~varchar2~IN~EXCLUDE_VALIDATION |
schema_name |
UD_DB_MYS_P_SCHEMA_NAME~varchar2~IN~EXCLUDE_VALIDATION |
mysql_user_name_pwd |
UD_DB_MYS_U_USER_NAME~varchar2~IN~EXCLUDE_VALIDATION |
mysql_user_password_pwd |
UD_DB_MYS_U_PASSWORD~varchar2~IN~EXCLUDE_VALIDATION |
mysql_user_name |
UD_DB_MYS_U_USER_NAME~varchar2~IN~SINGLE_QUOTE |
mysql_user_password |
UD_DB_MYS_U_PASSWORD~varchar2~IN~SINGLE_QUOTE~EXCLUDE_VALIDATION |
The Lookup.DBUM.MySQL.Provisioning.Validation lookup definition is used to store the mapping between the attribute for which validation has to be applied (during provisioning) and the validation implementation class.
The Lookup.DBUM.MySQL.Provisioning.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
As mentioned earlier in this guide, the Database User Management connector uses SQL statements for provisioning operations. These SQL statements are defined in the Lookup.DBUM.MySQL.Query.Configuration lookup definition. Depending on the provisioning operations that you are performing, adapters run the appropriate SQL statements on the target system.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the SQL statement or SQL fragment
Decode: Corresponding SQL statement or SQL fragment. The SQL statement is a combination of the following entries:
SQL Keywords
This is a mandatory element. Examples of SQL keywords are GRANT and REVOKE.
Identifiers
This is a mandatory element.
In Table A-45, mysql_user_name, mysql_user_password, and mysql_user_password_pwd are examples of identifiers. The actual values for these identifiers are determined at run time.
Name of the SQL fragment
This is an optional element. By default, this lookup definition does not contain any entries with names of SQL fragments. See Section A.4.9, "Lookup.DBUM.Oracle.Query.Configuration" for examples of names of SQL fragments.
Table A-45 lists the default entries in this lookup definition.
If you want to add or modify entries in this lookup definition, then you must enter values in the format specified earlier in this section. Note that changes that you make to identifiers in this lookup definition must be duplicated in the corresponding Code Key value of the Lookup.DBUM.MySQL.Parameter.Configuration lookup definition. In addition, you must also duplicate this change in all occurrences of the identifier in this lookup definition.
Table A-45 Entries in the Lookup.DBUM.MySQL.Query.Configuration Lookup Definition
Code Key | Decode |
---|---|
MYSQL_CREATE_USER |
CREATE USER :mysql_user_name IDENTIFIED BY :mysql_user_password |
MYSQL_DROP_USER |
DROP USER :mysql_user_name |
MYSQL_GRANT_PRIVILEGE |
GRANT :privilege_name ON :schema_name.* TO :mysql_user_name |
MYSQL_REVOKE_PRIVILEGE |
REVOKE :privilege_name ON :schema_name.* FROM :mysql_user_name |
MYSQL_UPDATE_PASSWORD |
SET PASSWORD FOR :mysql_user_name_pwd = PASSWORD(:mysql_user_password_pwd) |
The Lookup.DBUM.MySQL.TargetRecon.Delete.Mapping lookup definition maps the resource object attribute with the primary key column name used in the reconciliation query. Note that this resource object attribute is the key field for reconciliation matching.
The Lookup.DBUM.MySQL.TargetRecon.Delete.Mapping lookup definition is used during delete user target reconciliation runs.
During a delete user reconciliation run, the resource object attribute that you specify in this lookup definition is used for comparing target system user records with existing target system resource assigned to OIM Users. During this comparison process, if no match is found between the target system user record and the resource provisioned to the OIM User, then the database user resource is revoked from the OIM User.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object attribute, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-46 lists the default entry in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify values of the existing Code Key and Decode values. |
The Lookup.DBUM.MySQL.TargetRecon.Mapping lookup definition maps resource object attributes with column names or column name aliases used in the reconciliation query. This lookup definition is used for performing target resource user reconciliation runs.
In this lookup definition, the Code Key contains the reconciliation attribute of the resource object.
For Code Key columns that store single-valued attributes, the Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column names used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the User Name attribute, which is a single-valued attribute on the resource object. The target system contains User, which is the column corresponding to the User Name attribute. Therefore, the mapping is as follows:
Code Key: User Name
Decode: User
CONSTANT~
CONSTANT_VALUE
In this format, CONSTANT specifies that the data in this column is constant. CONSTANT_VALUE is the value to be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
COLUMN_NAME
~
LOOKUP_NAME
In this format, COLUMN_NAME is the target system column name from which value is fetched. LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the OIM User form field.
You use this format if you want to specify the format in which values fetched from the target system must be displayed in the process form field. By default, this lookup definition does not contain entries in this format. See Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Mapping" for an example on using this format.
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field. By default, this lookup definition does not contain entries in this format. See Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Mapping" for an example on using this format.
For Code Key columns that store multivalued attributes, the Decode value is specified in the following format:
CHILD~
MULTIVALUED_ATTR_CONFIG_LOOKUP
In this format:
CHILD specifies that the data in this column is the child attribute data
MULTIVALUED_ATTR_CONFIG_LOOKUP is name of the lookup definition that holds configurable entries for the multivalued attribute.
For example, Privilege List is a multivalued attribute. The Decode value of the Privilege List Code Key value is CHILD~Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Configuration
. The Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Configuration lookup definition contains configurable entries for the Privilege List attribute.
You can add or remove entries in the Lookup.DBUM.MySQL.TargetRecon.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for information about adding or modifying entries in this lookup definition.
Table A-47 lists the default entries in this lookup definition.
The Lookup.DBUM.MySQL.TargetRecon.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the SQL query for target resource reconciliation.
The Lookup.DBUM.MySQL.TargetRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Configuration lookup definition holds configuration entries related to the Privilege List multivalued attribute.
Table A-48 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of existing entries. |
Table A-48 Entries in the Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Child Attribute Mapping Lookup |
See Appendix A, "Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Configuration" for information about this lookup definition. |
|
Child Query Name |
MYSQL_TARGET_USER_PRIVILEGE |
Name of the query in the reconciliation query file that you want to run for reconciling data about the child attribute. |
Child Reconciliation Query Filter Lookup |
Name of the lookup definition that contains information about reconciliation filter parameters for the child attribute. See Appendix A, "Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.QueryFilter" for more information about this lookup definition. |
|
Parent Attribute |
User |
Primary key column of the query used for running target resource user reconciliation. |
The Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.Mapping lookup definition maps the attributes of the Privilege List multivalued attribute with column names used in the reconciliation query. This lookup definition is used to retrieve data about the Privilege List attribute during target resource reconciliation.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Attribute name of the multivalued attribute
Decode: The value is specified in one of the following formats:
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if process form field corresponding to the Code Key value is a lookup type field.
COL_NAME
This is the column name used in the reconciliation query corresponding to the value in the code key column.
If you want to add or modify the entries in this lookup definition, then you must specify values in the format described in this section.
Table A-49 lists the default entry in this lookup definition.
The Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the SQL query for retrieving data about the Privilege List multivalued attribute during target resource reconciliation.
The Lookup.DBUM.MySQL.TargetRecon.SchemaPrivilege.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.MySQL.TargetRecon.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.MySQL.TargetRecon.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.MySQL.TargetRecon.Validation lookup definition is used to configure validation of attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.MySQL.TargetRecon.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
The Lookup.DBUM.MySQL.TrustedRecon.Configuration lookup definition holds connector configuration entries that are used during trusted source reconciliation.
Table A-50 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of existing entries. |
Table A-50 Entries in the Lookup.DBUM.MySQL.TrustedRecon.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMQueryReconciliationImpl |
Name of the class that implements the logic for trusted source reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
DROP ~DROP\t~INSERT ~INSERT\t~ALTER ~ALTER\t~CREATE ~CREATE\t~DELETE ~DELETE\t~UPDATE ~UPDATE\t~TRUNCATE ~TRUNCATE\t~EXEC ~EXEC\t~/*~--~; |
List of SQL keywords that must not be used in the reconciliation query. The connector does not run a query (used for trusted source reconciliation) that contains any of the keywords listed in the Decode column. |
Resource Exclusion List Lookup |
See Appendix A, "Lookup.DBUM.MySQL.TrustedRecon.ExclusionList" for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
Name of the class that implements the logic for deriving the status of a target system user account. You must enter a value for this entry only if you want to retrieve the status of a target system account. See Section 5.13, "Configuring Status Reconciliation" if you want to reconcile the status of an account on the target system |
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. |
The Lookup.DBUM.MySQL.TrustedRecon.Delete.Mapping lookup definition maps the resource object attribute with the primary key column name used in the reconciliation query (for retrieving all users from the target system). Note that this resource object attribute is the key field for reconciliation matching.
The Lookup.DBUM.MySQL.TrustedRecon.Delete.Mapping lookup definition is used during delete user trusted reconciliation runs.
During a delete user reconciliation run, the resource object attribute that you specify in this lookup definition is used for comparing target system user records with existing OIM Users. During this comparison process, if no match is found between the target system user record and OIM User, then the OIM User is deleted.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object attribute, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-51 lists the default entry in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify values of the existing Code Key and Decode values. |
The Lookup.DBUM.MySQL.TrustedRecon.ExclusionList lookup definition holds user attributes of target system accounts that must not be reconciled during trusted source reconciliation.
The following is the format of the Code Key and Decode values for this lookup definition:
Code Key: Resource object field name
Decode: Resource object field values separated by the tilde (~) character
Table A-52 lists the default entry in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
The Lookup.DBUM.MySQL.TrustedRecon.Mapping lookup definition maps the fields of the OIM User form with corresponding column names used in the reconciliation query. This lookup definition is used for performing trusted source reconciliation.
In this lookup definition, the Code Key contains names of the fields on the OIM User form. The Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column name used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the User Login attribute on the resource object. The target system contains User, which is a column corresponding to the User Login attribute. Therefore, the mapping is as follows:
Code Key: User Login
Decode: User
CONSTANT~
CONSTANT_VALUE
In this format:
CONSTANT specifies that the data in this column is constant.
CONSTANT_VALUE is the value to be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
For example, the Employee Type field is a mandatory field on the OIM User form. However, on the target system, there is no information about the employee type for a user account. During reconciliation, as the Employee Type field cannot be left empty, you must specify a value for this field. Therefore, the Decode value of the Employee Type Code Key has been set to CONSTANT~Full-Time
. This implies that the value of the Employee Type field on the OIM User form displays Full-Time for all user accounts reconciled from the target system.
By default, in this lookup definition, the Decode values for the Employee Type, Organization, and User Type Code Key columns have been set to constant values Full-Time, Xellerate Users, and End-User, respectively. However, depending on your requirement, you can change these values to one of the following:
For the Employee Type Code Key, you can set one of the following constant values:
Full-Time
Part-Time
Temp
Intern
Consultant
For the Organization Code Key, you can set one of the following constant values:
Xellerate Users
Requests
For the User Type Code Key, you can set one of the following constant values:
End-User
End-User Administrator
COLUMN_NAME
~
LOOKUP_NAME
In this format:
COLUMN_NAME is the target system column name from which value is fetched.
LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the OIM User form field.
You use this format if you want values fetched from the target system to be displayed in a format that is accepted by Oracle Identity Manager. By default, the Lookup.DBUM.MySQL.TrustedRecon.Mapping lookup definition does not contain any entry in this format. See Appendix A, "Lookup.DBUM.Oracle.TrustedRecon.Mapping" for an example on using this format.
You can add to or remove entries in the Lookup.DBUM.MySQL.TrustedRecon.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for information about adding or modifying entries in this lookup definition.
Table A-53 lists the default entries in this lookup definition.
The Lookup.DBUM.MySQL.TrustedRecon.QueryFilter lookup definition is used for configuring limited reconciliation if your target system is configured as a trusted source. This lookup definition holds information about the filter parameters that you want to use while running the SQL query for trusted source reconciliation.
The Lookup.DBUM.MySQL.TrustedRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.MySQL.TrustedRecon.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.MySQL.TrustedRecon.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.MySQL.TrustedRecon.Validation lookup definition is used to configure validation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.MySQL.TrustedRecon.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
This section provides information about the following lookup definitions:
Appendix A, "Lookup.DBUM.Oracle.AuthType.KeyMapping.CreateUser"
Appendix A, "Lookup.DBUM.Oracle.AuthType.KeyMapping.UpdateUser"
Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Privilege.Configuration"
Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Privilege.Mapping"
Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Privilege.QueryFilter"
Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Role.Configuration"
Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Role.QueryFilter"
Appendix A, "Lookup.DBUM.Oracle.TrustedRecon.Delete.Mapping"
Appendix A, "Lookup.DBUM.Oracle.TrustedRecon.Transformation"
The Database User Management connector enables you to create user accounts in the target system that can access the database by being authenticated by using a password. In addition, this connector enables you to create global user accounts that can be authenticated by an enterprise directory, and external users that can be authenticated by an external service.
The Lookup.DBUM.Oracle.AuthType lookup definition holds information about authentication types that you can select for a target system account that you create through Oracle Identity Manager.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Description of the type of authentication
Table A-54 lists the default entries in this lookup definition.
The Lookup.DBUM.Oracle.AuthType.KeyMapping.CreateUser lookup definition maps each authentication type (in the Lookup.DBUM.Oracle.AuthType lookup definition) with names of SQL statements used for creating users on the target system.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Name of the SQL statement used to create a target system user account
Note: The Decode column contains just the name of the SQL statement that must be run. The complete SQL statement that must be run is specified in the Lookup.DBUM.Oracle.Query.Configuration lookup definition. See Appendix A, "Lookup.DBUM.Oracle.Query.Configuration" for more information about this lookup definition. |
Table A-55 lists the default entries in this lookup definition.
Table A-55 Entries in the Lookup.DBUM.Oracle.AuthType.KeyMapping.CreateUser Lookup Definition
Code Key | Decode |
---|---|
EXTERNAL |
ORA_CREATE_EXTERNAL_USER |
GLOBAL |
ORA_CREATE_GLOBAL_USER |
PASSWORD |
ORA_CREATE_USER |
If you want to add or modify entries in this lookup definition, then you must enter values in the format specified earlier in this section. Note that changes that you make in the Code Key column of this lookup definition must be duplicated in the Lookup.DBUM.Oracle.AuthType lookup definition. Similarly, changes that you make in the Decode column of this lookup definition must be duplicated in the Lookup.DBUM.Oracle.Query.Configuration and Lookup.DBUM.Oracle.Parameter.Configuration lookup definitions. These lookup definitions are discussed later in this Appendix.
The Lookup.DBUM.Oracle.AuthType.KeyMapping.UpdateUser lookup definition maps each authentication type (in the Lookup.DBUM.Oracle.AuthType lookup definition) with names of SQL statements used for updating users on the target system.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Type of authentication
Decode: Name of the SQL statement used to update a target system user account
Table A-56 lists the default entries in this lookup definition.
Table A-56 Entries in the Lookup.DBUM.Oracle.AuthType.KeyMapping.UpdateUser Lookup Definition
Code Key | Decode |
---|---|
EXTERNAL |
ORA_UPDATE_USER_AUTHTYPE_EXTERNALLY |
GLOBAL |
ORA_UPDATE_USER_AUTHTYPE_GLOBALLY |
PASSWORD |
ORA_UPDATE_PASSWORD |
If you want to add or modify entries in this lookup definition, then you must enter values in the format specified earlier in this section. Note that changes that you make in the Code Key column of this lookup definition must be duplicated in the Lookup.DBUM.Oracle.AuthType lookup definition. Similarly, changes that you make in the Decode column of this lookup definition must be duplicated in the Lookup.DBUM.Oracle.Query.Configuration and Lookup.DBUM.Oracle.Parameter.Configuration lookup definitions. These lookup definitions are discussed later in this Appendix.
The Lookup.DBUM.Oracle.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of the existing entries. |
Table A-57 lists the default entries in this lookup definition.
Table A-57 Entries in the Lookup.DBUM.Oracle.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
AuthType QueryCodeKey Mapping Lookup For CreateUser |
See Appendix A, "Lookup.DBUM.Oracle.AuthType.KeyMapping.CreateUser" for information about this lookup definition. |
|
AuthType QueryCodeKey Mapping Lookup For UpdateUser |
See Appendix A, "Lookup.DBUM.Oracle.AuthType.KeyMapping.UpdateUser" for information about this lookup definition. |
|
Error Mapping Lookup |
See Appendix A, "Lookup.DBUM.Oracle.Error.Mapping" for information about this lookup definition. |
|
Parameter Configuration Lookup |
See Appendix A, "Lookup.DBUM.Oracle.Parameter.Configuration" for information about this lookup definition. |
|
Provisioning Validation Lookup |
SeeAppendix A, "Lookup.DBUM.Oracle.Provisioning.Validation" for information about this lookup definition. |
|
Query Configuration Lookup |
See Appendix A, "Lookup.DBUM.Oracle.Query.Configuration" for information about this lookup definition. |
|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMQueryReconciliationImpl |
Name of the class that implements the logic for target resource reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
DROP ~DROP\t~INSERT ~INSERT\t~ALTER ~ALTER\t~CREATE ~CREATE\t~DELETE ~DELETE\t~UPDATE ~UPDATE\t~TRUNCATE ~TRUNCATE\t~EXEC ~EXEC\t~/*~--~; |
List of SQL keywords (separated by a tilde (~) character) that modify or can be used to modify data in the database. The connector does not run a query (used for target resource reconciliation) that contains any of the keywords listed in the Decode column. You can add to or remove from the list of SQL keywords. See Section 3.1.1, "Setting Up the Configuration Lookup Definition for a Target Resource" for information about setting a value for this entry. |
Reserved Words List |
DROP ~INSERT ~ALTER ~CREATE ~DELETE ~UPDATE ~GRANT ~TRUNCATE ~EXEC ~TEMPORARY ~TABLESPACE ~DEFAULT ~QUOTA ~PROFILE ~IDENTIFIED ~EXTERNALLY ~AS ~GLOBALLY ~REVOKE ~ACCOUNT ~UNLOCK ~LOCK ~CASCADE ~DROP\t~INSERT\t~ALTER\t~CREATE\t~DELETE\t~UPDATE\t~GRANT\t~TRUNCATE\t~EXEC\t~TEMPORARY\t~TABLESPACE\t~DEFAULT\t~QUOTA\t~PROFILE\t~IDENTIFIED\t~EXTERNALLY\t~AS\t~GLOBALLY\t~REVOKE\t~ACCOUNT\t~UNLOCK\t~LOCK\t~CASCADE\t |
List of reserve words that are not supported in the OIM User process form fields during provisioning operations. You can add to or remove from the list of reserve words. |
Resource Exclusion Column Key |
UD_DB_ORA_U_USERNAME |
Name of the process form field that is excluded during provisioning operations. |
Resource Exclusion List Lookup |
See for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
Name of the class that implements the logic for deriving the status of a target system user account. You must enter a value for this entry only if your target system does not contain a column from which you can retrieve the status of a target system account. In Oracle Database, the ACCOUNT_STATUS column holds the status of the user in the target system. Therefore, do not enter any value for this entry. |
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Unsupported Special Characters |
--~/*~; |
The Decode column contains a list of special characters that are not supported in the process form fields during provisioning operations. You can add to or remove from the list of unsupported special characters. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. Note: Do not change the value of this entry. |
Use Validation For Provisioning |
No |
Specifies whether you want to enable validation of user attributes during provisioning operations. See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about configuring data validation during provisioning operations. |
The Lookup.DBUM.Oracle.Error.Mapping lookup definition maps error codes displayed by the database with error messages to be displayed on the OIM User form during provisioning operations.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: SQL error code returned by the database
Decode: Corresponding error message to be displayed on the OIM User form
To add or modify entries in this lookup definition, you must enter values in the format specified in the preceding paragraph.
Table A-58 lists the default entries in this lookup definition.
The Lookup.DBUM.Oracle.ExclusionList lookup definition holds user attributes of the target system accounts for which you do not want to perform target resource reconciliation and provisioning.
For target system accounts on which you do not want to perform provisioning operations, the following is the format of the Code Key and Decode values:
Code Key: Name of the process form field
Decode: Process form field values separated by the tilde (~) character
For target system accounts that must not be reconciled during a target resource reconciliation run, the following is the format of the Code Key and Decode values:
Code Key: Resource object field name
Decode: Resource object field values separated by the tilde (~) character
Table A-59 lists the default entries in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
Table A-59 Entries in the Lookup.DBUM.Oracle.ExclusionList Lookup Definition
Code Key | Decode |
---|---|
UD_DB_ORA_U_USERNAME |
sys~system |
User Name |
sys~system |
The first row in Table A-59 specifies that no provisioning operations must be performed on target system accounts whose user name is sys and system. Similarly, the second row specifies that target system accounts with user name sys and system must not be fetched in to Oracle Identity Manager.
The Lookup.DBUM.Oracle.Parameter.Configuration lookup definition maps identifiers of the SQL statement or SQL fragment (defined in the Lookup.DBUM.Oracle.Query.Configuration lookup definition) with names of the process form fields.
During provisioning operations, the data that you enter on the OIM User form is stored in the corresponding fields of the process form in the Design Console. The fields of the process form are mapped to the identifiers of SQL statements or SQL fragments used for provisioning. In other words, the SQL statements use the data present in the process form to run SQL statements. These SQL statements or SQL fragments are defined in the Lookup.DBUM.Oracle.Query.Configuration lookup definition.
See Also: Appendix A, "Lookup.DBUM.DB2.Query.Configuration" for more information about the Lookup.DBUM.Oracle.Query.Configuration lookup definition |
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Identifier in a SQL statement or SQL fragment used for provisioning operations
Decode: Combination of the following elements separated by the tilde (~) character:
PF_FIELD_NAME~PF_DATA_TYPE~PARAMETER_TYPE~QUOTE_TYPE~EXCLUDE_VALIDATION~UPPERCASE
In this format:
PF_FIELD_NAME is the name of the process form field
PF_DATA_TYPE is the data type of the process form field
PARAMETER_TYPE specifies whether the value in the process form field is of type input of output.
If the value in the process form field is used as an input parameter, for example as an input to an identifier in a SQL statement, then use IN. Otherwise, OUT.
QUOTE_TYPE element is optional. This element specifies whether the value from the process form field that is passed to the SQL statement must be enclosed in a single quotation mark or double quotation mark.
If you want the value in the process form field to be enclosed in single quotation marks, then use SINGLE_QUOTE. If you want the value in the process form field to be enclosed in double quotation marks, then use DOUBLE_QUOTE.
EXCLUDE_VALIDATION element is optional. It is used in the following scenario:
Suppose you specify values for the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.Oracle.Configuration lookup definition. During provisioning operations, the connector checks whether the fields on the OIM User form contain any of the values specified in the Reserved Words List or Unsupported Special Characters entries. If such values are found, then no provisioning operations are performed on that record. If you do not want the connector to perform this check on a particular field on the OIM User form, then include EXCLUDE_VALIDATION along with the name of the process form field.
For example, in Table A-60, the UD_DB_ORA_R_ROLE~varchar2~IN~EXCLUDE_VALIDATION Decode value specifies that during a particular provisioning operation, the connector does not check whether the Role Name field contains any of the values specified in the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.Oracle.Configuration lookup definition. In other words, a provisioning operation is not interrupted if the connector finds in the Role Name field, any of the values specified in the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.Oracle.Configuration lookup definition
UPPERCASE element is an optional element. You use this element if you want to save on the target system the value entered in the process form field in upper case.
If you want to add or modify entries in this lookup definition, then you must enter values in the format specified earlier in this section. Note that changes that you make in the Code Key column of this lookup definition must be duplicated in the Lookup.DBUM.Oracle.Query.Configuration lookup definition. This is illustrated by the following example:
Suppose, in Table A-60, if you change the ora_password Code Key value to ora_pwd, then in the Lookup.DBUM.Oracle.Query.Configuration lookup definition, you must change all occurrences of ora_password to ora_pwd.
Table A-60 lists the default entries in this lookup definition.
Table A-60 Entries in the Lookup.DBUM.Oracle.Parameter.Configuration Lookup Definition
Code Key | Decode |
---|---|
ora_default_tablespace |
UD_DB_ORA_U_TABLESPACE~varchar2~IN~EXCLUDE_VALIDATION |
ora_defaultts_quota_size |
UD_DB_ORA_U_QUOTASIZE~varchar2~IN |
ora_global_dn |
UD_DB_ORA_U_GLOBAL_DN~varchar2~IN~SINGLE_QUOTE |
ora_password |
UD_DB_ORA_U_PASSWORD~varchar2~IN |
ora_privilege_admin_option |
UD_DB_ORA_P_ADMIN_OPTION~varchar2~IN~EXCLUDE_VALIDATION |
ora_privilege_name |
UD_DB_ORA_P_PRIVILEGE~varchar2~IN~EXCLUDE_VALIDATION |
ora_profile |
UD_DB_ORA_U_PROFILE~varchar2~IN~EXCLUDE_VALIDATION |
ora_role_admin_option |
UD_DB_ORA_R_ADMIN_OPTION~varchar2~IN~EXCLUDE_VALIDATION |
ora_role_name |
UD_DB_ORA_R_ROLE~varchar2~IN~EXCLUDE_VALIDATION |
ora_temp_tablespace |
UD_DB_ORA_U_TEMPTABLESPACE~varchar2~IN~EXCLUDE_VALIDATION |
ora_tempts_quota_size |
UD_DB_ORA_U_TEMP_QUOTASIZE~varchar2~IN |
ora_user_id |
UD_DB_ORA_U_USERNAME~varchar2~IN~UPPERCASE |
ora_user_id_external |
UD_DB_ORA_U_USERNAME~varchar2~IN~DOUBLE_QUOTE~EXCLUDE_VALIDATION~UPPERCASE |
The Lookup.DBUM.Oracle.Provisioning.Validation lookup definition maps the attribute for which validation has to be applied with the validation implementation class.
The Lookup.DBUM.Oracle.Provisioning.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
As mentioned earlier in this chapter, the Database User Management connector uses SQL statements for provisioning operations. These SQL statements are defined in the Lookup.DBUM.Oracle.Query.Configuration lookup definition. Depending on the provisioning operations that you are performing, adapters run the appropriate SQL statements on the target system.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the SQL statement or SQL fragment
Decode: Corresponding SQL statement or SQL fragment. A SQL statement in this lookup definition is a combination of the following elements:
SQL Keywords:
This is a mandatory element. Examples of SQL keywords are GRANT, CREATE, REVOKE, and ALTER.
Identifiers:
This is a mandatory element.
In Table A-61, ora_user_id, ora_password, ora_default_tablespace, and ora_profile are identifiers. The actual values for these identifiers are determined at run time.
Name of the SQL fragment:
This is an optional element.
In Table A-61, PROFILE_QUERY, ROLE_WITH_ADMIN_OPTION, DEFAULTTS_QUOTA_QUERY, and TEMP_TABLESPACE_QUERY are names of SQL fragments.
For example, in the Decode value of the ORA_ADD_PRIVILEGE Code Key in Table A-61, it is optional to include PRIVILEGE_WITH_ADMIN_OPTION in the SQL statement that is used to grant privileges to a user account on the target system. The name of the SQL fragment, PRIVILEGE_WITH_ADMIN_OPTION, has been specified as optional as you may not want to grant to all user accounts on the target system privileges with the admin option.
Table A-61 lists the default entries in this lookup definition.
If you want to add or modify entries in this lookup definition, then you must enter values in the format specified earlier in this section. Note that changes that you make to identifiers in this lookup definition must be duplicated in the corresponding Code Key value of the Lookup.DBUM.Oracle.Parameter.Configuration lookup definition. In addition, you must also duplicate this change in all occurrences of the identifier in this lookup definition.
Table A-61 Entries in the Lookup.DBUM.Oracle.Query.Configuration Lookup Definition
Code Key | Decode |
---|---|
DEFAULTTS_QUOTA_QUERY |
QUOTA :ora_defaultts_quota_size ON :ora_default_tablespace |
ORA_ADD_PRIVILEGE |
GRANT :ora_privilege_name TO :ora_user_id_external~PRIVILEGE_WITH_ADMIN_OPTION |
ORA_ADD_ROLE |
GRANT :ora_role_name TO :ora_user_id_external~ROLE_WITH_ADMIN_OPTION |
ORA_CREATE_EXTERNAL_USER |
CREATE USER :ora_user_id_external IDENTIFIED EXTERNALLY ACCOUNT UNLOCK~TABLESPACE_QUERY~TEMP_TABLESPACE_QUERY~PROFILE_QUERY~DEFAULTTS_QUOTA_QUERY~TEMPTS_QUOTA_QUERY |
ORA_CREATE_GLOBAL_USER |
CREATE USER :ora_user_id IDENTIFIED GLOBALLY AS :ora_global_dn ACCOUNT UNLOCK~TABLESPACE_QUERY~TEMP_TABLESPACE_QUERY~PROFILE_QUERY~DEFAULTTS_QUOTA_QUERY~TEMPTS_QUOTA_QUERY |
ORA_CREATE_USER |
CREATE USER :ora_user_id IDENTIFIED BY :ora_password ACCOUNT UNLOCK~TABLESPACE_QUERY~TEMP_TABLESPACE_QUERY~PROFILE_QUERY~DEFAULTTS_QUOTA_QUERY~TEMPTS_QUOTA_QUERY |
ORA_DELETE_USER |
DROP USER :ora_user_id_external CASCADE |
ORA_DISABLE_USER |
ALTER USER :ora_user_id_external ACCOUNT LOCK |
ORA_ENABLE_USER |
ALTER USER :ora_user_id_external ACCOUNT UNLOCK |
ORA_REVOKE_PRIVILEGE |
REVOKE :ora_privilege_name FROM :ora_user_id_external |
ORA_REVOKE_ROLE |
REVOKE :ora_role_name FROM :ora_user_id_external |
ORA_UPDATE_DEFAULT_TABLESPACE |
ALTER USER :ora_user_id_external DEFAULT TABLESPACE :ora_default_tablespace |
ORA_UPDATE_DEFAULTTS_QUOTA_SIZE |
ALTER USER :ora_user_id_external DEFAULT TABLESPACE :ora_default_tablespace QUOTA :ora_defaultts_quota_size ON :ora_default_tablespace |
ORA_UPDATE_GLOBAL_DN |
ALTER USER :ora_user_id_external IDENTIFIED GLOBALLY AS :ora_global_dn |
ORA_UPDATE_PASSWORD |
ALTER USER :ora_user_id_external IDENTIFIED BY :ora_password |
ORA_UPDATE_PROFILE |
ALTER USER :ora_user_id_external PROFILE :ora_profile |
ORA_UPDATE_TEMP_TABLESPACE |
ALTER USER :ora_user_id_external TEMPORARY TABLESPACE :ora_temp_tablespace |
ORA_UPDATE_TEMPTS_QUOTA_SIZE |
ALTER USER :ora_user_id_external TEMPORARY TABLESPACE :ora_temp_tablespace QUOTA :ora_tempts_quota_size ON :ora_temp_tablespace\ |
ORA_UPDATE_USER_AUTHTYPE_EXTERNALLY |
ALTER USER :ora_user_id_external IDENTIFIED EXTERNALLY |
ORA_UPDATE_USER_AUTHTYPE_GLOBALLY |
ALTER USER :ora_user_id_external IDENTIFIED GLOBALLY AS :ora_global_dn |
PRIVILEGE_WITH_ADMIN_OPTION |
:ora_privilege_admin_option |
PROFILE_QUERY |
PROFILE :ora_profile |
ROLE_WITH_ADMIN_OPTION |
:ora_role_admin_option |
TABLESPACE_QUERY |
DEFAULT TABLESPACE :ora_default_tablespace |
TEMP_TABLESPACE_QUERY |
TEMPORARY TABLESPACE :ora_temp_tablespace |
TEMPTS_QUOTA_QUERY |
QUOTA :ora_tempts_quota_size ON :ora_temp_tablespace |
The Lookup.DBUM.Oracle.TargetRecon.Delete.Mapping lookup definition maps the resource object attribute with the primary key column name used in the reconciliation query. Note that this resource object attribute is the key field for reconciliation matching.
The Lookup.DBUM.Oracle.TargetRecon.Delete.Mapping lookup definition is used during delete user target reconciliation runs.
During a delete user reconciliation run, the resource object attribute that you specify in this lookup definition is used for comparing target system user records with existing target system resource assigned to OIM Users. During this comparison process, if no match is found between the target system user record and the resource provisioned to the OIM User, then the database user resource is revoked from the OIM User.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object attribute, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-62 lists the default entry in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify values of the existing Code Key and Decode values. |
The Lookup.DBUM.Oracle.TargetRecon.Mapping lookup definition maps resource object attribute with column names or column name aliases used in the reconciliation query. This lookup definition is used for performing target resource user reconciliation runs.
In this lookup definition, the Code Key contains the reconciliation attribute of the resource object.
For Code Key columns that store single-valued attributes, the Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column names used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the User Name attribute, which is a single-valued attribute on the resource object. The target system contains USER NAME, which is a column corresponding to the User Name attribute. In addition, the SELECT clause of the ORACLE_TARGET_USER_RECON reconciliation query contains the USER NAME column. Therefore, the mapping is as follows:
Code Key: User Name
Decode: USER NAME
CONSTANT~
CONSTANT_VALUE
In this format, CONSTANT specifies that the data in this column is constant. CONSTANT_VALUE is the value to be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
For example, consider the Password attribute of the resource object. The Decode value of this attribute is set to CONSTANT~Dummy
. This implies that the Password field on the OIM User form displays Dummy for all records reconciled from the target system.
COLUMN_NAME
~
LOOKUP_NAME
In this format, COLUMN_NAME is the target system column name from which value is fetched. LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the corresponding field of the OIM User form.
You use this format if you want values fetched from the target system to be displayed in a format that is accepted by Oracle Identity Manager.
For example, consider the Status attribute of the resource object. This is a single valued attribute. The target system contains ACCOUNT_STATUS, which is a column corresponding to the Status attribute of the resource object. However, we do not map the Status resource object attribute to the ACCOUNT_STATUS column for the following reason:
A user account reconciled from the target system can be in one of the following statuses:
OPEN
LOCKED
EXPRIRED & LOCKED
However, these statuses cannot be displayed in the Status field of the OIM User form. This is because Oracle Identity Manager accepts only one of the following values as the status of a user account:
Active
Disabled
Disabled Until Start Date
Deleted
Therefore, in order to display the status retrieved from the ACCOUNT_STATUS column in a format that is accepted by Oracle Identity Manager, the Status resource object attribute has been mapped to ACCOUNT_STATUS~Lookup.DBUM.TargetRecon.StatusMapping
.
This implies that in the Code Key column of the Lookup.DBUM.TargetRecon.StatusMapping lookup definition, the connector searches for the value that is fetched from the ACCOUNT_STATUS column of the target system. Then, the corresponding Decode value is displayed as the status of the user account in Oracle Identity Manager. This is illustrated by the following example:
Suppose the value fetched from the ACCOUNT_STATUS column for a particular user account on the target system is OPEN. In the Code Key column of the Lookup.DBUM.TargetRecon.StatusMapping lookup definition, the connector searches for the value OPEN. The Decode value of the OPEN Code Key is Enabled. Therefore, in Oracle Identity Manager, the connector displays Enabled as the status of the user account.
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
For Code Key columns that store multivalued attributes, the Decode value is specified in the following format:
CHILD~
MULTIVALUED_ATTR_CONFIG_LOOKUP
In this format:
CHILD specifies that the data in this column is the child attribute data
MULTIVALUED_ATTR_CONFIG_LOOKUP is name of the lookup definition that holds configurable entries for the multivalued attribute.
For example, Role List is a multivalued attribute. The Decode value of the Role List Code Key value is CHILD~Lookup.DBUM.Oracle.TargetRecon.Role.Configuration
. The Lookup.DBUM.Oracle.TargetRecon.Role.Configuration lookup definition contains configurable entries for the Role List attribute.
You can add to or remove entries in the Lookup.DBUM.Oracle.TargetRecon.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for information about adding or modifying entries in this lookup definition.
Table A-63 lists the default entries in the Lookup.DBUM.Oracle.TargetRecon.Mapping lookup definition.
Table A-63 Entries in the Lookup.DBUM.Oracle.TargetRecon.Mapping Lookup Definition
The Lookup.DBUM.Oracle.TargetRecon.Privilege.Configuration lookup definition holds configuration entries related to the Privilege multivalued attribute.
Table A-64 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of existing entries. |
Table A-64 Entries in the Lookup.DBUM.Oracle.TargetRecon.Privilege.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Child Attribute Mapping Lookup |
See Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Privilege.Mapping" for information about this lookup definition. |
|
Child Query Name |
ORACLE_TARGET_USER_PRIVILEGE |
Name of the query in the reconciliation query file that you want to run for reconciling data about the child attribute. |
Child Reconciliation Query Filter Lookup |
Name of the lookup definition that contains information about reconciliation filter parameters for the child attribute. See Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Privilege.QueryFilter" for more information about this lookup definition. |
|
Parent Attribute |
USERNAME |
Primary key column of the query used for running target resource user reconciliation. |
The Lookup.DBUM.Oracle.TargetRecon.Privilege.Mapping lookup definition maps the attributes of the Privilege multivalued attribute on the resource object with column names used in the ORACLE_TARGET_USER_PRIVILEGE reconciliation query. This lookup definition is used to retrieve data about the Privilege attribute during target resource reconciliation.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Attribute name of the multivalued attribute
Decode: The value can be specified in one of the following formats:
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
COL_NAME
This is the column name used in the reconciliation query corresponding to the value in the code key column.
If you want to add or modify the entries in this lookup definition, then you must specify values in the format described in this section.
Table A-65 lists the default entries in this lookup definition.
The Lookup.DBUM.Oracle.TargetRecon.Privilege.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the ORACLE_TARGET_USER_PRIVILEGE query.
The Lookup.DBUM.Oracle.TargetRecon.Privilege.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.Oracle.TargetRecon.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the ORACLE_TARGET_USER_RECON query for target resource reconciliation.
The Lookup.DBUM.MSSQL.TargetRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.Oracle.TargetRecon.Role.Configuration lookup definition holds configuration entries related to the Role multivalued field.
Table A-66 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of the existing entries. |
Table A-66 Entries in the Lookup.DBUM.Oracle.TargetRecon.Role.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Child Attribute Mapping Lookup |
See Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Role.Mapping" for information about this lookup definition. |
|
Child Query Name |
ORACLE_TARGET_USER_ROLE |
Name of the query in the reconciliation query file that you want to run for reconciling data about the child attribute. |
Child Reconciliation Query Filter Lookup |
Name of the lookup definition that contains information about reconciliation filter parameters for the child attribute. See Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Role.QueryFilter" for more information about this lookup definition. |
|
Parent Attribute |
USERNAME |
Primary key column of the query used for running target resource user reconciliation. |
The Lookup.DBUM.Oracle.TargetRecon.Role.Mapping lookup definition maps attributes of the Role multivalued attribute on the resource object with column names used in the ORACLE_TARGET_USER_ROLE reconciliation query. This lookup definition is used to retrieve data about the Role attribute during target resource reconciliation.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Attribute name of the multivalued attribute
Decode: The value can be specified in one of the following formats:
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if process form field corresponding to the Code Key value is a lookup type field.
COL_NAME
This is the column name used in the reconciliation query corresponding to the value in the code key column.
If you want to add or modify the entries in this lookup definition, then you must specify values in the format described in this section.
If you want to add or modify entries in this lookup definition, then you must enter values in the format specified in the preceding paragraph.
Table A-67 lists the default entries in this lookup definition.
The Lookup.DBUM.Oracle.TargetRecon.Role.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the ORACLE_TARGET_USER_ROLE query.
The Lookup.DBUM.Oracle.TargetRecon.Role.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.Oracle.TargetRecon.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.Oracle.TargetRecon.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.Oracle.TargetRecon.Validation lookup definition is used to configure validation of attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.Oracle.TargetRecon.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
During a provisioning operation, you use the Lookup.DBUM.Oracle.WithAdminOption lookup definition to specify whether the target system user record being created has administrative options on the role or privilege being grant to the user record.
Note: You cannot add or modify entries in this lookup definition. |
Table A-68 lists the default entry in this lookup definition.
The Lookup.DBUM.Oracle.TrustedRecon.Configuration lookup definition holds connector configuration entries that are used during trusted source reconciliation.
Table A-69 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of the existing entries. |
Table A-69 Entries in the Lookup.DBUM.Oracle.TrustedRecon.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMQueryReconciliationImpl |
Name of the class that implements the logic for trusted source reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
DROP ~DROP\t~INSERT ~INSERT\t~ALTER ~ALTER\t~CREATE ~CREATE\t~DELETE ~DELETE\t~UPDATE ~UPDATE\t~TRUNCATE ~TRUNCATE\t~EXEC ~EXEC\t~/*~--~; |
List of SQL keywords (separated by a tilde (~) character) that modify or can be used to modify data in the database. The connector does not run a query (used for trusted source reconciliation) that contains any of the keywords listed in the Decode column. You can add to or remove from the list of SQL keywords. See Section 3.1.2, "Setting Up the Configuration Lookup Definition for a Trusted Source" for information about setting a value for this entry. |
Resource Exclusion List Lookup |
See Appendix A, "Lookup.DBUM.Oracle.TrustedRecon.ExclusionList" for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
Name of the class that implements the logic for deriving the status of a target system user account. You must enter a value for this entry only if your target system does not contain a column from which you can retrieve the status of a target system account. In Oracle Database, the ACCOUNT_STATUS column holds the status of the user in the target system. Therefore, do not enter any value for this entry. |
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. Note: Do not change the value of this entry. |
The Lookup.DBUM.Oracle.TrustedRecon.Delete.Mapping lookup definition maps the resource object field with the primary key column name used in the reconciliation query (for retrieving all users from the target system). Note that this resource object field is the key field for reconciliation matching.
The Lookup.DBUM.Oracle.TrustedRecon.Delete.Mapping lookup definition is used during delete user trusted reconciliation runs.
During a delete user reconciliation run, the resource object field that you specify in this lookup definition is used for comparing target system user records with existing OIM Users. During the comparison process, if no match is found between the target system user record and OIM User, then the OIM User is deleted.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object field, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-70 lists the default entry in this lookup definition.
Note: You cannot add entries to this lookup definition. You modify the entry in this lookup definition if you change the key field for reconciliation matching on the resource object. |
The Lookup.DBUM.Oracle.TrustedRecon.ExclusionList lookup definition holds user attributes of target system accounts that must not be reconciled during trusted source reconciliation.
The following is the format of the Code Key and Decode values for this lookup definition:
Code Key: Resource object attribute name
Decode: Resource object attribute values separated by the tilde (~) character
Table A-71 lists the default entry in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
The Lookup.DBUM.Oracle.TrustedRecon.Mapping lookup definition maps the fields of the OIM User form with corresponding column names used in the reconciliation query. This lookup definition is used for performing trusted source reconciliation.
In this lookup definition, the Code Key contains names of the fields on the OIM User form. The Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column name used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the User Login attribute on the resource object. The target system contains USERNAME, which is a column corresponding to the User Login attribute. In addition, the SELECT clause of the ORACLE_TRUSTED_USER_RECON reconciliation query contains the USERNAME column. Therefore, the mapping is as follows:
Code Key: User Login
Decode: USERNAME
CONSTANT~
CONSTANT_VALUE
In this format:
CONSTANT specifies that the data in this column is constant.
CONSTANT_VALUE is the value to be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
For example, the Employee Type field is a mandatory field on the OIM User form. However, on the target system, there is no information about the employee type for a user account. During reconciliation, as the Employee Type field cannot be left empty, you must specify a value for this field. Therefore, the Decode value of the Employee Type Code Key has been set to CONSTANT~Full-Time
. This implies that the value of the Employee Type field on the OIM User form displays Full-Time for all user accounts reconciled from the target system.
By default, in this lookup definition, the Decode values for the Employee Type, Organization, and User Type Code Key columns have been set to constant values Full-Time, Xellerate Users, and End-User, respectively. However, depending on your requirement, you can change these values to one of the following:
For the Employee Type Code Key, you can set one of the following constant values:
Full-Time
Part-Time
Temp
Intern
Consultant
For the Organization Code Key, you can set one of the following constant values:
Xellerate Users
Requests
For the User Type Code Key, you can set one of the following constant values:
End-User
End-User Administrator
COLUMN_NAME
~
LOOKUP_NAME
In this format:
COLUMN_NAME is the target system column name from which value is fetched.
LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the OIM User form field.
You use this format if you want values fetched from the target system to be displayed in a format that is accepted by Oracle Identity Manager.
For example, consider the Status attribute of the resource object. The target system contains ACCOUNT_STATUS, which is a column corresponding to the Status attribute of the resource object. However, we do not map the Status attribute to the ACCOUNT_STATUS column for the following reason:
A user account reconciled from the target system can be in one of the following statuses:
OPEN
LOCKED
EXPRIRED & LOCKED
However, these statuses cannot be displayed in the Status field of the OIM User form. This is because Oracle Identity Manager accepts only one of the following values as the status of a user account:
Active
Disabled
Disabled Until Start Date
Deleted
Therefore, in order to display the status retrieved from the ACCOUNT_STATUS column in a format that is accepted by Oracle Identity Manager, the Status resource object attribute has been mapped to ACCOUNT_STATUS~Lookup.DBUM.TrustedRecon.StatusMapping
.
This implies that in the Code Key column of the Lookup.DBUM.TrustedRecon.StatusMapping lookup definition, the connector searches for the value that is fetched from the ACCOUNT_STATUS column of the target system. Then, the corresponding Decode value is displayed as the status of the user account in Oracle Identity Manager. This is illustrated by the following example:
Suppose the value fetched from the ACCOUNT_STATUS column for a particular user account on the target system is OPEN. In the Code Key column of the Lookup.DBUM.TrustedRecon.StatusMapping lookup definition, the connector searches for the value OPEN. The Decode value of the OPEN Code Key is Active. Therefore, in Oracle Identity Manager, the connector displays Active as the status of the user account.
You can add to or remove entries in the Lookup.DBUM.Oracle.TrustedRecon.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for information about adding or modifying entries in this lookup definition.
Table A-72 lists the default entries in this lookup definition.
The Lookup.DBUM.Oracle.TrustedRecon.QueryFilter lookup definition is used for configuring limited reconciliation if your target system is configured as a trusted source. This lookup definition holds information about the filter parameters that you want to use while running the SQL query for trusted source reconciliation.
The Lookup.DBUM.Oracle.TrustedRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.Oracle.TrustedRecon.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.Oracle.TrustedRecon.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.Oracle.TrustedRecon.Validation lookup definition is used to configure validation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.Oracle.TrustedRecon.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
This section provides information about the following lookup definitions:
Appendix A, "Lookup.DBUM.Sybase.TargetRecon.Delete.Login.Mapping"
Appendix A, "Lookup.DBUM.Sybase.TargetRecon.Delete.User.Mapping"
Appendix A, "Lookup.DBUM.Sybase.TargetRecon.Login.Transformation"
Appendix A, "Lookup.DBUM.Sybase.TargetRecon.Login.Validation"
Appendix A, "Lookup.DBUM.Sybase.TargetRecon.User.Transformation"
Appendix A, "Lookup.DBUM.Sybase.TargetRecon.User.Validation"
Appendix A, "Lookup.DBUM.Sybase.TrustedRecon.Delete.Mapping"
Appendix A, "Lookup.DBUM.Sybase.TrustedRecon.Transformation"
The Lookup.DBUM.Sybase.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of the existing entries. |
Table A-73 lists the default entries in this lookup definition.
Table A-73 Entries in the Lookup.DBUM.Sybase.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Error Mapping Lookup |
See Appendix A, "Lookup.DBUM.MSSQL.Error.Mapping" for information about this lookup definition. |
|
Parameter Configuration Lookup |
See Appendix A, "Lookup.DBUM.MSSQL.Parameter.Configuration" for information about this lookup definition. |
|
Provisioning Validation Lookup |
See Appendix A, "Lookup.DBUM.MSSQL.Provisioning.Validation" for information about this lookup definition. |
|
Query Configuration Lookup |
See Appendix A, "Lookup.DBUM.MSSQL.Query.Configuration" for information about this lookup definition. |
|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMSybaseReconciliationImpl |
Name of the class that implements the logic for target resource reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
NODATA |
Enter the SQL keywords (separated by a tilde (~) character) that must not be used in the reconciliation query. The connector does not run a query (used for target resource reconciliation) that contains any of the keywords listed in the Decode column. |
Reserved Words List |
NODATA |
List of reserve words that are not supported in the OIM User process form fields during provisioning operations. |
Resource Exclusion Column Key |
UD_DB_SYB_L_LOGIN |
Name of the process form field that is excluded during provisioning operations. |
Resource Exclusion List Lookup |
See for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
You must enter a value for this entry only if your target system does not contain a column from which you can retrieve the status of a target system account. In Microsoft SQL server, the is_disabled column holds the status of the target system account. Therefore, do not enter any value for this entry. |
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Unsupported Special Characters |
NODATA |
Enter the list of special characters that are not supported in the process form fields during provisioning operations. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. Note: Do not change the value of this entry. |
Use Validation For Provisioning |
Yes |
Specifies whether you want to enable validation of user attributes during provisioning operations. See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about configuring data validation during provisioning operations. |
The Lookup.DBUM.Sybase.Error.Mapping lookup definition maps error codes displayed by the database with error messages to be displayed on the OIM User form during provisioning operations.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: SQL error code returned by the database
Decode: Corresponding error message to be displayed on the OIM User process form
If you want to add or modify entries in this lookup definition, then specify the values in the format specified in the preceding paragraph.
Table A-74 lists the default entries in this lookup definition.
The Lookup.DBUM.Sybase.ExclusionList lookup definition holds user attributes of the target system accounts for which you do not want to perform target resource reconciliation and provisioning.
For target system accounts on which you do not want to perform provisioning operations, the following is the format of the Code Key and Decode values:
Code Key: Name of the process form field
Decode: Process form field values separated by the tilde (~) character
For target system accounts that must not be reconciled during a target resource reconciliation run, the following is the format of the Code Key and Decode values:
Code Key: Resource object attribute name
Decode: Resource object attribute values separated by the tilde (~) character
Table A-28 lists the default entry in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
The Lookup.DBUM.Sybase.Parameter.Configuration lookup definition maps identifiers of stored procedures and SQL statements (defined in the Lookup.DBUM.Sybase.Query.Configuration lookup definition) with names of the process form fields.
This connector uses stored procedures and SQL statements to perform provisioning operations. The data that you enter on the process form while performing provisioning operations are stored in the corresponding process form fields in the Design Console. The process form field is mapped to the identifiers of stored procedures or SQL statements that are defined in the Lookup.DBUM.Sybase.Query.Configuration lookup definition.
See Also: Appendix A, "Lookup.DBUM.Sybase.Query.Configuration" for more information about the Lookup.DBUM.Sybase.Query.Configuration lookup definition |
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Identifier in the stored procedure or SQL statement used for provisioning operations
Decode: Combination of the following elements separated by the tilde (~) character:
PF_FIELD_NAME~PF_DATA_TYPE~PARAMETER_TYPE~QUOTE_TYPE~EXCLUDE_VALIDATION~UPPERCASE
In this format:
PF_FIELD_NAME is process form field name
PF_DATA_TYPE is process form field data type
PARAMETER_TYPE specifies whether the value in the process form field is of type input of output.
If the value in the process form field is used as an input parameter, for example, as an input to a variable in the SQL statement, then use IN. Otherwise, use OUT.
QUOTE_TYPE specifies whether the value from the process form field that is passed to the SQL statement must be enclosed in a single quotation mark or double quotation mark. The QUOTE_TYPE element is optional.
If you want to enclose the value in single quotation marks, then use SINGLE_QUOTE. If you want to enclose the value in double quotation marks, then use DOUBLE_QUOTE.
EXCLUDE_VALIDATION is an optional element. It is used in the following scenario:
Suppose you specify values for the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.Sybase.Configuration lookup definition. During provisioning operations, the connector checks whether the OIM User process form fields contain any of the values specified in the Reserved Words List or Unsupported Special Characters entries. If such values are found, then no provisioning operations are performed on that record. If you do not want the connector to perform this check on a particular field on the OIM User process form, then include EXCLUDE_VALIDATION along with the name of that process form field.
For example, the UD_DB_SYB_R_ROLE~varchar2~IN~EXCLUDE_VALIDATION Decode values specifies that during a particular provisioning operation, the connector does not check whether the Role field contains any of the values specified in the Reserved Words List or Unsupported Special Characters entries of the Lookup.DBUM.Sybase.Configuration lookup definition.
UPPERCASE element is an optional element. You use this element if you want to save on the target system the value entered in the process form field in upper case
Table A-76 lists the default entries in this lookup definition.
Table A-76 Entries in the Lookup.DBUM.Sybase.Parameter.Configuration Lookup Definition
Code Key | Decode |
---|---|
syb_defdb |
UD_DB_SYB_L_DEFDB~varchar2~IN~EXCLUDE_VALIDATION |
syb_deflang |
UD_DB_SYB_L_DEFAULTLANG~varchar2~IN~EXCLUDE_VALIDATION |
syb_fullname |
UD_DB_SYB_L_FULLNAME~varchar2~IN |
syb_group |
UD_DB_SYB_U_DBGROUP~varchar2~IN~EXCLUDE_VALIDATION |
syb_login |
UD_DB_SYB_L_LOGIN~varchar2~IN |
syb_old_pass |
UD_DB_SYB_L_OLD_PASSWORD~varchar2~IN |
syb_pass |
UD_DB_SYB_L_PASSWORD~varchar2~IN |
syb_role |
UD_DB_SYB_R_ROLE~varchar2~IN~EXCLUDE_VALIDATION |
syb_user_id |
UD_DB_SYB_U_USERNAME~varchar2~IN |
syb_user_login |
UD_DB_SYB_U_LOGINNAME~varchar2~IN |
The Lookup.DBUM.Sybase.Provisioning.Validation lookup definition is used to store the mapping between the attribute for which validation has to be applied and the validation implementation class.
The Lookup.DBUM.Sybase.Provisioning.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
As mentioned in one of the sections in this chapter, this connector uses stored procedures and SQL statements to perform provisioning operations.
The Lookup.DBUM.Sybase.Query.Configuration lookup definition contains stored procedures and SQL statements that are used to perform provisioning operations.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the stored procedure or SQL statement
Decode: Corresponding stored procedure or SQL statement
Depending on the provisioning operations that you are performing, adapters run the appropriate stored procedures or SQL statements on the target system.
Table A-77 lists the default entries in this lookup definition.
Table A-77 Entries in the Lookup.DBUM.Sybase.Query.Configuration Lookup Definition
Code Key | Decode |
---|---|
SYB_ADD_ROLE |
{CALL sp_role('grant',:syb_role,:syb_login)} |
SYB_CREATE_LOGIN |
{CALL sp_addlogin(:syb_login,:syb_pass,:syb_defdb,:syb_deflang,:syb_fullname)} |
SYB_CREATE_USER |
{CALL sp_adduser(:syb_user_login,:syb_user_id,:syb_group)} |
SYB_DELETE_LOGIN |
{CALL sp_droplogin(:syb_login)} |
SYB_DELETE_USER |
{CALL sp_dropuser(:syb_user_id)} |
SYB_DISABLE_LOGIN |
{CALL sp_locklogin(:syb_login,'lock')} |
SYB_ENABLE_LOGIN |
{CALL sp_locklogin(:syb_login,'unlock')} |
SYB_REVOKE_ROLE |
{CALL sp_role('revoke',:syb_role,:syb_login)} |
SYB_UPDATE_DEFDB |
{CALL sp_modifylogin(:syb_login,'defdb',:syb_defdb)} |
SYB_UPDATE_DEFLANG |
{CALL sp_modifylogin(:syb_login,'deflanguage',:syb_deflang)} |
SYB_UPDATE_FULLNAME |
{CALL sp_modifylogin(:syb_login,'fullname',:syb_fullname)} |
SYB_UPDATE_GROUP |
{CALL sp_changegroup(:syb_group,:syb_user_id)} |
SYB_UPDATE_LOGIN_PASSWORD |
{CALL sp_password(:syb_old_pass,:syb_pass,:syb_login)} |
SYB_GET_USER |
select u.name from sysusers u, sysusers g, master.dbo.syslogins m where u.name=:syb_user_id and u.suid *= m.suid and u.gid *= g.uid and ((u.uid < @@mingroupid and u.uid != 0) or (u.uid > @@maxgroupid)) |
SYB_GET_LOGIN |
select name from master.dbo.syslogins where name=:syb_login |
The Lookup.DBUM.Sybase.TargetRecon.Delete.Login.Mapping lookup definition maps the resource object field with the primary key column name used in the reconciliation query. Note that this resource object field is the key field for reconciliation matching.
The Lookup.DBUM.Sybase.TargetRecon.Delete.Login.Mapping lookup definition is used during delete login target reconciliation runs.
During a delete login reconciliation run, the resource object field that you specify in this lookup definition is used for comparing target system login entity records with existing target system resource assigned to OIM Users. During this comparison process, if no match is found between the target system login entity record and the resource provisioned to the OIM User, then the database user resource is revoked from the OIM User.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object field, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-78 lists the default entry in this lookup definition.
The Lookup.DBUM.Sybase.TargetRecon.Delete.User.Mapping lookup definition maps the resource object field with the primary key column name used in the reconciliation query. Note that this resource object field is the key field for reconciliation matching.
The Lookup.DBUM.Sybase.TargetRecon.Delete.User.Mapping lookup definition is used during delete user target reconciliation runs.
During a delete user reconciliation run, the resource object field that you specify in this lookup definition is used for comparing target system user entity records with existing target system resource assigned to OIM Users. During this comparison process, if no match is found between the target system user entity record and the resource provisioned to the OIM User, then the database user resource is revoked from the OIM User.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object field, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete user reconciliation
Table A-79 lists the default entry in this lookup definition.
The Lookup.DBUM.Sybase.TargetRecon.Login.Mapping lookup definition maps resource object fields with column names used in the stored procedure or SQL query for reconciliation. This lookup definition is used for performing target resource login reconciliation runs.
In this lookup definition, the Code Key contains the reconciliation field of the resource object.
For Code Key columns that store single-valued attributes, the Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column names used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the Login Name attribute, which is a single-valued attribute on the resource object. The target system contains Loginname, which is a column corresponding to the Login Name attribute. Therefore, the mapping is as follows:
Code Key: Login Name
Decode: Loginname
CONSTANT~
CONSTANT_VALUE
In this format, CONSTANT specifies that the data in this column is constant. CONSTANT_VALUE is value that you want to be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
For example, consider the Password attribute of the resource object. The Decode value of this attribute is set to CONSTANT~Dummy
. This implies that the Password field on the OIM User form displays Dummy for all records reconciled from the target system.
COLUMN_NAME
~
LOOKUP_NAME
In this format, COLUMN_NAME is the target system column name from which value is fetched. LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the OIM User form field.
You use this format if you want values fetched from the target system to be displayed in a format that is accepted by Oracle Identity Manager.
For example, consider the Status attribute of the resource object. This is a single-valued attribute. The target system contains Locked, which is a column corresponding to the Status attribute of the resource object. However, we do not map the Status resource object attribute to the Locked column for the following reason:
The status of an account in the target system can be reconciled from the Locked column, which can contain only the following values:
YES
NO
However, these statuses cannot be displayed in the Status field of the OIM User form. This is because Oracle Identity Manager accepts only one of the following values as the status of a user account:
Active
Disabled
Disabled Until Start Date
Deleted
Therefore, in order to display the status retrieved from the Locked column in a format that is accepted by Oracle Identity Manager, the Status resource object attribute has been mapped to Locked~Lookup.DBUM.TargetRecon.StatusMapping
.
This implies that in the Code Key column of the Lookup.DBUM.TargetRecon.StatusMapping lookup definition, the connector searches for the value that is fetched from the Locked column of the target system. Then, the corresponding Decode value is displayed as the status of the user account in Oracle Identity Manager. This is illustrated by the following example:
Suppose the value fetched from the Locked column for a particular user account on the target system is NO. In the Code Key column of the Lookup.DBUM.TargetRecon.StatusMapping lookup definition, the connector searches for the value NO. The Decode value of the No Code Key is Enabled. Therefore, in Oracle Identity Manager, the connector displays Enabled as the status of the user account.
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
For Code Key columns that store multivalued attributes, the Decode value is specified in one of the following formats:
CHILD~
MULTIVALUED_ATTR_CONFIG_LOOKUP
In this format:
CHILD specifies that the data in this column is the child attribute data
MULTIVALUED_ATTR_CONFIG_LOOKUP is name of the lookup definition that holds configurable entries for the multivalued attribute.
For example, Role List is a multivalued attribute. The Decode value of the Role List Code Key value is CHILD~Lookup.DBUM.Sybase.TargetRecon.Role.Mapping
.
You can add to or remove entries in the Lookup.DBUM.Oracle.TargetRecon.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for information about adding or modifying entries in this lookup definition.
Table A-80 lists the default entries in this lookup definition, and the descriptions for some of the lookup entries.
Table A-80 Entries in the Lookup.DBUM.Sybase.TargetRecon.Login.Mapping Lookup Definition
Code Key | Decode |
---|---|
Default Database Name |
Lookup~Default Database |
Default Language |
Lookup~Default Language |
Full Name |
Fullname |
Login Name |
Loginame |
Password |
CONSTANT~Dummy |
Role List |
|
Status |
Locked~Lookup.DBUM.TargetRecon.StatusMapping |
The Lookup.DBUM.Sybase.TargetRecon.Login.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during target resource reconciliation of login entities.
The Lookup.DBUM.Sybase.TargetRecon.Login.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.Sybase.TargetRecon.Login.Validation lookup definition is used to configure validation of login entity attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.Sybase.TargetRecon.Login.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
The Lookup.DBUM.Sybase.TargetRecon.QueryFilter lookup definition holds information about the filter parameters that you want to use while running the SQL query for target resource reconciliation.
The Lookup.DBUM.Sybase.TargetRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.Sybase.TargetRecon.Role.Mapping lookup definition holds mapping between the Role multivalued attribute and the corresponding column name used in the stored procedure for target resource reconciliation.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Attribute name of the multivalued attribute
Decode: The value can be specified in one of the following formats:
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
COL_NAME
This is the column name used in the reconciliation query corresponding to the value in the code key column.
If you want to add or modify the entries in this lookup definition, then you must specify values in the format described in this section.
Table A-81 lists the default entry in this lookup definition.
The Lookup.DBUM.Sybase.TargetRecon.User.Mapping lookup definition maps resource object fields with column names used in the stored procedure or SQL query for reconciliation. This lookup definition is used for performing target resource user reconciliation runs.
In this lookup definition, the Code Key contains the reconciliation field of the resource object.
For Code Key columns that store single-valued attributes, the Decode value can be one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column names used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute that you added.
CONSTANT~
CONSTANT_VALUE
In this format, CONSTANT specifies that the data in this column is constant. CONSTANT_VALUE is value to be displayed in the corresponding OIM User form field in the Administrative and User Console.
You use this format if you want to display in a particular process form field, a constant value for all records.
COLUMN_NAME
~
LOOKUP_NAME
In this format, COLUMN_NAME is the target system column name from which value is fetched. LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values that must be displayed in the process form field.
You use this format if you want to specify the format in which values fetched from the target system must be displayed in the process form field. By default, this lookup definition does not contain entries in this format. See Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Mapping" for an example on using this format.
LOOKUP~
COL_NAME
In this format:
LOOKUP specifies that the data retrieved from the target system is lookup data.
COL_NAME is the corresponding column name or column name alias used in the reconciliation query
You use this format if the process form field corresponding to the Code Key value is a lookup type field.
For Code Key columns that store multivalued attributes, the Decode value is specified in the following format:
CHILD~
MULTIVALUED_ATTR_CONFIG_LOOKUP
In this format:
CHILD specifies that the data in this column is the child attribute data
MULTIVALUED_ATTR_CONFIG_LOOKUP is name of the lookup definition that holds configurable entries for the multivalued attribute.
By default, this lookup definition does not contain entries in this format. See Appendix A, "Lookup.DBUM.Oracle.TargetRecon.Mapping" for an example an using this format.
Table A-82 lists the default entries in this lookup definition.
The Lookup.DBUM.Sybase.TargetRecon.User.Transformation lookup definition is used to configure transformation of user entity attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.Sybase.TargetRecon.User.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.Sybase.TargetRecon.User.Validation lookup definition is used to configure validation of user entity attribute values that are fetched from the target system during target resource reconciliation.
The Lookup.DBUM.Sybase.TargetRecon.User.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
The Lookup.DBUM.Sybase.TrustedRecon.Configuration lookup definition holds connector configuration entries that are used during trusted source reconciliation.
Table A-83 lists the default entries in this lookup definition.
Note: You cannot add entries to this lookup definition. However, you can modify the Decode values of the existing entries. |
Table A-83 Entries in the Lookup.DBUM.Sybase.TrustedRecon.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Reconciliation Class Name |
oracle.iam.connectors.dbum.tasks.impl.DBUMSybaseReconciliationImpl |
Name of the class that implements the logic for trusted source reconciliation. |
Reconciliation Query Property File |
Enter a value |
Enter the full path and name of the file containing queries that must be run during reconciliation. |
Reconciliation SQL Injection Keywords |
NODATA |
Enter the list of SQL keywords (separated by the tilde (~) character) that must not be used in the reconciliation query. The connector does not run a query (used for trusted source reconciliation) that contains any of the keywords listed in the Decode column. |
Resource Exclusion List Lookup |
See Appendix A, "Lookup.DBUM.Sybase.TrustedRecon.ExclusionList" for more information about this lookup definition. |
|
Status Reconciliation Class Name |
NODATA |
You must enter a value for this entry only if your target system does not contain a column from which you can retrieve the status of a target system account. In Sybase, the Locked column holds the status of the target system account. Therefore, do not enter any value for this entry. |
Target Date Format |
NODATA |
Enter the format in which date values are stored on the target system. |
Use Status Reconciliation |
No |
Specifies whether you wan to run reconciliation for the status of a target system user account. Note: Do not change the value of this entry. |
The Lookup.DBUM.Sybase.TrustedRecon.Delete.Mapping lookup definition maps the resource object field with the primary key column name used in the reconciliation query (for retrieving all login entities from the target system). Note that this resource object field is the key field for reconciliation matching.
The Lookup.DBUM.Sybase.TrustedRecon.Delete.Mapping lookup definition is used during delete login trusted reconciliation runs.
During a delete login reconciliation run, the resource object field that you specify in this lookup definition is used for comparing target system accounts with existing OIM Users. During this comparison process, if no match is found between the target system account and OIM User, then the OIM User is deleted.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the resource object field, which is the key field for reconciliation matching
Decode: Primary key column name used in the reconciliation query for performing delete login reconciliation
Table A-84 lists the default entry in this lookup definition.
The Lookup.DBUM.Sybase.TrustedRecon.ExclusionList lookup definition holds user attributes of target system accounts that must not be reconciled during trusted source reconciliation.
The following is the format of the Code Key and Decode values for this lookup definition:
Code Key: Resource object field name
Decode: Resource object field values separated by the tilde (~) character
Table A-39 lists the default entry in this lookup definition.
See Also: Section 3.1.3, "Setting Up the ExclusionList Lookup Definition" for information about adding or modifying entries in this lookup definition |
The Lookup.DBUM.Sybase.TrustedRecon.Mapping lookup definition maps the fields of the OIM User form with corresponding column names used in the reconciliation query. This lookup definition is used for performing trusted source reconciliation.
In this lookup definition, the Code Key contains names of the fields on the OIM User form. The Decode value can be in one of the following formats:
COL_NAME
or COL_NAME_ALIAS
In this format, COL_NAME is the target system column name used in the reconciliation query. COL_NAME_ALIAS is the alias of the target system column name used in the reconciliation query.
You use this format if the target system contains a column corresponding to the resource object attribute.
For example, consider the User Login attribute on the resource object. The target system contains Loginname, which is a column corresponding to the User Login attribute. Therefore, the mapping is as follows:
Code Key: User Login
Decode: Loginname
CONSTANT~
CONSTANT_VALUE
In this format:
CONSTANT specifies that the data in this column is constant.
CONSTANT_VALUE is the value that must be displayed in the corresponding field of the OIM User form in the Administrative and User Console.
You use this format if you want to set a constant value for a particular field on the OIM User form.
For example, the Employee Type field is a mandatory field on the OIM User form. However, on the target system, there is no information about the employee type for a user account. During reconciliation, as the Employee Type field cannot be left empty, you must specify a value for this field. Therefore, the Decode value of the Employee Type Code Key has been set to CONSTANT~Full-Time
. This implies that the value of the Employee Type field on the OIM User form displays Full-Time for all user accounts reconciled from the target system.
By default, in this lookup definition, the Decode values for the Employee Type, Organization, and User Type Code Key columns have been set to constant values Full-Time, Xellerate Users, and End-User, respectively. However, depending on your requirement, you can change these values to one of the following:
For the Employee Type Code Key, you can set one of the following constant values:
Full-Time
Part-Time
Temp
Intern
Consultant
For the Organization Code Key, you can set one of the following constant values:
Xellerate Users
Requests
For the User Type Code Key, you can set one of the following constant values:
End-User
End-User Administrator
COLUMN_NAME
~
LOOKUP_NAME
In this format:
COLUMN_NAME is the target system column name from which value is fetched.
LOOKUP_NAME is the name of the lookup definition that maps values fetched from the target system with values to be displayed in the OIM User form field.
You use this format if you want values fetched from the target system to be displayed in a format that is accepted by Oracle Identity Manager.
For example, consider the Status attribute of the resource object. The target system contains Locked, which is a column corresponding to the Status attribute of the resource object. However, we do not map the Status attribute to the Locked column for the following reason:
The status of an account in the target system can be reconciled from the Locked column, which can contain only the following values:
YES
NO
However, these statuses cannot be displayed in the Status field of the OIM User form. This is because Oracle Identity Manager accepts only one of the following values as the status of a user account:
Active
Disabled
Disabled Until Start Date
Deleted
Therefore, in order to display the status retrieved from the Locked column in a format that is accepted by Oracle Identity Manager, the Status resource object attribute has been mapped to Locked~Lookup.DBUM.TrustedRecon.StatusMapping
.
This implies that in the Code Key column of the Lookup.DBUM.TrustedRecon.StatusMapping lookup definition, the connector searches for the value that is fetched from the Locked column of the target system. Then, the corresponding Decode value is displayed as the status of the user account in Oracle Identity Manager. This is illustrated by the following example:
Suppose the value fetched from the Locked column for a particular user account on the target system is YES. In the Code Key column of the Lookup.DBUM.TrustedRecon.StatusMapping lookup definition, the connector searches for the value YES. The Decode value of the YES Code Key is Disabled. Therefore, in Oracle Identity Manager, the connector displays Disabled as the status of the user account.
You can add to or remove entries in the Lookup.DBUM.Oracle.TrustedRecon.Mapping lookup definition. See Section 4.2, "Adding or Removing Attributes for Reconciliation" for information about adding or modifying entries in this lookup definition.
Table A-86 lists the default entries in this lookup definition.
The Lookup.DBUM.Sybase.TrustedRecon.QueryFilter lookup definition is used for configuring limited reconciliation if your target system is configured as a trusted source. This lookup definition holds information about the filter parameters that you want to use while running the SQL query or stored procedure for trusted source reconciliation.
The Lookup.DBUM.Sybase.TargetRecon.QueryFilter lookup definition is empty by default.
See Section 3.4.4.2, "Adding a Filter Parameter in the Reconciliation Query" for information about adding entries to this lookup definition.
The Lookup.DBUM.Sybase.TrustedRecon.Transformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.Sybase.TrustedRecon.Transformation lookup definition is empty by default.
See Section 4.9, "Configuring Transformation of Data During Reconciliation" for information about adding entries to this lookup definition.
The Lookup.DBUM.Sybase.TrustedRecon.Validation lookup definition is used to configure validation of attribute values that are fetched from the target system during trusted source reconciliation.
The Lookup.DBUM.Sybase.TrustedRecon.Validation lookup definition is empty by default.
See Section 4.8, "Configuring Validation of Data During Reconciliation and Provisioning" for information about adding entries to this lookup definition.
This section discusses the following lookup definitions that are common to all target systems:
The Lookup.DBUM.TargetRecon.StatusMapping lookup definition maps statuses of users accounts in the target system with the corresponding statuses to be displayed in the Status field of the OIM User form. This lookup definition is used for target system configured as a target resource.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Status of the user account fetched from the target system
Decode: Corresponding status to be displayed in the Status field of the OIM User form
If you want to add or modify entries in this lookup definition, then you must specify entries in the format described in this section.
Table A-87 lists the default entries in this lookup definition.
The Lookup.DBUM.TrustedRecon.StatusMapping lookup definition maps statuses of users accounts in the target system with the corresponding statuses to be displayed in the Status field of the OIM User form. This lookup definition is used for target system configured as a trusted source.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Status of the user account fetched from the target system
Decode: Corresponding status to be displayed in the Status field of the OIM User form
If you want to add or modify entries in this lookup definition, then you must specify entries in the format described in this section.
Table A-88 lists the default entries in this lookup definition.