4 Extending the Functionality of the Connector

This chapter discusses the following optional procedures:

• Section 4.1, "Adding New Attributes for Provisioning"

• Section 4.2, "Enabling Update on a New Attribute for Provisioning"

• Section 4.3, "Adding New Attributes for Reconciliation"

• Section 4.4, "Adding New ID Types for Provisioning"

• Section 4.5, "Enabling Update on a New ID Type for Provisioning"

• Section 4.6, "Adding New ID Type for Reconciliation"

• Section 4.7, "Configuring Validation of Data During Reconciliation"

• Section 4.8, "Configuring Transformation of Data During Reconciliation"

• Section 4.9, "Configuring Validation of Data During Provisioning"

• Section 4.10, "Modifying Field Lengths on the Process Form"

• Section 4.11, "Configuring the Connector for Multiple Installations of the Target System"

• Section 4.12, "Enabling the Dependent Lookup Fields Feature"

4.1 Adding New Attributes for Provisioning

You can configure a new attribute for provisioning, in addition to those provided by default.

Note: If you do not want to add new attributes for provisioning, then you can ignore this section.

To add a new attribute for provisioning:

Note: Only those attributes that have their corresponding SET APIs in IUserProfile.class in the peoplesoft.jar file can be provisioned. For example, to provision the Worklist attribute, the peoplesoft.jar file must also contain the setWorklistUser (String s) API. The data type of the argument in setWorklistUser (String s) must be the same or compatible with the data type of the corresponding Worklist field in Oracle Identity Manager.

1. Add a new column in the process form by performing the following:

   1. Log in to the Oracle Identity Manager Design Console.

   2. Expand Development Tools and then double-click Form Designer.

   3. Enter UD_PSFT_BAS in the Table Name field and click the Query for records button.

      
      

   4. Click Create New Version.

   5. In the Create a New Version dialog box, specify the version name in the Label field, save the changes, and then close the dialog box.

   6. From the Current Version list, select the newly created version.

   7. On the Additional Columns tab, click Add.

   8. Specify the new attribute name, for example, UD_PSFT_BAS_WORKLIST and other values.

      
      
      
      

      See Also: Oracle Identity Manager Design Console Guide for more information about this step and the remaining steps of this procedure

      
      

   9. Click the Make Version Active button.

   
   

   Note: To enable the new attributes perform the procedure described in Section 4.2, "Enabling Update on a New Attribute for Provisioning."

   
   

2. Add a mapping for the new attribute. To do so:

   1. Log in to the Oracle Identity Manager Design Console.

   2. Expand Administration and then double-click Lookup Definition.

      
      

   3. Enter the Lookup.PSFT.UM.Attr.Map.Prov as the name of the lookup definition in the Code field and click the Query for records button.

   4. Modify the Lookup.PSFT.UM.Attr.Map.Prov lookup definition and add a new row with the form column name as code and target field name as decode.

      The format that you must use is as follows:

      FORM COLUMN NAME=TARGET API NAME

      For example:

      To add the Worklist field, you must add the following Code Key and Decode values in the Lookup.PSFT.UM.Attr.Map.Prov lookup definition:

      Code Key	Decode
      UD_PSFT_BAS_WORKLIST	setWorklistUser,String

      
      
      
      
      
      

      Note: The peoplesoft.jar file must contain a setWorklistUser API for the attribute in the Decode column of the lookup. This Decode value is case sensitive. The Decode value is a combination of APIName and DataType separated by a comma (,). The supported data types are String, Date, Boolean, and BigDecimal.

      
      

3. Update the request dataset.

   When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:

   1. In a text editor, open the XML file located in the OIM_HOME/DataSet/file directory for editing.

   2. Add the AttributeReference element and specify values for the mandatory attributes of this element.

      
      

      See Also: The "Configuring Requests" chapter of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager guide for more information about creating and updating request datasets

      
      

      For example, while performing Step 1 of this procedure, if you added City as an attribute on the process form, then enter the following line:

      <AttributeReference
      name = "City"
      attr-ref = "City"
      type = "String"
      widget = "text"
      length = "50"
      available-in-bulk = "false"/>
      

      In this AttributeReference element:

      • For the name attribute, enter the value in the Name column of the process form without the tablename prefix.

        For example, if UD_PSFT_BAS_CITY is the value in the Name column of the process form, then you must specify CITY is the value of the name attribute in the AttributeReference element.

      • For the attr-ref attribute, enter the value that you entered in the Field Label column of the process form while performing Step 1.

      • For the type attribute, enter the value that you entered in the Variant Type column of the process form while performing Step 1.

      • For the widget attribute, enter the value that you entered in the Field Type column of the process form, while performing Step 1.

      • For the length attribute, enter the value that you entered in the Length column of the process form while performing Step 1.

      • For the available-in-bulk attribute, specify true if the data value is available for bulk modification. Otherwise specify false.

      While performing Step 1, if you added more than one attribute on the process form, then repeat this step for each attribute added.

   3. Save and close the XML file.

4. Run the PurgeCache utility to clear content related to request datasets from the server cache.

   See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

5. Import into MDS, the request dataset definitions in XML format.

   See Section 2.3.1.8.2, "Importing Request Datasets into MDS" for detailed information about the procedure.

4.2 Enabling Update on a New Attribute for Provisioning

To enable the update of newly provisioned attributes:

Note: Some of the steps in the following procedure are specific to the values that have been used. If you use other values, then these steps must be performed differently. To add new attributes for provisioning, see Section 4.1, "Adding New Attributes for Provisioning."

1. Log in to the Oracle Identity Manager Design Console.

2. Expand Process Management and then double-click Process definition.

3. In the Name field, enter Peoplesoft User Management and then click the Query for records button.

   
   

4. Add a new task, for example WorkList User Updated and save the task.

   
   

   Note: While creating a new task, ensure that the task name is same as the name of the field in the process form.

   
   
   
   

5. Click the Integration tab of the WorkList User Updated task, and then click Add.

6. Select Adapter as the handler type and then perform the following:

   1. Select ADPPSFTUMUPDATEUSER and click Save.

      
      

   2. In the Adapter Variables region, double-click Adapter return value. A window is displayed for editing the data mapping for the variable.

   3. From the Map To list, select Response Code and then click Save.

      
      

   4. In the Adapter Variables region, double-click UserID. A window is displayed for editing the data mapping of the variable.

   5. From the Map To list, select Process Data and from the Qualifier list, select User ID and then click Save.

      
      

   6. In the Adapter Variables region, double-click AttributeColumnName. A window is displayed for editing the data mapping of the variable.

   7. From the Map To list, select Literal.

   8. In the Literal Value field, enter UD_PSFT_BAS_WORKLIST as the column name for the new attribute that was added in the Lookup.PSFT.UM.Attr.Map.Prov lookup definition.

   9. In the Adapter Variables region, double-click ProcessInstanceKey. A window is displayed for editing the data mapping of the variable.

   10. From the Map To list, select Process Data and from the Qualifier list, select Process Instance and then click Save.

       
       

   11. In the Adapter Variables region, double-click ITResourceColumnField. A window is displayed for editing the data mapping of the variable.

   12. From the Map To list, select Literal.

   13. In the Literal Value field, enter UD_PSFT_BAS_SERVER as the column name of the ITResource field.

       
       

7. Perform the mappings and save the form.

8. Click the Responses tab of the Worklist Updated task. The PSFT.USER_MODIFIED_SUCCESSFUL response should be mapped to status C and all other responses to status R.

   
   

   Note: You must enter Y or N in the WorklistUser field, because PeopleSoft accepts only these values.

   
   

4.3 Adding New Attributes for Reconciliation

You can modify the default field mappings between Oracle Identity Manager and the target system. For example, the Lookup.PSFT.UM.UserProfile.AttributeMapping lookup definition for the USER_PROFILE message holds the default attribute mappings. If required, you can add to this predefined set of attribute mappings.

To add a new attribute for reconciliation:

Note: If you do not want to add new attributes for reconciliation, then you need not perform this procedure.

1. In the Oracle Identity Manager Design Console, make the required changes as follows:

   
   

   See Also: Oracle Identity Manager Design Console Guide for detailed instructions on performing the following steps

   
   

   1. Add a new attribute on the process form. See Section 4.1, "Adding New Attributes for Provisioning" for more information.

   2. If you are using Oracle Identity Manager release 11.1.1, then on the Object Reconciliation tab, click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

   3. Add a reconciliation field corresponding to the new attribute in the Peoplesoft User resource object. For example, you can add the WorkList reconciliation field.

      
      

   4. Modify the Peoplesoft User Management process definition to include the mapping between the newly added field and the corresponding reconciliation field.

      The mapping is shown in the following screenshot:

      
      

2. Add the new attribute in the message-specific attribute mapping lookup definition, for example, the Lookup.PSFT.UM.UserProfile.AttributeMapping lookup definition for the USER_PROFILE message.

   The following is the format of the values stored in this table:

   Code Key	Decode
   AttributeName	NODE~PARENT NODE~NODE TYPE=Value~EFFECTIVE DATED NODE~PRIMARY or Child Table=Multivalued Child Table RO Field

   
   

   For example:

   Code Key: WorkList

   Decode: WORKLIST_USER_SW~PSROLEXLATOPRVW

   In this example, WorkList is the reconciliation field, and its equivalent target system field is WORKLIST_USER_SW.

   The mapping is shown in the following screenshot:

   
   

3. Add the new attribute in the Resource Object attribute reconciliation lookup definition, for example, the Lookup.PSFT.UM.UserProfile.Recon lookup definition for the USER_PROFILE message.

   The following is the format of the values stored in this table:

   Code Key	Decode
   RO Attribute	ATTRIBUTE_NAME~LOOKUP_DEFINITION_NAME~LOOKUP_FIELD

   
   

   In this example, RO Attribute refers to the resource object attribute name added in the preceding steps. The Decode column refers to the Code Key value in the message-specific attribute mapping lookup definition.

   For example:

   Code Key: WorkList

   Decode: WorkList

   The following screenshot displays the mapping:

   
   

4.4 Adding New ID Types for Provisioning

A user profile describes a particular user of the PeopleSoft system. Each user of the system has an individual user profile, which in turn is linked to one or more roles. Typically, a user profile must be linked to at least one role to be a usable profile. To each role, you can add one or more permission lists, which control what a user can and cannot access. So, a user inherits permissions through the role.

You can categorize user profiles based on ID types. In addition, you can grant data access based on ID type, such as customer, employee, and so on.

The Human Resource system is designed to focus on employee user type. On the other hand, the financial system is designed to keep track of customer and supplier user types. The ID type enables you to link user types with records that are most relevant when a user interacts with the system. So, when a user logs in to the PeopleSoft application, they see information relevant to them.

The Attribute Value field is where you select the value associated with the attribute name for the ID type. For example, the value reflects the employee number, but it could be a customer number or a vendor number.

PeopleSoft supports Customer and Vendor ID types in addition to Employee ID type. You can also add new ID types depending on the PeopleSoft application module being provisioned. The new ID type can then be linked to a user profile for provisioning.

Note: The ID type and attributes discussed in the following procedure are sample values, and might differ from the values in the actual environment. Therefore, you must follow the same procedure with the values applicable in your present environment.

Suppose you want to add a new ID type Department with attributes SetID and Department. Perform the steps mentioned in the following procedure:

Note: The ID type attribute that you decide to use while configuring the new user profile ID type must map to a field in the PSOPRALIAS table.

To add a new ID type for provisioning:

1. Add a new column to the process form by performing the following steps:

   1. Log in to the Oracle Identity Manager Design Console.

   2. Expand Development Tools and then double-click Form Designer.

   3. In the Table Name field, enter UD_PSFT_BAS and click the Query for records button.

      
      

   4. Click Create New Version.

   5. In the Create a new version dialog box, specify the version name in the Label field, save the changes, and then close the dialog box.

      
      

   6. From the Current Version list, select the newly created version.

   7. On the Additional Columns tab, click Add.

   8. Specify the new attribute name for the attribute Set ID, for example UD_PSFT_BAS_DEPSETID. In addition, enter other values, such as the field label as Department Set ID.

      
      
      
      

      See Also: Oracle Identity Manager Design Console Guide for more information about this step and the remaining steps of this procedure

      
      

   9. Click Make Version Active.

2. Add a mapping for the new ID type attribute. To do so:

   1. Log in to the Oracle Identity Manager Design Console.

   2. Expand Administration and then double-click Lookup Definition.

   3. Enter Lookup.PSFT.UM.AttrMap.IDTypes as the name of the lookup definition in the Code field and click the Query for records button.

   4. Modify the Lookup.PSFT.UM.AttrMap.IDTypes lookup definition by adding a new row with the following values:

      Code Key: Column name of the form

      Decode: It is a combination of the following elements:

      ID TYPE~ATTRIBUTE NAME#EXECUTION ORDER NUMBER

      In this format, tilde (~) is used as a separator between ID type and the corresponding attribute. The number sign (#) is used as a separator to define the execution order.

      The format that you must use is as follows:

      FORM COLUMN NAME=ID TYPE~ATTRIBUTE NAME#EXECUTION ORDER NUMBER

      To add Department ID type with the ID type value Dep, and attribute names Set ID and Department, you must define the following mapping in the Lookup.PSFT.UM.AttrMap.IDTypes lookup definition:

      Code Key	Decode
      UD_PSFT_BAS_DEPSETID	DEP~SetID#1
      UD_PSFT_BAS_DEPARTMENT	DEP~Department#2

      
      

      In the preceding example, DEP is the User Profile ID type. SetID and Department are the attributes of DEP ID type, and the order of execution is 1 and 2 for the two attributes.

      The mapping is shown in the following screenshot:

      
      

4.5 Enabling Update on a New ID Type for Provisioning

Suppose, you want to update the Department Set ID field as described in Section 4.4, "Adding New ID Types for Provisioning." Then, perform the following procedure:

To update the newly added ID type attributes:

1. Log in to the Oracle Identity Manager Design Console.

2. Expand Process Management and then double-click Process definition.

3. Enter Peoplesoft User Management in the Name field, and then click the Query for records button.

4. Add a new task, for example Department Set ID Updated, and save the task.

   
   

5. Click the Integration tab of the Department Set ID Updated task, and then click Add.

6. Select Adapter as the handler type and then perform the following:

   1. Select ADPPSFTUMUPDATEIDTYPES and click Save.

      
      

   2. In the Adapter Variables region, double-click Adapter return value. A window is displayed for editing the data mapping of the variable.

      
      

   3. From the Map To list, select Response Code and then click Save.

   4. In the Adapter Variables region, double-click UserID. A window is displayed for editing the data mapping of the variable.

   5. From the Map To list, select Process Data, and from the Qualifier list, select User ID and then click Save.

   6. In the Adapter Variables region, double-click IDTypesColumnName. A window is displayed for editing the data mapping of the variable.

   7. From the Map To list, select Literal.

   8. In the Literal Value field, enter UD_PSFT_BAS_DEPSETID as the column name for the new attribute that was added in the Lookup.PSFT.UM.Attr.Map.Prov lookup definition.

   9. In Adapter Variables region, double-click ProcessInstanceKey. A window is displayed for editing the data mapping of the variable.

   10. From the Map To list, select Process Data, and from the Qualifier list, select Process Instance and then click Save.

       
       

   11. In Adapter Variables region, double-click ITResourceColumnField. A window is displayed for editing the data mapping of the variable.

   12. From the Map To list, select Literal.

   13. In the Literal Value field, enter UD_PSFT_BAS_SERVER as the column name of the ITResource Field.

7. Perform the mappings and save the format.

8. Click the Responses tab of the Department Set ID Updated task. The PSFT.IDTYPES_MODIFIED_SUCCESSFUL response should be mapped with status C and all other responses with status R.

4.6 Adding New ID Type for Reconciliation

Suppose, you want to reconcile the Department Set ID field as described in Section 4.4, "Adding New ID Types for Provisioning," then perform the following procedure:

To add a new ID type for reconciliation:

1. In the Oracle Identity Manager Design Console, make the required changes as follows:

   
   

   See Also: Oracle Identity Manager Design Console Guide for detailed instructions on performing the following steps

   
   

   1. Add new ID Type attribute on the process form. For the procedure to add a new ID Type attribute, see Section 4.4, "Adding New ID Types for Provisioning."

   2. If you are using Oracle Identity Manager release 11.1.1, then on the Object Reconciliation tab, click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

   3. Add a reconciliation field corresponding to the new attribute in the Peoplesoft User resource object.

      The Department Set ID reconciliation field is shown in the following screenshot:

      
      

      The Department ID reconciliation field is shown in the following screenshot:

      
      

   4. Modify the Peoplesoft User Management process definition to include the mapping between the newly added field and the corresponding reconciliation field.

      The following screenshot shows the mapping for Department Set ID field:

      
      

      The following screenshot shows the mapping for the Department ID field:

      
      

2. Add the new attribute in the message-specific attribute mapping lookup definition, for example, the Lookup.PSFT.UM.UserProfile.AttributeMapping lookup definition for the USER_PROFILE message.

   The following is the format of the values stored in this table:

   Code Key	Decode
   AttributeName	NODE~PARENT NODE~NODE TYPE=Value~EFFECTIVE DATED NODE~PRIMARY or Child Table=Multivalued Child Table RO Field

   
   

   For example:

   Code Key: Department

   Decode: DEPT_ID~PSOPRALIAS

   Code Key: Dep Set ID

   Decode: SETID~PSOPRALIAS

   In this example, Department is the reconciliation field and its equivalent target system field is Dept_ID. The equivalent target system field for Dep Set ID is SETID.

   The mapping is shown in the following screenshot:

   
   

3. Add the new attribute in the Resource Object attribute reconciliation lookup definition, for example, the Lookup.PSFT.UM.UserProfile.Recon lookup for the USER_PROFILE message.

   The following is the format of the values stored in this table:

   Code Key	Decode
   RO Attribute	ATTRIBUTE FIELD~LOOKUP NAME~LOOKUP FIELD

   
   

   In this example, the RO Attribute refers to the resource object attribute name added in the preceding steps. The Decode value is the Code Key value in the message-specific attribute mapping lookup definition.

   For example:

   Code Key: Department Set ID

   Decode: Dep Set ID

   Code Key: Department ID

   Decode: Department

   The following screenshot displays the mapping:

   
   

4.7 Configuring Validation of Data During Reconciliation

You can configure validation of reconciled and provisioned single-valued data according to your requirements. For example, you can validate data entered in the Currency Code field on the process form so that the number sign (#) is not sent to the Oracle Identity Manager during reconciliation operation.

For data that fails the validation check, the following message is displayed or recorded in the log file:

Value returned for field FIELD_NAME is false.

To configure validation of data:

1. Write code that implements the required validation logic in a Java class.

   This validation class must implement the oracle.iam.connectors.common.validate.Validator interface and the validate method.

   
   

   See Also: The Javadocs shipped with the connector for more information about this interface

   
   

   The following sample validation class checks if the value in the Currency Code attribute contains the number sign (#):

   public boolean validate(HashMap hmUserDetails,
                 HashMap hmEntitlementDetails, String field) {
               /*
            * You must write code to validate attributes. Parent
            * data values can be fetched by using hmUserDetails.get(field)
            * For child data values, loop through the
            * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
            * Depending on the outcome of the validation operation, 
            * the code must return true or false.
            */
            /*
            * In this sample code, the value "false" is returned if the field
            * contains the number sign (#). Otherwise, the value "true" is
            * returned.
            */
               boolean valid=true;
               String sCurrencyCode=(String) hmUserDetails.get(field);
               for(int i=0;i<sCurrencyCode.length();i++){
                 if (sCurrencyCode.charAt(i) == '#'){
                       valid=false; 
                       break;
                 } 
               }
               return valid;
         }
   

2. Create a JAR file to hold the Java class.

3. Copy the JAR file into the JavaTasks or ScheduleTask directory.

   
   

   Note: If you are using Oracle Identity Manager release 11.1.1, then see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for steps to import the contents of JavaTasks directory into the Oracle Identity Manager database.

   
   

4. If you created the Java class for validating a process form field for reconciliation, then:

   1. Log in to the Design Console.

   2. Search for and open the message-specific configuration lookup definition, in this example, the Lookup.PSFT.Message.UserProfile.Configuration lookup definition for the USER_PROFILE message. See Section 1.5.2.1.1, "Lookup.PSFT.Message.UserProfile.Configuration" for information about this lookup definition. Check for the Validation Lookup Definition parameter in this lookup definition. The Decode value specifies the name of the validation lookup. In this example, the Decode value is Lookup.PSFT.UM.UserProfile.Validation.

   3. Search for and open the Lookup.PSFT.UM.UserProfile.Validation lookup definition.

   4. In the Code Key column, enter the resource object name. In the Decode column, enter the class name.

      For example, to perform validation on the Currency Code attribute, you must define the following mapping in the lookup definition:

      Code Key: Currency Code

      Decode: oracle.iam.connectors.recon.validation

      Here, the Code Key value specifies the name of the resource object attribute to validate and the Decode value is the complete package name of the Implementation class.

   5. Save the changes to the lookup definition.

   6. Search for and open the message-specific configuration lookup definition, in this example, the Lookup.PSFT.Message.UserProfile.Configuration lookup definition.

   7. Set the value of the Use Validation entry to yes.

   8. Save the changes to the lookup definition.

5. Remove the PeopleSoftOIMListener.war file or PeopleSoftOIMListener.ear file depending on the Oracle Identity Manager release from the application server.

6. Depending on the Oracle Identity Manager release that you are using, perform one of the following steps:

   • If you are using Oracle Identity Manager release 9.1.0.x, then:

     1. Copy the OIM_HOME/xellerate/XLIntegrations/PSFTUM/ WAR/PeopleSoftOIMListener.war file into a temporary folder. Enter the following command to extract the contents of the PeopleSoftOIMListener.war file:

        jar -xvf PeopleSoftOIMListener.war
        

     2. Copy the validation JAR file created in Step 2 to the following directory of the extracted PeopleSoftOIMListener.war file:

        WEB-INF/lib

     3. Delete the PeopleSoftOIMListener.war file from the temporary directory into which you extracted its contents.

     4. Use the following command to re-create the file:

        jar -cvf PeoplesoftOIMListener.war .
        

   • If you are using Oracle Identity Manager release 11.1.1, copy the validation JAR file created in Step 2 to the following directory:

     PeoplSoftOIMListener.ear/PeoplSoftOIMListener.war/WEB-INF/lib

7. Depending on the Oracle Identity Manager release that you are using, perform one of the following steps:

   • If you are using Oracle Identity Manager release 9.1.0.x, then redeploy the PeopleSoftOIMListener.war file on the application server. See Section 2.2.1.5.1, "Deploying the PeopleSoft Listener on Oracle Identity Manager Release 9.1.0.x" for the procedure.

   • If you are using Oracle Identity Manager release 11.1.1, then redeploy the PeopleSoftOIMListener.ear file on the application server. See Section 2.2.1.5.2, "Deploying the PeopleSoft Listener on Oracle Identity Manager Release 11.1.1" for the procedure.

4.8 Configuring Transformation of Data During Reconciliation

You can configure the transformation of reconciled single-valued data according to your requirements. For example, you can use the Currency Code value to create a value for the Currency Code field in Oracle Identity Manager.

To configure the transformation of data:

1. Write code that implements the required transformation logic in a Java class.

   This transformation class must implement the oracle.iam.connectors.common.transform.Transformation interface and the transform method.

   
   

   See Also: The Javadocs shipped with the connector for more information about this interface

   
   

   The following sample transformation class modifies a value for the Currency Code attribute by prefixing a dollar sign ($) in the Currency Code value received from the target system:

   package oracle.iam.connectors.common.transform;
    
   import java.util.HashMap;
    
   public class TransformAttribute1 implements Transformation {
    
         /*
         Description:Abstract method for transforming the attributes
         param hmUserDetails<String,Object>
         HashMap containing parent data details
         param hmEntitlementDetails <String,Object>
         HashMap containing child data details
         
         */
         public Object transform(HashMap hmUserDetails, HashMap                  
         hmEntitlementDetails,String sField) { {
         /*
          * You must write code to transform the attributes.
          Parent data attribute values can be fetched by
          using hmUserDetails.get("Field Name").
          *To fetch child data values, loop through the
          * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
          * Return the transformed attribute.
          */
         System.out.println("sfield =" + sField);
         String sCurrencyCode= (String)hmUserDetails.get(sField);
         sCurrencyCode = "$"+sCurrencyCode;
         return sCurrencyCode;
         }
   }
   

2. Create a JAR file to hold the Java class.

3. Copy the JAR file into the JavaTasks or ScheduleTask directory.

   
   

   Note: If you are using Oracle Identity Manager release 11.1.1, then see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for steps to import the contents of JavaTasks directory into the Oracle Identity Manager database.

   
   

4. If you created the Java class for transforming a process form field for reconciliation, then:

   1. Log in to the Design Console.

   2. Search for and open the message-specific configuration lookup definition, in this example, the Lookup.PSFT.Message.UserProfile.Configuration lookup definition for the USER_PROFILE message. See Section 1.5.2.1.1, "Lookup.PSFT.Message.UserProfile.Configuration" for information about this lookup definition. Check for the Transformation Lookup Definition parameter in this lookup definition. The Decode value specifies the name of the transformation lookup. In this example, the Decode value is Lookup.PSFT.UM.UserProfile.Transformation.

   3. Search for and open the Lookup.PSFT.UM.UserProfile.Transformation lookup definition.

   4. In the Code Key column, enter the resource object field name. In the Decode column, enter the class name.

      For example, to perform transformation on the Currency Code attribute, you must define the following mapping in the lookup definition:

      Code Key: Currency Code

      Decode: oracle.iam.connectors.common.transform.TransformAttribute1

      Here, the Code Key value specifies the name of the resource object attribute on which you have applied transformation and the Decode value is the complete package name of the Implementation class.

   5. Save the changes to the lookup definition.

   6. Search for and open the message-specific configuration lookup definition, in this example, the Lookup.PSFT.Message.UserProfile.Configuration lookup definition.

   7. Set the value of the Use Transformation entry to yes.

   8. Save the changes to the lookup definition.

5. Remove the PeopleSoftOIMListener.war file or PeopleSoftOIMListener.ear file depending on the Oracle Identity Manager release from the application server.

6. Depending on the Oracle Identity Manager release that you are using, perform one of the following steps:

   • If you are using Oracle Identity Manager release 9.1.0.x, then:

     1. Copy the OIM_HOME/xellerate/XLIntegrations/PSFTUM/ WAR/PeopleSoftOIMListener.war file into a temporary folder. Enter the following command to extract the contents of the PeopleSoftOIMListener.war file:

        jar -xvf PeopleSoftOIMListener.war
        

     2. Copy the transformation JAR file created in Step 2 to the following directory of the extracted PeopleSoftOIMListener.war file:

        WEB-INF/lib

     3. Delete the PeopleSoftOIMListener.war file from the temporary directory into which you extracted its contents.

     4. Use the following command to re-create the file:

        jar -cvf PeoplesoftOIMListener.war .
        

   • If you are using Oracle Identity Manager release 11.1.1, copy the transformation JAR file created is Step 2 to the following directory:

     PeoplSoftOIMListener.ear/PeoplSoftOIMListener.war/WEB-INF/lib

7. Depending on the Oracle Identity Manager release that you are using, perform one of the following steps:

   • If you are using Oracle Identity Manager release 9.1.0.x, then redeploy the PeopleSoftOIMListener.war file on the application server. See Section 2.2.1.5.1, "Deploying the PeopleSoft Listener on Oracle Identity Manager Release 9.1.0.x" for the procedure.

   • If you are using Oracle Identity Manager release 11.1.1, then redeploy the PeopleSoftOIMListener.ear file on the application server. See Section 2.2.1.5.2, "Deploying the PeopleSoft Listener on Oracle Identity Manager Release 11.1.1" for the procedure.

4.9 Configuring Validation of Data During Provisioning

You can configure the validation of provisioned single-valued data according to your requirements. For example, you can validate the user ID provisioned to ensure that it does not contain the number sign (#).

For data that fails the validation check, the following message is displayed or recorded in the log file:

Value returned for field FIELD_NAME is false.

In this format, FIELD_NAME is the name of the field on which you perform validation.

To configure validation of data:

1. Write code that implements the required validation logic in a Java class.

   This validation class must implement the oracle.iam.connectors.common.validate.Validator interface and the validate method.

   
   

   See Also: The Javadocs shipped with the connector for more information about this interface

   
   

   The following sample validation class checks whether the value in the user ID attribute contains the number sign (#):

   public boolean validate(HashMap hmUserDetails,
                 HashMap hmEntitlementDetails, String field) {
               /*
            * You must write code to validate attributes. Parent
            * data values can be fetched by using hmUserDetails.get(field)
            * For child data values, loop through the
            * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
            * Depending on the outcome of the validation operation, 
            * the code must return true or false.
            */
            /*
            * In this sample code, the value "false" is returned if the field
            * contains the number sign (#). Otherwise, the value "true" is
            * returned.
            */
               boolean valid=true;
               String sUserID=(String) hmUserDetails.get(field);
               for(int i=0;i<sUserID.length();i++){
                 if (sUserID.charAt(i) == '#'){
                       valid=false; 
                       break;
                 } 
               }
               return valid;
         }
   

2. Create a JAR file to hold the Java class.

3. Copy the JAR file into the JavaTasks or ScheduleTask directory.

   
   

   Note: If you are using Oracle Identity Manager release 11.1.1, then see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for steps to import the contents of JavaTasks directory into the Oracle Identity Manager database.

   
   

4. If you created the Java class for validating a process form field for reconciliation, then:

   1. Log in to the Design Console.

   2. Search for and open the Lookup.PSFT.UM.Validation lookup definition.

   3. In the Code Key column, enter the column name of the process form field. In the Decode column, enter the class name.

      For example, to perform validation on the user ID attribute, you must define the following mapping in the Lookup.PSFT.UM.Validation lookup definition:

      Code Key: UD_PSFT_BAS_OPRID

      Decode: oracle.iam.connectors.prov.validation

      Here, the Code Key value specifies the column name of the field you want to validate and the Decode value is the complete package name of the Implementation class.

   4. Save the changes to the lookup definition.

5. Set the value of the Use Validation For Prov entry to yes in the Lookup.PSFT.Configuration lookup definition.

6. Save the changes to the lookup definition.

4.10 Modifying Field Lengths on the Process Form

You might want to modify the lengths of the fields (attributes) on the process form. For example, if you use a Japanese locale, then you might want to increase the lengths of the process form fields to accommodate multibyte data from the target system.

To modify the length of a field on the OIM User form:

1. Log in to the Design Console.

2. Expand Administration, and double-click User Defined Field Definition.

3. Search for and open the Users form.

4. Modify the length of the required field.

5. Click the Save icon.

4.11 Configuring the Connector for Multiple Installations of the Target System

You might want to configure the connector for multiple installations of the target system. The following example illustrates this requirement:

The London and New York offices of Example Multinational Inc. have their own installations of the target system. The company has recently installed Oracle Identity Manager, and wants to configure Oracle Identity Manager to link all the installations of the target system.

The company has a trusted (authoritative) source of identity data for Oracle Identity Manager, for example PSFT_TRST. The company uses the PeopleSoft Employee Reconciliation connector to reconcile person records, which in turn creates OIM Users.

The company now needs to provision resources on two different target systems, PSFT_LDN and PSFT_NY for London and New York offices, respectively, using the PeopleSoft User Management connector.

The resources in the London office have five mandatory fields to be provisioned. But, the New York office has an additional field to provision, for example the Social Security Number (SSN). In this scenario, you must create a clone of the User Management connector to provision PSFT_LDN and PSFT_NY target systems. The connector for the PSFT_NY target system has an additional SSN field to provision.

Figure 4-1 shows the architecture for multiple installations of the target system in Example Multinational Inc.

Figure 4-1 Architecture for Multiple Installations of the Target System

Description of "Figure 4-1 Architecture for Multiple Installations of the Target System"

To meet the requirement posed by such a scenario, you can create copies of connector objects, such as the IT resource, process form, process definition, and resource object.

The decision to create a copy of a connector object is based on a requirement. For example, an IT resource can hold connection information for one target system installation. Therefore, it is mandatory to create a copy of the IT resource for each target system installation.

With some other connector objects, you do not need to create copies at all. For example, a single attribute-mapping lookup definition can be used for all installations of the target system.

All connector objects are linked. For example, a scheduled task holds the name of the IT resource. Similarly, the IT resource holds the name of the common configuration lookup definition, which is Lookup.PSFT.Configuration. If you create a copy of an object, then you must specify the name of the copy in other connector object. Table 4-1 lists the association between connector objects whose copies can be created and the other objects that reference these objects. When you create a copy of an object, use this information to change the associations of that object with other objects.

Table 4-1 Connector Objects and Their Associations

Connector Object	Name	Referenced By	Description
IT Resource	PSFT Server	Scheduled Task: PeopleSoft User Management Target Reconciliation Resource Object: Peoplesoft User	You need to create a copy of IT Resource with a different name.
Resource Object	Peoplesoft User	Message-specific configuration lookup definitions: Lookup.PSFT.Message.UserProfile.Configuration Lookup.PSFT.Message.DeleteUserProfile.Configuration	It is optional to create a copy of a resource object. If you are reconciling the same set of attributes from the other target system, then you need not create a new resource object. Note: Create copies of this resource object only if there are differences in attributes between two installations of the target system.
Process Definition	Peoplesoft User Management	NA	It is optional to create a copy of a process definition. If you are reconciling or provisioning the same set of attributes, then you need not create a copy of this connector object. Note: Create copies of this process definition only if there are differences in attributes between two installations of the target system.
Process Form	UD_PSFT_BAS	NA	It is optional to create a copy of the process form. If you are provisioning different sets of attributes, then you need to create a copy of this connector object.
Common Configuration Lookup Definition	Lookup.PSFT.Configuration	Message-specific configuration lookup definitions: Lookup.PSFT.Message.UserProfile.Configuration Lookup.PSFT.Message.DeleteUserProfile.Configuration	It is optional to create a copy of the common configuration lookup definition. Note: Create copies of this lookup definition only if there are differences in attributes between two installations of the target system.
Message-specific Configuration Lookup Definition	Lookup.PSFT.Message.UserProfile.Configuration Lookup.PSFT.Message.DeleteUserProfile.Configuration	Attribute mapping lookup definitions: Lookup.PSFT.UM.UserProfile.AttributeMapping Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping	It is optional to create a copy of the message-specific lookup definitions. Note: Create copies of this lookup definition only if there are differences in attributes between two installations of the target system.
Attribute Mapping Lookup Definition	Lookup.PSFT.UM.UserProfile.AttributeMapping Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping	NA	This lookup definition holds the information of the attributes reconciled from the XML message file from the target system. Note: Create copies of this lookup definition only if there are differences in attributes between two installations of the target system.
Recon Map Lookup Definition	Lookup.PSFT.UM.UserProfile.Recon Lookup.PSFT.UM.DeleteUserProfile.Recon	NA	This lookup definition maps the resource object field with the data reconciled from the message. Note: Create copies of this lookup definition only if there are differences in attributes between two installations of the target system.

To create copies of the connector objects:

Note: See the Oracle Identity Manager Design Console Guide for detailed information about the steps in this procedure.

1. Create a copy of the IT resource. See Section 2.2.1.3, "Configuring the IT Resource" for information about this IT resource.

   You can enable dependent lookups if you want to view data in the lookup fields of the process form for the selected IT resource. Section 4.12, "Enabling the Dependent Lookup Fields Feature" describes the procedure to configure the dependent lookups.

2. Create a copy of the Peoplesoft User resource object.

3. Create copy of the USER_PROFILE message-specific configuration lookup.

4. Create a copy of the Lookup.PSFT.Configuration lookup definition. See Section 1.5.2.3.1, "Lookup.PSFT.Configuration" for information about this lookup definition.

5. Create a copy of the message-specific attribute mapping and the Recon lookup definition, for example, Lookup.PSFT.UM.UserProfile.AttributeMapping and the Lookup.PSFT.UM.UserProfile.Recon for the USER_PROFILE message.

6. Create a copy of the PeopleSoft User Management Target Reconciliation scheduled task. See "Configuring the Scheduled Task for User Data Reconciliation" for information about this scheduled task.

7. Remove the PeopleSoftOIMListener.war file as described in Section 2.2.1.6, "Removing the PeopleSoft Listener."

8. Extract the removed PeopleSoftOIMListener.war file to a temporary folder.

9. Edit the web.xml file as follows:

   1. Search for the </servlet> tag in the file.

   2. Edit the following lines above the </servlet> tag:

      <init-param>
      <!-- Specify Message Handler Impl classes -->
      <param-name>IT_RESOURCE_NAME</param-name>
      <param-value>MESSAGE~IMPLEMENTATION_CLASS;MESSAGE~IMPLEMENTATION_CLASS;MESSAGE~IMPLEMENTATION_CLASS</param-value>
      </init-param>
      

      Here, IT_RESOURCE_NAME refers to the new IT Resource name defined in Step 1 of this procedure.

      Modify the second line as described in Step 4 (e) of the procedure in Section 2.2.1.5, "Deploying the PeopleSoft Listener."

10. Deploy the PeopleSoftOIMListener.war file as described in Section 2.2.1.5, "Deploying the PeopleSoft Listener."

To reconcile data from a particular target system installation, specify the name of the IT resource for that target system installation as the value of the ITResource scheduled task attribute.

4.12 Enabling the Dependent Lookup Fields Feature

When you perform a provisioning operation, lookup fields on the Administrative and User Console allow you to select values from lists. Some of these lookup fields are populated with values copied from the target system.

In earlier releases of the connector, if you had multiple installations of the target system, then entries in the lookup field were linked to the target system installation from which the entries were copied. This allowed you to select lookup field values that were specific to the target system installation on which the provisioning operation was to be performed.

For release 9.1.1 of the connector, the Dependent Lookup Fields feature is disabled by default. You can enable this feature after you deploy the Oracle Identity Manager release 9.1.0.2 bundle patch BP05 or later.

To enable the Dependent Lookup Fields feature after you deploy the bundle patch BP05 or later, perform the following procedures:

Note: To provision a resource, you enter the required values in the process form with atleast one lookup value selected, for example, Currency Code and then click Continue. But, if you click the Back button now, the description of the Code Key on the process form changes to the Decode value. If you proceed with provisioning now, the following exception is thrown: Column data length is too long

• Section 4.12.1, "Updating the UD_PSFT_BAS Form"

• Section 4.12.2, "Updating the UD_PS_EMAIL Form"

• Section 4.12.3, "Updating the UD_PSROLES Form"

4.12.1 Updating the UD_PSFT_BAS Form

Update the UD_PSFT_BAS form as follows:

1. On the Design Console, expand Development Tools and double-click Form Designer.

2. Search for and open the UD_PSFT_BAS form.

3. Click Create New Version, enter a new version number, and then save the version.

   
   

4. From the Current Version list, select the version that you created.

5. Open the Properties tab.

6. Add properties for the Primary Email Type lookup field as follows:

   1. Select the Lookup Code= Name of Lookup Definition property, and then click Delete Property.

      For example:

      Lookup Code = Lookup.PSFT.UM.EmailType

   2. Select Primary Email Type, and then click Add Property.

   3. In the Add Property dialog box:

      From the Property Name list, select Lookup Column Name.

      In the Property Value field, enter lkv_encoded.

      Click the Save icon, and then close the dialog box.

   4. Select Primary Email Type, and then click Add Property.

   5. In the Add Property dialog box:

      From the Property Name list, select Column Names.

      In the Property Value field, enter lkv_encoded.

      
      

      Click the Save icon, and then close the dialog box.

   6. Select Primary Email Type, and then click Add Property.

   7. In the Add Property dialog box:

      From the Property Name list, select Column Widths.

      In the Property Value field, enter 234.

      
      

   8. Select Primary Email Type, and then click Add Property.

   9. In the Add Property dialog box:

      From the Property Name list, select Column Captions.

      In the Property Value field, enter lkv_decoded.

      
      

      Click the Save icon, and then close the dialog box.

   10. Select Primary Email Type, and then click Add Property.

   11. In the Add Property dialog box:

       From the Property Name list, select Lookup Query.

       In the Property Value field, enter the following if Oracle Identity Manager is running on Oracle:

       SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.EmailType' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$','~%')
       

       In the Property Value field, enter the following if Oracle Identity Manager is running on Microsoft SQL Server:

       SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.EmailType'AND lkv_encoded like '$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
       

       
       

       Click the Save icon, and then close the dialog box.

7. Perform Steps 6.a through 6.j. Add the properties that you added for the Primary Email Type field on the UD_PSFT_BAS form.

8. When you perform Step 6.k, enter values in the Property Value field for the lookup query specified in Table 4-2 for the respective field, such as Language Code, Currency Code, Primary Permission List, Row Security Permission List, Process Profile Permission List, and Navigator Home Permission List.

   
   

   Table 4-2 lists the lookup queries.

   Table 4-2 Queries for Lookup Fields

   Field Name	Oracle Database Version of the Query	Microsoft SQL Server Version of the Query
   Field Name (UD_PSFT_BAS)
   Primary Email Type	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.EmailType' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$', '~%')	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.EmailType'AND lkv_encoded like '$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
   Language Code	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.LanguageCode' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$', '~%')	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key ANDlku_type_string_key ='Lookup.PSFT.UM.LanguageCode' AND lkv_encoded like '$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
   Currency Code	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.CurrencyCode' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$', '~%')	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key ANDlku_type_string_key = 'Lookup.PSFT.UM.CurrencyCode' AND lkv_encoded like'$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
   Primary Permission List	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key ='Lookup.PSFT.UM.PermissionList' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$', '~%')	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key ANDlku_type_string_key = 'Lookup.PSFT.UM.PermissionList' AND lkv_encoded like'$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
   Row Security Permission List	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key ='Lookup.PSFT.UM.PermissionList' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$', '~%')	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key ANDlku_type_string_key = 'Lookup.PSFT.UM.PermissionList' AND lkv_encoded like'$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
   Process Profile Permission List	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.PermissionList' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$', '~%'	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key ANDlku_type_string_key = 'Lookup.PSFT.UM.PermissionList' AND lkv_encoded like'$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
   Navigator Home Permission List	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.PermissionList' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$', '~%')	SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key ANDlku_type_string_key = 'Lookup.PSFT.UM.PermissionList' AND lkv_encoded like'$Formdata.UD_PSFT_BAS_SERVER$' + '~%'

   
   

9. Click the Save icon to save the changes to the form.

10. Click Make Version Active.

4.12.2 Updating the UD_PS_EMAIL Form

The procedure that you perform to update the UD_PS_EMAIL form is almost the same as the procedure described in Section 4.12.1, "Updating the UD_PSFT_BAS Form":

1. On the Design Console, expand Development Tools and double-click Form Designer.

2. Search for and open the UD_PS_EMAIL form.

3. Click Create New Version, enter a new version number, and then save the version.

4. From the Current Version list, select the version that you created.

5. Open the Properties tab.

6. Add properties for the Email Type lookup field as follows:

   1. When you perform Step 6.b of the procedure described in Section 4.12.1, "Updating the UD_PSFT_BAS Form," select Email Type instead of Primary Email Type.

   2. Perform Steps 6.c through 6.j. Add the properties that you added for the Primary Email Type field on the UD_PSFT_BAS form.

   3. When you perform Step 6.k, enter the following in the Property Value field for the lookup query:

      For Oracle:

      SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.EmailType' AND  lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$',   '~%')
      

      For Microsoft SQL Server:

      SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key=lku.lku_key ANDlku_type_string_key='Lookup.PSFT.UM.EmailType'and lkv_encoded like'$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
      

7. Click the Save icon to save the changes to the form.

8. Click Make Version Active.

   
   

4.12.3 Updating the UD_PSROLES Form

The procedure that you perform to update the UD_PSROLES form is almost the same as the procedure described in Section 4.12.1, "Updating the UD_PSFT_BAS Form":

1. On the Design Console, expand Development Tools and double-click Form Designer.

2. Search for and open the UD_PSROLES form.

3. Click Create New Version, enter a new version number, and then save the version.

4. From the Current Version list, select the version that you created.

5. Open the Properties tab.

6. Add properties for the Role Name lookup field as follows:

   1. When you perform Step 6.b of the procedure described in Section 4.12.1, "Updating the UD_PSFT_BAS Form," select Role Name instead of Primary Email Type.

   2. Perform Steps 6.c through 6.j. Add the properties that you added for the Primary Email Type field on the UD_PSFT_BAS form.

   3. When you perform Step 6.k, enter the following in the Property Value field for the lookup query:

      For Oracle:

      SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.Roles' AND  lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$',   '~%')
      

      For Microsoft SQL Server:

      SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key=lku.lku_key ANDlku_type_string_key='Lookup.PSFT.UM.Roles' AND lkv_encoded like'$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
      

7. Click the Save icon to save the changes to the form.

8. Click Make Version Active.