Oracle® Identity Manager Connector Guide for SAP User Management Engine Release 9.1.0 E17554-01
This chapter is divided into the following sections:
Section 3.2, "Scheduled Task for Lookup Field Synchronization"
Section 3.3, "General Considerations to Be Addressed While Using the Connector"
Note: These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.
To perform a full reconciliation run, remove (delete) any value currently assigned to the Custom Recon Query attribute of the SAP UME User Recon scheduled task. See Section 3.6, "Configuring Scheduled Tasks" for information about this scheduled task.
The SAP UME Lookup Recon scheduled task is used for lookup field synchronization. Table 3-1 describes the attributes of this scheduled task. The procedure to configure scheduled tasks is described later in the guide.
Table 3-1 Attributes of the SAP UME Lookup Recon Scheduled Task
Attribute | Description |
---|---|
IT Resource | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Lookup Name | This attribute holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Default value: |
Schedule Task Name | This attribute holds the name of the scheduled task. Value: |
Keep in mind the following points when you start using the connector:
Multiple requests are generated from Oracle Identity Manager in response to some provisioning operations. For example, if you assign multiple roles to a user in a particular provisioning operation, then one request is created and sent to Compliant User Provisioning for each role.
For a particular account, Oracle Identity Manager keeps track of the latest request only. This means, for example, if more than one attribute of an account has been modified in separate provisioning operations, then Oracle Identity Manager keeps track of data related to the last operation only.
A Modify User operation can involve changes to multiple process form fields or child form fields. For each field that is modified, one request is created and sent to SAP GRC Compliant User Provisioning. Only information about the last request sent to Compliant User Provisioning is stored in Oracle Identity Manager.
Only parent or child form requests can be submitted in a single operation. You cannot submit both parent and child form requests at the same time.
Apply the following guideline while configuring reconciliation:
On a Microsoft Windows platform, if you encounter the org.quartz.SchedulerException exception during a reconciliation run, then download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package from the Microsoft Web site.
As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:
In full reconciliation, all existing target system records are fetched into Oracle Identity Manager for reconciliation. See Section 3.1, "Performing Full Reconciliation" for instructions.
In full reconciliation, all target system records are fetched into Oracle Identity Manager. You can also configure limited reconciliation to specify the subset of target system records that must be fetched into Oracle Identity Manager.
You configure limited reconciliation by specifying a query condition as the value of the Custom Query attribute of the SAP UME User Recon scheduled task.
You must use the following format to specify a value for the Custom Query attribute:
RESOURCE_OBJECT_FIELD_NAME equals VALUE
For example, suppose you specify the following as the value of the Custom Query attribute:
Last Name equals Doe
With this query condition, only records of users whose last name is Doe are brought for reconciliation.
Note: The SPML API supports only one level of conditions, using either the AND or OR operator. Because the data source condition is already used in the connector code, only one additional condition can be specified in the custom reconciliation query.
To configure limited reconciliation:
Ensure that the attribute that you want to use in the query exists in the Lookup.SAP.UME.ReconAttrMap lookup definition.
Create the query condition. Apply the following guidelines to create the query condition:
Use only the following operators in the query condition:
equals
startsWith
endsWith
like
Note: If any other special character is included, then it is treated as part of the attribute value that you specify.
Add a space before and after the operators used in the query condition. For example:
First Name startsWith John
This is to help the system distinguish between operators used in the query and the same characters included as part of attribute values specified in the query condition.
Ensure that attribute names that you use in the query condition are in the same case (uppercase and lowercase) as the case of values in the Lookup.SAP.UME.ReconAttrMap lookup definition. For example, the following query condition would fail:
fiRst Name startsWith John
While configuring the SAP UME User Recon scheduled task, specify the query condition as the value of the Custom Query attribute. The procedure is described later in this chapter.
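The following validator, added here as an illustration and not part of the connector or this guide, applies the rules above to a Custom Query value before it is entered on the SAP UME User Recon scheduled task: exactly one condition, one of the four operators with a space on each side, and an attribute name that matches Lookup.SAP.UME.ReconAttrMap case-sensitively. The attribute names in RECON_ATTR_MAP are a constructed stand-in for the real lookup definition.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the attribute names in Lookup.SAP.UME.ReconAttrMap.
# The real lookup definition is imported with the connector; only these names are assumed.
RECON_ATTR_MAP = frozenset({"User ID", "First Name", "Last Name", "E Mail"})

# The only operators the guide allows in the Custom Query attribute.
OPERATORS = ("equals", "startsWith", "endsWith", "like")
_CONDITION = re.compile(r"^(.+?) (" + "|".join(OPERATORS) + r") (.+)$")


class CustomQueryError(ValueError):
    """Raised when a Custom Query value breaks one of the guide's rules."""


@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str
    value: str


def parse_custom_query(query: str, attr_map=RECON_ATTR_MAP) -> Condition:
    """Validate one Custom Query value before it is entered on the scheduled task."""
    text = query.strip()
    if not text:
        raise CustomQueryError("empty query; leave the attribute blank only for full reconciliation")
    # SPML supports one level of conditions and the connector already uses it for the
    # data source condition, so a second AND/OR condition cannot be expressed.
    if re.search(r" (AND|OR) ", text):
        raise CustomQueryError("only one condition is allowed; AND/OR are not supported")
    # The operator must stand alone with a space on each side; any other special
    # character is treated as part of the value, exactly as the guide states.
    match = _CONDITION.match(text)
    if not match:
        raise CustomQueryError("expected 'FIELD <operator> VALUE' with one of: " + ", ".join(OPERATORS))
    attribute, operator, value = match.groups()
    # Attribute names are matched case-sensitively against the lookup definition.
    if attribute not in attr_map:
        same_ignoring_case = next((a for a in attr_map if a.lower() == attribute.lower()), None)
        message = f"attribute '{attribute}' is not in Lookup.SAP.UME.ReconAttrMap"
        if same_ignoring_case:
            message += f"; the lookup spells it '{same_ignoring_case}' (case must match)"
        raise CustomQueryError(message)
    return Condition(attribute, operator, value)


def validation_error(query: str) -> Optional[str]:
    """Return the error message for a query, or None if the guide's rules are satisfied."""
    try:
        parse_custom_query(query)
    except CustomQueryError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for q in ("Last Name equals Doe", "fiRst Name startsWith John", "E Mail like %@example.com"):
        print(f"{q!r}: {validation_error(q) or 'OK'}")
```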
You must specify values for the attributes of the following scheduled tasks:
Note: Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change.
You use the SAP UME User Recon scheduled task to reconcile user data from the target system. Table 3-2 describes the attributes of this scheduled task.
Table 3-2 Attributes of the SAP UME User Recon Scheduled Task
Attribute | Description |
---|---|
 | This attribute holds the name of the lookup definition that stores attribute mappings for reconciliation. Value: |
 | This attribute holds the name of the lookup definition that stores child attribute mappings for reconciliation. Value: |
Custom Query | Enter the query that you want the connector to apply during reconciliation. See Section 3.5.2, "Limited Reconciliation" for more information. |
IT Resource | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Resource Object | This attribute holds the name of the resource object. Default value: |
SAP System Time Zone | Enter the abbreviation for the time zone of the target system host computer. The value that you enter must be one of the time zones supported by the java.util.TimeZone class. Note: The connector does not validate the value that you enter. In addition, no error is thrown during reconciliation if the value entered is not a valid time zone. Sample value: |
Schedule Task Name | This attribute holds the name of the scheduled task. Value: |
Full Recon Filter | This attribute holds the name of the lookup definition that stores characters supported by SAP User Management Engine. Value: |
You use the SAP UME Delete Recon scheduled task to reconcile deleted users from the target system. Table 3-3 describes the attributes of this scheduled task.
Table 3-3 Attributes of the SAP UME Delete Recon Scheduled Task
Attribute | Description |
---|---|
Disable User | Enter Default value: |
IT Resource | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Resource Object | This attribute holds the name of the resource object. Default value: |
Schedule Task Name | This attribute holds the name of the scheduled task. Default value: |
You use the SAP CUP Status Update Recon scheduled task to fetch the status of provisioning requests sent to SAP GRC Compliant User Provisioning. For a particular user, only the status of the latest request is brought to Oracle Identity Manager. This request is the one currently stored on the process form. Table 3-4 describes the attributes of this scheduled task.
Table 3-4 Attributes of the SAP CUP Status Update Recon Scheduled Task
Attribute | Description |
---|---|
 | This attribute holds the name of the lookup definition that holds constants used by the connector during reconciliation and provisioning. Default value: |
IT Resource | Enter the name of the IT resource for the SAP GRC installation from which you want to fetch request status data. Default value: |
Resource Object | This attribute holds the name of the resource object. Default value: |
Schedule Task Name | This attribute holds the name of the scheduled task. Default value: |
You use the SAP CUP Delete Recon scheduled task to revoke accounts (resources) of users in Oracle Identity Manager for whom the Create User provisioning requests are rejected by SAP GRC Compliant User Provisioning.
When you perform a Create User provisioning operation, the account is allocated to the OIM User even before SAP GRC Compliant User Provisioning clears the provisioning request and creates an account on the target system. For a particular user, if account creation on the target system fails, then the account provisioned in Oracle Identity Manager is an invalid account. You use the SAP CUP Delete Recon scheduled task to identify and delete such accounts.
Table 3-5 Attributes of the SAP CUP Delete Recon Scheduled Task
Attribute | Description |
---|---|
 | This attribute holds the name of the lookup definition that stores configuration values used by the connector during reconciliation and provisioning. You can set values for some of the entries in this lookup definition. Default value: |
 | This attribute holds the name of the lookup definition that holds constant values used by the connector during reconciliation and provisioning. Default value: |
IT Resource | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Resource Object | This attribute holds the name of the resource object. Default value: |
Schedule Task Name | This attribute holds the name of the scheduled task. Default value: |
This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.
Table 3-6 lists the scheduled tasks that you must configure.
Table 3-6 Scheduled Tasks for Lookup Field Synchronization and Reconciliation
Scheduled Task | Description |
---|---|
SAP UME Lookup Recon | This scheduled task is used for lookup field synchronization. Section 3.2, "Scheduled Task for Lookup Field Synchronization" describes this scheduled task. |
SAP UME User Recon | This scheduled task is used for user record reconciliation. Section 3.5.3.1, "SAP UME User Recon" describes this scheduled task. |
SAP UME Delete Recon | This scheduled task is used for reconciliation of deleted user records. Section 3.5.3.2, "SAP UME Delete Recon" describes this scheduled task. |
SAP CUP Status Update Recon | This scheduled task is used to fetch the status of provisioning requests sent to SAP GRC Compliant User Provisioning. Section 3.5.3.3, "SAP CUP Status Update Recon" describes this scheduled task. Note: This scheduled task is created only if you configure the Compliant User Provisioning feature. |
SAP CUP Delete Recon | This scheduled task is used to revoke accounts (resources) of users in Oracle Identity Manager for whom the Create User provisioning requests are rejected by SAP GRC Compliant User Provisioning. Section 3.5.3.4, "SAP CUP Delete Recon" describes this scheduled task. Note: This scheduled task is created only if you configure the Compliant User Provisioning feature. |
To configure a scheduled task:
Log in to the Administrative and User Console.
Expand Resource Management.
Click Manage Scheduled Task.
On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.
In the search results table, click the edit icon in the Edit column for the scheduled task.
On the Edit Scheduled Task Details page, you can modify the following details of the scheduled task by clicking Edit:
Status: Specify whether or not you want to leave the task in the enabled state. In the enabled state, the task is ready for use.
Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.
Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.
Frequency: Specify the frequency at which you want the task to run.
After modifying the values for the scheduled task details listed in the previous step, click Continue.
Specify values for the attributes of the scheduled task. To do so, select each attribute from the Attribute list, specify a value in the field provided, and then click Update.
Note: Attribute values are predefined in the connector XML file that you import. Specify values only for the attributes that you want to change.
The attributes of the scheduled task that you select for modification are displayed on this page.
Click Save Changes to commit all the changes to the database.
Note: If you want to stop a scheduled task while it is running, then use the Stop Execution feature of the Design Console. See "The Task Scheduler Form" in Oracle Identity Manager Design Console Guide for information about this feature.
Apply the following guidelines while performing provisioning operations:
Through provisioning, if you want to create and disable an account at the same time, then you can set the value of the Valid Through attribute to a date in the past. For example, while creating an account on 31-Jul, you can set the Valid Through date to 30-Jul. With this value, the resource provisioned to the OIM User is in the Disabled state immediately after the account is created.
However, on the target system, if you set the Valid Through attribute to a date in the past while creating an account, then the target system automatically sets Valid Through to the current date. The outcome of this Create User provisioning operation is as follows:
The values of the Valid Through attribute in Oracle Identity Manager and on the target system do not match.
On the target system, the user can log in all through the current day. The user cannot log in from the next day onward.
You can lock the user on the target system so that the user is not able to log in on the day the account is created.
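The divergence described above, modelled as an added example that is not part of the guide or the connector: Oracle Identity Manager marks the resource Disabled as soon as Valid Through is in the past, while the target system replaces the past date with the creation date and still allows login for that day. The calendar year is a constructed value; the guide gives only 30-Jul and 31-Jul.

```python
from datetime import date, timedelta


def oim_resource_status(created_on: date, valid_through: date) -> str:
    """State of the provisioned resource in Oracle Identity Manager: a Valid Through
    date in the past puts the resource in the Disabled state right after creation."""
    return "Disabled" if valid_through < created_on else "Enabled"


def target_valid_through(created_on: date, requested: date) -> date:
    """The target system does not keep a past Valid Through on account creation;
    it sets the attribute to the current date (assumed here to be the creation date)."""
    return created_on if requested < created_on else requested


def target_login_allowed(on_day: date, valid_through: date, locked: bool) -> bool:
    """On the target system the account can log in through the Valid Through day
    inclusive, unless the user has been locked on the target system."""
    return not locked and on_day <= valid_through


def create_user_outcome(created_on: date, requested_valid_through: date,
                        lock_user: bool = False) -> dict:
    """Summarise both sides of a create-and-disable request for review."""
    target_vt = target_valid_through(created_on, requested_valid_through)
    return {
        "oim_status": oim_resource_status(created_on, requested_valid_through),
        "oim_valid_through": requested_valid_through.isoformat(),
        "target_valid_through": target_vt.isoformat(),
        "valid_through_mismatch": target_vt != requested_valid_through,
        "login_today": target_login_allowed(created_on, target_vt, lock_user),
        "login_tomorrow": target_login_allowed(created_on + timedelta(days=1), target_vt, lock_user),
    }


def guide_example(lock_user: bool = False) -> dict:
    """The guide's scenario: account created on 31-Jul with Valid Through set to 30-Jul.
    The year 2010 is a constructed value."""
    return create_user_outcome(date(2010, 7, 31), date(2010, 7, 30), lock_user)


if __name__ == "__main__":
    print("without lock:", guide_example())
    print("with lock:   ", guide_example(lock_user=True))
```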
When you try to provision a multivalued attribute, such as a role or group, if the attribute has already been set for the user on the target system, then the status of the process task is set to Completed in Oracle Identity Manager. If required, you can configure the task so that it shows the status Rejected in this situation. See Oracle Identity Manager Design Console Guide for information about configuring process tasks.
When you perform the Lock User or Unlock User provisioning operation, remember that the connector makes the required change on the target system without checking whether the account is currently in the Locked or Unlocked state. This is because the target system does not provide a method to check the current state of the account.
The target system does not accept non-English letters in the E-mail Address field. Therefore, during provisioning operations, you must enter only English language letters in the E-mail Address field on the process form.
During a Create User operation performed when Compliant User Provisioning is configured, first submit process form data. Submit child form data after the user is created on the target system. This is because when Compliant User Provisioning is enabled, the connector supports modification of either process form fields or child form fields in a single Modify User operation, not both.
The following fields on the process form are mandatory attributes on SAP GRC Compliant User Provisioning:
CUP Requestor ID
CUP Requestor First Name
CUP Requestor Last Name
CUP Requestor Email
GRC IT Resource
User ID
First Name
Last Name
E Mail
Note: You must enter values for these fields even though some of them are not marked as mandatory fields on the Administrative and User Console.
The Valid From and Valid Through attributes are not mandatory attributes.
As mentioned earlier in this guide, SAP GRC Compliant User Provisioning does not process passwords. Therefore, any value entered in the Password field is ignored during Create User provisioning operations. After a Create User operation is performed, the user for whom the account is created on the target system must apply one of the following approaches to set the password:
To use the Oracle Identity Manager password as the target system password, change the password through Oracle Identity Manager.
Directly log in to the target system, and change the password.
You perform an Enable User operation by setting the Valid From field to a future date. Similarly, you perform a Disable User operation by setting the Valid Through field to the current date. Both operations are treated as Modify User operations.
When you delete a user (account) on the Administrative and User Console (process form), a Delete User request is created.
When you select the Lock User check box on the process form, a Lock User request is created.
When you deselect the Lock User check box on the process form, an Unlock User request is created.
The Enable User and Disable User operations are implemented through the Valid From and Valid Through fields on the process form.
In a Modify User operation, you can specify values for attributes that are mapped with SAP GRC Compliant User Provisioning and for attributes that are directly updated on the target system. A request is created in SAP GRC Compliant User Provisioning only for attributes whose mappings are present in these lookup definitions. If you specify values for attributes that are not present in these lookup definitions, then the connector sends them directly to the target system.
If an ABAP data source is configured in SAP User Management Engine, then ABAP roles are shown as groups in SAP User Management Engine. The group child form in Oracle Identity Manager shows these role details.