You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
Topics:
Before using the DBAT connector, ensure that the lookup definitions are synchronized and, for trusted source reconciliation, that the date formats set in the target system and in Oracle Identity Manager are the same.
Apply the following guidelines while using the connector:
Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the child tables of the target system. In other words, scheduled tasks for lookup field synchronization must be run before user reconciliation runs.
If you have configured the connector for trusted source reconciliation, then ensure that the date formats set in both the target system and Oracle Identity Manager are the same. To ensure that the date formats match:
Check the date format set on Oracle Identity Manager. To do so:
Log in to the Administrative and User Console.
In the Welcome page of Oracle Identity Manager Administration, under System Management, click System Configuration. Alternatively, you can click the System Management tab, and then click System Configuration.
Search for and open the Default Date Format system property.
On the System Property Detail page, note the date format displayed in the Value field.
In the DBATConfiguration.groovy file, ensure that the value of the timestampFormat property is the same as the date format noted in Step 1.1.d.
The lookup definitions used during connector operations can be categorized as follows:
This section discusses the lookup definitions that are created in Oracle Identity Manager after you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed. In addition, you can customize entries in the lookup definitions to suit your requirements. This section discusses the following lookup definitions:
Note:
RESOURCE has been used as placeholder text for the IT resource name. Therefore, replace all instances of RESOURCE in this guide with the value that you specified for the itResourceName entry in the DBATConfiguration.groovy file. See Entries in the Predefined Sections for more information about entries in the DBATConfiguration.groovy file.
The Lookup.Configuration.RESOURCE lookup definition holds connector configuration entries that are used during reconciliation (both trusted source and target resource) and provisioning operations.
Table 4-1 lists the entries in this lookup definition.
Table 4-1 Entries in the Lookup.Configuration.RESOURCE Lookup Definition
Code Key | Decode | Description |
---|---|---|
Bundle Name |
org.identityconnectors.databasetable |
This entry holds the name of the connector bundle class. Do not modify this entry. |
Bundle Version |
1.2.2 |
This entry holds the version of the connector bundle class. Do not modify this entry. |
Connector Name |
org.identityconnectors.databasetable.DatabasetableConnector |
This entry holds the name of the connector class. Do not modify this entry. |
Pool Max Idle |
10 |
This entry holds the maximum number of idle objects in a pool. |
Pool Max Size |
10 |
This entry holds the maximum number of connections that the pool can create. |
Pool Max Wait |
150000 |
This entry holds the maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. |
Pool Min Evict Idle Time |
120000 |
This entry holds the minimum time, in milliseconds, the connector must wait before evicting an idle object. |
Pool Min Idle |
1 |
This entry holds the minimum number of idle objects in a pool. |
User Configuration Lookup |
Lookup.RESOURCE.UM.Configuration |
This entry holds the name of the lookup definition that contains configuration information specific to the user object type. See Lookup.RESOURCE.UM.Configuration for more information about this lookup definition. |
The Lookup.RESOURCE.UM.Configuration lookup definition contains entries specific to the user object type. This lookup definition is preconfigured.
Table 4-2 lists the default entries in this lookup definition when you have configured your target system as a target resource.
Table 4-2 Entries in the Lookup.RESOURCE.UM.Configuration Lookup Definition for a Target Resource Configuration
Code Key | Decode |
---|---|
Provisioning Attribute Map |
Lookup.RESOURCE.UM.ProvAttrMap |
Recon Attribute Map |
Lookup.RESOURCE.UM.ReconAttrMap |
Table 4-3 lists the default entries in this lookup definition when you have configured your target system as a trusted source.
Table 4-3 Entries in the Lookup.RESOURCE.UM.Configuration Lookup Definition for a Trusted Source Configuration
Code Key | Decode |
---|---|
Recon Attribute Defaults |
Lookup.RESOURCE.UM.ReconAttrMap.Defaults |
Recon Attribute Map |
Lookup.RESOURCE.UM.ReconAttrMap |
You can add or modify entries in this lookup definition. For example, you can add an entry in this lookup definition if you want to use the connector for configuring validation of data during reconciliation and provisioning. See Extending the Functionality of the Database Application Tables Connector for more information on using this lookup definition for transformation and validation.
The Lookup.RESOURCE.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. In this connector, the target system attributes correspond to the target system column names. Depending on whether you have configured your target system as a trusted source or as a target resource, this lookup definition is used during trusted source or target resource user reconciliation runs, respectively.
If you have configured your target system as a target resource:
The following is the format of the Code Key and Decode values in this lookup definition:
For single-valued attributes
Code Key: Reconciliation attribute of the resource object against which target resource user reconciliation runs must be performed
Decode: Corresponding connector attribute name or the target system column name
For multivalued attributes
Code Key: RO_ATTR_NAME~ATTR_NAME[LOOKUP]
In this format:
RO_ATTR_NAME specifies the reconciliation field for the child table.
ATTR_NAME is the name of the multivalued attribute.
[LOOKUP] is a keyword that is appended to the code key value if the child data is picked from a lookup or declared as an entitlement.
Decode: Combination of the following elements separated by the tilde (~) character:
EMBED_OBJ_NAME~RELATION_TABLE_NAME~ATTR_NAME
In this format:
EMBED_OBJ_NAME is the name of the object (for example, an account's address) on the target system that is embedded in another object.
RELATION_TABLE_NAME is the name of child table in the target system.
ATTR_NAME is the name of the column in the child table corresponding to the multivalued attribute in the Code Key column.
If you have configured your target system as a trusted source:
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Reconciliation attribute of the resource object against which trusted source user reconciliation runs must be performed
Decode: Corresponding target system column name
The entries in this lookup definition depend on the data available in the target system. The entries of this lookup definition are populated based on the values specified for the alias entry in the DBATConfiguration.groovy file. See Entries in the Predefined Sections for more information about the alias entry.
The Lookup.RESOURCE.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system column names. This lookup definition is used for performing provisioning operations.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the label on the process form
Decode: Corresponding target system column name
For entries corresponding to child form fields, the following is the format of the Code Key and Decode values:
Code Key: CHILD_FORM_NAME~FIELD_NAME
In this format:
CHILD_FORM_NAME specifies the name of the child form.
FIELD_NAME specifies the name of the label on the child form in the Administrative and User Console.
Decode: Combination of the following elements separated by the tilde (~) character:
EMBED_OBJ_NAME~RELATION_TABLE_NAME~COL_NAME
In this format:
EMBED_OBJ_NAME is the name of the object (for example, an account's address) on the target system that is embedded in another object.
RELATION_TABLE_NAME is the name of the child table in the target system.
COL_NAME is the name of the column in the child table corresponding to the child form field specified in the Code Key column.
The entries in this lookup definition depend on the data available in the target system. The values in the lookup definition are populated based on the value specified for the alias entry in the DBATConfiguration.groovy file. See Entries in the Predefined Sections for more information about the alias entry.
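The Code Key and Decode formats of Lookup.RESOURCE.UM.ReconAttrMap and Lookup.RESOURCE.UM.ProvAttrMap described above share one shape, which makes them easy to validate before a reconciliation or provisioning run. The following Python is an added example, not connector code from this guide or from Oracle: it parses {Code Key: Decode} pairs from either lookup definition into a structured record and rejects malformed entries. The sample entries, field names and column names are constructed; the parser assumes that the first tilde in a child-table Code Key separates RO_ATTR_NAME (or CHILD_FORM_NAME) from the attribute name and that a child-table Decode has exactly three tilde-separated parts.

```python
"""Parse Lookup.RESOURCE.UM.ReconAttrMap / Lookup.RESOURCE.UM.ProvAttrMap entries.

Added example, not connector code. Both lookup definitions share one shape:
  single-valued:  Code Key = FIELD                  Decode = COLUMN
  child table:    Code Key = PARENT~ATTR[LOOKUP]    Decode = EMBED_OBJ~RELATION_TABLE~COLUMN
where PARENT is RO_ATTR_NAME (recon map) or CHILD_FORM_NAME (provisioning map),
and the optional [LOOKUP] suffix marks child data picked from a lookup or
declared as an entitlement.
"""
from dataclasses import dataclass
from typing import Optional

LOOKUP_SUFFIX = "[LOOKUP]"


@dataclass(frozen=True)
class AttrMapping:
    kind: str                           # "single" or "child"
    field: str                          # recon field or process form label
    column: str                         # target system column
    parent: Optional[str] = None        # RO_ATTR_NAME or CHILD_FORM_NAME
    embedded_object: Optional[str] = None
    relation_table: Optional[str] = None
    from_lookup: bool = False


def parse_entry(code_key: str, decode: str) -> AttrMapping:
    """Parse one Code Key/Decode pair; raise ValueError on a malformed entry."""
    code_key, decode = code_key.strip(), decode.strip()
    if not code_key or not decode:
        raise ValueError("Code Key and Decode must both be non-empty")

    if "~" not in code_key:
        # Single-valued attribute: Decode is a bare column name.
        if "~" in decode:
            raise ValueError(f"{code_key!r}: single-valued entry has a tilde-separated Decode {decode!r}")
        return AttrMapping(kind="single", field=code_key, column=decode)

    # Child-table attribute: split on the first tilde only; the attribute
    # name itself is assumed not to contain further tildes.
    parent, _, attr = code_key.partition("~")
    if not parent or not attr or "~" in attr:
        raise ValueError(f"{code_key!r}: expected PARENT~ATTR_NAME[LOOKUP]")
    from_lookup = attr.endswith(LOOKUP_SUFFIX)
    if from_lookup:
        attr = attr[: -len(LOOKUP_SUFFIX)]
    if not attr:
        raise ValueError(f"{code_key!r}: attribute name missing before {LOOKUP_SUFFIX}")

    parts = decode.split("~")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"{code_key!r}: Decode {decode!r} must be EMBED_OBJ_NAME~RELATION_TABLE_NAME~COLUMN")
    embedded_object, relation_table, column = parts
    return AttrMapping(kind="child", field=attr, column=column, parent=parent,
                       embedded_object=embedded_object, relation_table=relation_table,
                       from_lookup=from_lookup)


def parse_attr_map(entries: dict) -> list:
    """Parse a whole lookup definition given as {Code Key: Decode}."""
    return [parse_entry(k, v) for k, v in entries.items()]


def child_tables(mappings) -> dict:
    """Group child-table mappings by relation table: {table: {attr: column}}."""
    tables = {}
    for m in mappings:
        if m.kind == "child":
            tables.setdefault(m.relation_table, {})[m.field] = m.column
    return tables


# Constructed sample entries; field and column names are hypothetical.
SAMPLE_RECON_ATTR_MAP = {
    "User ID": "USERID",
    "First Name": "FIRST_NAME",
    "Roles~Role Name[LOOKUP]": "roles~USER_ROLES~ROLE_NAME",
    "Groups~Group Name": "groups~USER_GROUPS~GROUP_NAME",
}

if __name__ == "__main__":
    for mapping in parse_attr_map(SAMPLE_RECON_ATTR_MAP):
        print(mapping)
    print(child_tables(parse_attr_map(SAMPLE_RECON_ATTR_MAP)))
```

Run the parser over an exported lookup definition before the first reconciliation run: an entry with a two-part Decode or a missing attribute name is exactly the kind of typo that otherwise only shows up as an unexplained reconciliation failure.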
The Lookup.RESOURCE.UM.ReconAttrMap.Defaults lookup definition holds default values of the mandatory fields on the OIM User form that are not mapped with the connector attributes. This lookup definition is created only if you have configured your target system as a trusted source.
This lookup definition is used when there is a mandatory field on the OIM User form, but no corresponding column in the target system from which values can be fetched during trusted source reconciliation runs. In addition, this lookup definition is used if the mandatory field on the OIM User form has a corresponding column that is empty or contains null values.
The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Name of the user field on the Administrative and User Console.
Decode: Corresponding default value to be displayed.
For example, the Role field is a mandatory field on the OIM User form. Suppose the target system contains no column that stores information about the role for a user account. During reconciliation, no value for the Role field is fetched from the target system. However, as the Role field cannot be left empty, you must specify a value for this field. Therefore, the Decode value of the Role Code Key has been set to Full-Time. This implies that the value of the Role field on the OIM User form displays Full-Time for all user accounts reconciled from the target system.
Table 4-4 lists the default entries in this lookup definition.
Table 4-4 Entries in the Lookup.RESOURCE.UM.ReconAttrMap.Defaults Lookup Definition
Code Key | Decode |
---|---|
Role |
Full-Time |
Organization Name |
Xellerate Users |
Xellerate Type |
End-User |
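The rule behind Table 4-4 (a default is used when a mandatory OIM User field has no mapped column, or when the mapped column is empty or NULL for that row) can be modelled in a few lines. The following Python is an added example, not connector code: it maps a target row through a trusted-source Recon Attribute Map, fills in the Table 4-4 defaults, and rejects the event if a mandatory field is still empty. The rows, column names, the set of mandatory fields, and the treatment of whitespace-only strings as empty are all assumptions made for the example.

```python
"""Apply Lookup.RESOURCE.UM.ReconAttrMap.Defaults during trusted source reconciliation.

Added example, not connector code. A default is used when the OIM User field
has no mapped target column, or when the mapped column is NULL or empty.
"""

# Default entries from Table 4-4.
RECON_ATTR_MAP_DEFAULTS = {
    "Role": "Full-Time",
    "Organization Name": "Xellerate Users",
    "Xellerate Type": "End-User",
}

# Constructed trusted-source mapping (OIM User field -> target column).
# No column supplies Role or Xellerate Type, so those always come from defaults.
SAMPLE_RECON_ATTR_MAP = {
    "User Login": "USERID",
    "Last Name": "LAST_NAME",
    "Organization Name": "ORG_NAME",
}

# Assumed set of mandatory OIM User form fields for this example.
MANDATORY_FIELDS = ("User Login", "Last Name", "Role", "Organization Name", "Xellerate Type")


def is_missing(value) -> bool:
    """NULL, empty and (by assumption) whitespace-only strings count as 'no value'."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def map_target_row(row: dict, recon_attr_map: dict) -> dict:
    """Translate one target row into OIM User field values via the Recon Attribute Map."""
    return {field: row.get(column) for field, column in recon_attr_map.items()}


def apply_recon_defaults(fields: dict, defaults: dict = RECON_ATTR_MAP_DEFAULTS):
    """Fill missing fields from the Defaults lookup; return (fields, list of defaulted fields)."""
    result = dict(fields)
    defaulted = []
    for field, default in defaults.items():
        if is_missing(result.get(field)):
            result[field] = default
            defaulted.append(field)
    return result, defaulted


def build_user_event(row: dict, recon_attr_map: dict = SAMPLE_RECON_ATTR_MAP,
                     defaults: dict = RECON_ATTR_MAP_DEFAULTS, mandatory=MANDATORY_FIELDS):
    """Map a row, apply defaults, and reject the event if a mandatory field is still empty."""
    fields, defaulted = apply_recon_defaults(map_target_row(row, recon_attr_map), defaults)
    still_missing = [f for f in mandatory if is_missing(fields.get(f))]
    if still_missing:
        raise ValueError(f"mandatory OIM User fields without value or default: {still_missing}")
    return fields, defaulted


# Constructed target rows.
SAMPLE_ROWS = [
    {"USERID": "jdoe", "LAST_NAME": "Doe", "ORG_NAME": "Finance"},
    {"USERID": "asmith", "LAST_NAME": "Smith", "ORG_NAME": None},  # NULL column -> default
    {"USERID": "bnull", "LAST_NAME": "", "ORG_NAME": "IT"},         # mandatory, no default
]

if __name__ == "__main__":
    for sample in SAMPLE_ROWS:
        try:
            print(build_user_event(sample))
        except ValueError as exc:
            print("rejected:", exc)
```

Note the third row: Last Name is mandatory but has no entry in the Defaults lookup, so an empty LAST_NAME column produces an event that cannot be completed. If such rows exist in the target, either add a default for the field or clean the source data before running trusted source reconciliation.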
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you may want to select a role from a lookup field to specify the role being assigned to the user.
When you deploy the connector, an empty lookup definition (Lookup.RESOURCE.Example) is created. The Lookup.RESOURCE.Example lookup definition is used to store values from a child table that must be displayed in a lookup field during provisioning. Depending upon your environment, you can customize the Lookup.RESOURCE.Example lookup definition to suit your requirement. Alternatively, you can create your own lookup definition for storing values to be displayed in a lookup field. See Using Lookup Definitions for information about setting up lookup fields.
Lookup field synchronization involves copying the most current values from specific tables in the target system into the lookup definitions (used as an input source for lookup fields, for example Lookup.RESOURCE.Example) in Oracle Identity Manager.
The RESOURCE Lookup Reconciliation scheduled job is used to synchronize values of these lookup definitions with the tables in the target system. While configuring the RESOURCE Lookup Reconciliation scheduled job, you specify the name of the lookup definition that you want to synchronize as the value of the Lookup Name attribute. See Scheduled Job for Lookup Field Synchronization for more information about this scheduled job.
After lookup definition synchronization, data is stored in the following format:
Code Key value: IT_RESOURCE_KEY~LOOKUP_FIELD_ID
In this format:
IT_RESOURCE_KEY is the numeric code assigned to each IT resource in Oracle Identity Manager.
LOOKUP_FIELD_ID is the target system code assigned to each lookup field entry. This value is populated based on the column name specified in the Code Key attribute of the RESOURCE Lookup Reconciliation scheduled job.
Sample value: 1~SA
Decode value: IT_RESOURCE_NAME~LOOKUP_FIELD_ID
In this format:
IT_RESOURCE_NAME is the name of the IT resource in Oracle Identity Manager.
LOOKUP_FIELD_ID is the target system code assigned to each lookup field entry. This value is populated based on the column name specified in the Decode attribute of the RESOURCE Lookup Reconciliation scheduled job.
Sample value: DBAT Lookup~SYS_ADMIN
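The entry format above (IT_RESOURCE_KEY~LOOKUP_FIELD_ID on the Code Key side, IT_RESOURCE_NAME~LOOKUP_FIELD_ID on the Decode side) is what the rest of a provisioning flow has to undo when a value is picked from the lookup field. The following Python is an added example, not connector code: it builds the synchronized entries from constructed child-table rows using the columns named by the Code Key Attribute and Decode Attribute, and resolves a selected Code Key back to the bare target value. The column names, the IT resource key 1 and the name "DBAT Lookup" reuse the sample values above; skipping rows with an empty code, falling back to the code when the decode column is NULL, and stripping only the first tilde are assumptions of this model, not documented connector behaviour.

```python
"""Model of the entries produced by the RESOURCE Lookup Reconciliation job.

Added example, not connector code. Rows from a target child table become
  Code Key = IT_RESOURCE_KEY~LOOKUP_FIELD_ID   Decode = IT_RESOURCE_NAME~LOOKUP_FIELD_ID
and a Code Key chosen on a process form is resolved back to LOOKUP_FIELD_ID.
"""


def build_lookup_entries(rows, code_key_column, decode_column, it_resource_key, it_resource_name):
    """Return ({Code Key: Decode}, skipped_rows) for the given child-table rows."""
    entries = {}
    skipped = []
    for row in rows:
        code = row.get(code_key_column)
        text = row.get(decode_column)
        if code is None or str(code).strip() == "":
            skipped.append(row)   # nothing to key the entry on (assumption: skip, do not fail)
            continue
        if text is None or str(text).strip() == "":
            text = code           # assumption: show the code when no display value exists
        entries[f"{it_resource_key}~{code}"] = f"{it_resource_name}~{text}"
    return entries, skipped


def split_lookup_value(value: str):
    """Split 'PREFIX~LOOKUP_FIELD_ID' on the first tilde only; the field id may contain tildes."""
    prefix, sep, field_id = value.partition("~")
    if not sep or not prefix or not field_id:
        raise ValueError(f"not a synchronized lookup value: {value!r}")
    return prefix, field_id


def target_value_for(code_key: str, entries: dict, it_resource_key) -> str:
    """Resolve a Code Key chosen on a process form to the value written to the target column."""
    if code_key not in entries:
        raise KeyError(f"{code_key!r} is not in the lookup definition")
    prefix, field_id = split_lookup_value(code_key)
    if prefix != str(it_resource_key):
        raise ValueError(f"{code_key!r} belongs to IT resource key {prefix}, not {it_resource_key}")
    return field_id


# Constructed child-table rows; ROLE_CODE and ROLE_NAME are hypothetical columns.
SAMPLE_ROLE_ROWS = [
    {"ROLE_CODE": "SA", "ROLE_NAME": "SYS_ADMIN"},
    {"ROLE_CODE": "RO", "ROLE_NAME": "READ_ONLY"},
    {"ROLE_CODE": "", "ROLE_NAME": "ORPHAN"},        # no code: skipped
    {"ROLE_CODE": "AU~DIT", "ROLE_NAME": None},      # tilde inside the id, NULL display value
]

if __name__ == "__main__":
    synced, dropped = build_lookup_entries(SAMPLE_ROLE_ROWS, "ROLE_CODE", "ROLE_NAME", 1, "DBAT Lookup")
    for key, value in synced.items():
        print(key, "->", value)
    print("skipped:", dropped)
    print(target_value_for("1~AU~DIT", synced, 1))
```

The IT resource prefix is what keeps entries from different IT resources apart inside one lookup definition, so a value chosen from the lookup must be checked against the IT resource of the account being provisioned before its prefix is stripped; the example raises on a mismatch rather than silently writing another resource's code.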
When you run the Connector Installer, scheduled jobs are automatically created in Oracle Identity Manager.
This section discusses the following topics:
The RESOURCE Lookup Reconciliation scheduled job is used for lookup field synchronization. You must specify values for the attributes of this scheduled job.
Table 4-5 describes the attributes of the RESOURCE Lookup Reconciliation scheduled job. About Configuring Scheduled Jobs for DBAT Connector describes the procedure to configure scheduled jobs.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.
Table 4-5 Attributes of the RESOURCE Lookup Reconciliation Scheduled Job
Attribute | Description |
---|---|
Code Key Attribute |
Enter the name of the attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). The value must be in the following format:
|
Decode Attribute |
Enter the name of the attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). The value must be in the following format:
|
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile records. Default value: |
Lookup Name |
Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. Default value: Note: Before you perform lookup field synchronization, the lookup definition name that you specify must exist in Oracle Identity Manager. |
Object Type |
Enter the type of object you want to reconcile. Default value: Note: For lookup field synchronization, the object type must be any object other than "User." |
This section discusses the attributes of the following scheduled jobs:
After you create the connector, the scheduled task for user data reconciliation is automatically created in Oracle Identity Manager. A scheduled job, which is an instance of this scheduled task, is used to reconcile user data from the target system. The following scheduled jobs are used for user data reconciliation:
RESOURCE Target Resource User Reconciliation
This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector.
RESOURCE Trusted Resource User Reconciliation
This scheduled job is used to reconcile user data in the trusted source (identity management) mode of the connector.
You must specify values for the attributes of the user reconciliation scheduled jobs. Table 4-6 describes the attributes of both scheduled jobs.
Table 4-6 Attributes of the User Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
Filter |
Enter the search filter for fetching records from the target system during a reconciliation run. See About Performing Limited Reconciliation for more information. |
ITResource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Sample value: |
Object Type |
Enter the type of object you want to reconcile. Sample value: Note: User is the only object that is supported. Therefore, do not change the value of the attribute. |
Resource Object Name |
Enter the name of the resource object that is used for reconciliation. Sample value: |
Scheduled Task Name |
Name of the scheduled task that is used for reconciliation. The default value of this attribute in the RESOURCE Target Resource User Reconciliation scheduled job is RESOURCE The default value of this attribute in the RESOURCE Trusted User Reconciliation scheduled job is |
After you create the connector, the scheduled task for reconciling data about deleted user records is automatically created in Oracle Identity Manager. A scheduled job, which is an instance of this scheduled task, is used to reconcile deleted user data from the target system. The following scheduled jobs are used for reconciliation of deleted user records:
RESOURCE Target Resource User Delete Reconciliation
This scheduled job is used to reconcile data about deleted user records in the target resource (account management) mode of the connector.
RESOURCE Trusted User Delete Reconciliation
This scheduled job is used to reconcile data about deleted user records in the trusted source (identity management) mode of the connector.
You must specify values for the attributes of the user reconciliation scheduled jobs. Table 4-7 describes the attributes of both scheduled jobs.
Table 4-7 Attributes of the Delete User Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
Filter |
No value should be provided in filter. |
ITResource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Sample value: |
Object Type |
Enter the type of object you want to reconcile. Sample value: Note: User is the only object that is supported. Therefore, do not change the value of the attribute. |
Resource Object Name |
Enter the name of the resource object that is used for reconciliation. Sample value: |
While configuring the DBATConfiguration.groovy file, if you have specified a value for the changeLogColumn property, then the scheduled job for incremental reconciliation is automatically created in Oracle Identity Manager when you install the connector. If you did not specify a value for the changeLogColumn property before connector installation, then perform the procedure described in Configuring the Connector for Incremental Reconciliation to create the scheduled job for incremental reconciliation.
The following scheduled jobs are used for incremental reconciliation:
RESOURCE Target Incremental Resource User Reconciliation
This scheduled job is used to perform incremental reconciliation in the target resource (account management) mode of the connector.
RESOURCE Trusted Incremental Resource User Reconciliation
This scheduled job is used to perform incremental reconciliation in the trusted source (identity management) mode of the connector.
Table 4-8 describes the attributes of both scheduled jobs.
Table 4-8 Attributes of the Scheduled Jobs for Incremental Reconciliation
Attribute | Description |
---|---|
ITResource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Sample value: |
Object Type |
Enter the type of object you want to reconcile. Default value: Note: User is the only object that is supported. Therefore, do not change the value of the attribute. |
Resource Object Name |
Enter the name of the resource object that is used for reconciliation. Sample value: |
Scheduled Task Name |
Name of the scheduled task that is used for reconciliation. Default value: |
Sync Token |
Depending on the value specified for the changeLogColumn property in the Config entry of the DBATConfiguration.groovy file, this attribute holds one of the following values:
Sample value: Note: Do not enter a value for this attribute; the reconciliation engine enters a value automatically. This attribute stores values in an XML serialized format. |
As discussed earlier, the scheduled job for incremental reconciliation is automatically created in Oracle Identity Manager during connector installation, if you have specified a value for the changeLogColumn property while configuring the DBATConfiguration.groovy file. If you did not specify a value for the changeLogColumn property before installing the connector, you can still configure the connector to create the scheduled job for incremental reconciliation. To do so:
In a text editor, open the DBATConfiguration.groovy file for editing. This file is located in the dbat-RELEASE_NUMBER/generator/dbat-generator-RELEASE_NUMBER directory of the connector installation ZIP.
Set a value for the changeLogColumn property. See the "changeLogColumn" row of Table 2-1 for information about the values that you can specify for this property.
Run the DBAT Generator. See Discover the Schema and Generate the Connector for information on running the DBAT Generator. The connector package is generated that contains the IT_RES_DEF-ConnectorConfig.xml file. This file contains definitions for connector components such as IT resource, lookup definitions, scheduled tasks, process forms, and resource objects.
Import the scheduled job and task corresponding to incremental reconciliation from the IT_RES_DEF-ConnectorConfig.xml file. To do so:
Note:
See Importing Deployments in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed instructions on performing each of the steps discussed in this procedure.
Log in to the System Administration console.
Add the IT_RES_DEF-ConnectorConfig.xml file to the Deployment Manager for import.
Except for the incremental reconciliation scheduled job and task, remove all other artifacts from the IT_RES_DEF-ConnectorConfig.xml file.
Import the IT_RES_DEF-ConnectorConfig.xml file.
Update the IT resource by setting the value of the changeLogColumn parameter to the value entered in Step 2.
This completes the procedure for importing the scheduled job for incremental reconciliation into Oracle Identity Manager.
This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.
Table 4-9 lists the scheduled jobs that you can configure.
Table 4-9 Scheduled Jobs for Lookup Field Synchronization and Reconciliation
Scheduled Task | Description |
---|---|
RESOURCE Lookup Reconciliation |
This scheduled job is used for lookup field synchronization. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job. |
RESOURCE Target Resource User Reconciliation |
This scheduled job is used for user reconciliation when the target system is configured as a target resource. See Scheduled Jobs for Reconciliation of User Records for more information. |
RESOURCE Trusted Resource User Reconciliation |
This scheduled job is used for user reconciliation when the target system is configured as a trusted source. See Scheduled Jobs for Reconciliation of User Records for more information. |
RESOURCE Target Resource User Delete Reconciliation |
This scheduled job is used for reconciliation of deleted user records when the target system is configured as a target resource. See Scheduled Jobs for Reconciliation of Deleted Users Records for more information. |
RESOURCE Trusted Resource User Delete Reconciliation |
This scheduled job is used for reconciliation of deleted user records when the target system is configured as a trusted source. See Scheduled Jobs for Reconciliation of Deleted Users Records for more information. |
RESOURCE Target Incremental Resource User Reconciliation |
This scheduled job is used to perform incremental reconciliation when the target system is configured as a target resource. See Scheduled Jobs for Incremental Reconciliation for more information. |
RESOURCE Trusted Incremental Resource User Reconciliation |
This scheduled job is used to perform incremental reconciliation when the target system is configured as a trusted source. See Scheduled Jobs for Incremental Reconciliation for more information. |
To configure a scheduled job:
Log in to Oracle Identity System Administration.
In the left pane, under System Management, click Scheduler.
Search for and open the scheduled task as follows:
On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
In the search results table on the left pane, click the scheduled job in the Job Name column.
On the Job Details tab, you can modify the following parameters:
Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
Note:
See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.
In addition to modifying the job details, you can enable or disable a job.
On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.
Attributes of the scheduled task are discussed in About Attributes of the Scheduled Jobs.
Click Apply to save the changes.
Note:
The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.
Reconciliation involves replicating in Oracle Identity Manager the creation of, and modifications to, user accounts on the target system.
This section discusses the following topics related to configuring reconciliation:
As mentioned earlier, target resource reconciliation involves fetching data about newly created or modified users on the target system and using this data to add or modify resources assigned to OIM Users. Provisioning involves creating or modifying account data on the target system through Oracle Identity Manager.
The scheduled job that you use to start a target resource reconciliation run is automatically created when you create the connector.
See Also:
Managing Reconciliation in Oracle Fusion Middleware Administering Oracle Identity Manager for generic information about connector reconciliation
This section discusses the following topics:
Table 4-10 provides information about the mandatory user attribute mappings for target resource reconciliation and provisioning. The remaining user attribute mappings for provisioning and reconciliation are created from the alias mapping specified in the DBATConfiguration.groovy file. In other words, all other attributes that are taken dynamically from the columns in your target system must be mapped to their corresponding fields in Oracle Identity Manager. This mapping is achieved by specifying a value for the alias entry in the DBATConfiguration.groovy file. See Entries in the Predefined Sections for more information about the alias element in the section for configuring the target system as a target resource.
Table 4-10 User Attributes for Target Resource Reconciliation and Provisioning
Process Form Field | Connector Attribute | Description | Mandatory? |
---|---|---|---|
User ID |
__NAME__ |
Unique ID of a user account |
Yes |
Unique Id |
__UID__ |
Unique ID of a user account. This is a connector attribute. Note: This is a hidden field. The value in this field is used by the connector to update the user ID. |
Yes |
Password |
__PASSWORD__ |
Password of the user account |
Yes, when the corresponding target system column is mandatory. |
Status |
__ENABLE__ |
This field stores the status of the user account. |
Yes, when the target system contains a column that stores the status of a user account. |
The connector performs the following actions during a target resource reconciliation run:
For each account created on the target system, a reconciliation event is generated. Depending on the reconciliation matching rule, a resource is assigned to the corresponding OIM User.
Updates made to each account on the target system generate update reconciliation events. These updates are propagated to the corresponding resource.
Deletion of child data from accounts on the target system results in deletion of the same data from the resource. For example, if user John Doe is removed from the Leave Approvers group on the target system, then the same action is performed on the resource assigned to the OIM User John Doe.
See Also:
Reconciliation Metadata in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for generic information about reconciliation matching and action rules
The following sections provide information about the reconciliation rules for this connector:
Reconciliation rules are automatically created when you create the Database Application Tables connector. The following is the process-matching rule:
Rule name: RESOURCE User
Rule element: User Login Equals User ID
In the rule name, RESOURCE is the name of the IT resource (for example, DB1) that you specify for the itResourceName entry in the DBATConfiguration.groovy file.
In the rule element:
User Login is the User ID field on the OIM User form.
User ID is the __NAME__ attribute of the connector.
The following sections provide information about the reconciliation action rules for this connector:
Table 4-11 lists the action rules for target resource reconciliation.
Table 4-11 Action Rules for Target Resource Reconciliation
Rule Condition | Action |
---|---|
No Matches Found |
Assign to Authorizer With Least Load |
One Entity Match Found |
Establish Link |
One Process Match Found |
Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Setting a Reconciliation Action Rule in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about modifying or creating reconciliation action rules.
Provisioning involves creating or modifying a user's data on the target system through Oracle Identity Manager.
The connector supports the following provisioning functions:
Create User
Update User
Enable User
Disable User
Revoke User
Grant Entitlement
Revoke Entitlement
Note:
The Enable User or Disable User provisioning operations are supported only if there is a column in the target system that stores user account status and values for the Status Column, Enable Value, and Disable Value columns are set.
Trusted source reconciliation involves fetching data about newly created or modified users directly on the target system and using this data to create or update OIM Users.
See Trusted Source Reconciliation in Oracle Fusion Middleware Administering Oracle Identity Manager for conceptual information about trusted source reconciliation.
This section discusses the following topics:
Table 4-12 provides information about the mandatory user attribute mappings for trusted source reconciliation. The remaining user attribute mappings for reconciliation must be created. In other words, all other attributes that are taken dynamically from the columns in your target system must be mapped to their corresponding fields in Oracle Identity Manager. This mapping is achieved by specifying a value for the alias entry in the DBATConfiguration.groovy file. See Entries in the Predefined Sections for more information about the alias element in the section for configuring the target system as a trusted source.
Table 4-12 lists user attributes for trusted source reconciliation.
Table 4-12 User Attributes for Trusted Source Reconciliation
OIM User Form Field | Connector or Target System Attribute | Description |
---|---|---|
User Login | __UID__ | User login of a user account. This is a connector attribute. Note: This is a hidden field. The value in this field is used by the connector to update the user ID. |
Last Name | __NAME__ | Unique ID of a user account. |
Status | __ENABLE__ | Status of the user account. This is a connector attribute. This attribute is mandatory if the target system contains a column for storing statuses of user accounts. |
See Also:
Reconciliation Metadata in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for generic information about reconciliation matching and action rules
Reconciliation rules are automatically created when you create the Database Applications Table connector. The following is the process-matching rule:
Rule name: RESOURCE Trusted User
Rule element: User Login Equals User ID
In the rule name, RESOURCE is the name of the IT resource (for example, DBAT) that you specify for the itResourceName entry in the DBATConfiguration.groovy file.
In the rule element:
User Login is the User ID field on the OIM User form.
User ID is the __NAME__ attribute of the connector.
After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
The following sections provide information about the reconciliation action rules for this connector:
Table 4-13 lists the action rules for trusted source reconciliation.
Table 4-13 Action Rules for Trusted Source Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Create User |
One Entity Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Setting a Reconciliation Action Rule in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about modifying or creating reconciliation action rules.
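The following is an added example, not Oracle's or the connector's own code. It applies the process-matching rule described above (OIM User Login equals the connector's __NAME__ attribute) to constructed sample records and then dispatches on the Table 4-13 action rules, so that a condition with no predefined rule (here, more than one match) results in no action. The user records, the OIM user list and the data shapes are constructed for the example.

```python
"""Added example (not Oracle's code): evaluates the DBAT trusted-source
matching rule "User Login Equals User ID" and the Table 4-13 action rules
over constructed data. All names and records below are constructed."""
from dataclasses import dataclass

# Action rules from Table 4-13; any other rule condition has no predefined
# action for this connector, so nothing is done for it.
ACTION_RULES = {
    "No Matches Found": "Create User",
    "One Entity Match Found": "Establish Link",
}


@dataclass(frozen=True)
class OimUser:
    user_login: str
    last_name: str


def rule_condition(record, oim_users):
    """Evaluate the process-matching rule: the OIM 'User Login' field equals
    the connector's __NAME__ (User ID) attribute. Comparison is exact, as the
    rule element says 'Equals'. Returns the name of the rule condition."""
    matches = [u for u in oim_users if u.user_login == record["__NAME__"]]
    if not matches:
        return "No Matches Found"
    if len(matches) == 1:
        return "One Entity Match Found"
    return "Multiple Matches Found"  # not predefined for this connector


def reconcile(records, oim_users):
    """Return one (record __NAME__, rule condition, action) tuple per record.
    The action is None when the condition has no predefined action rule."""
    result = []
    for record in records:
        condition = rule_condition(record, oim_users)
        result.append((record["__NAME__"], condition, ACTION_RULES.get(condition)))
    return result


# Constructed OIM users. The duplicate login is constructed only to exercise
# the branch where the rule condition has no predefined action.
OIM_USERS = [
    OimUser("jdoe", "Doe"),
    OimUser("asmith", "Smith"),
    OimUser("asmith", "Smyth"),
]

# Constructed target-system records in connector attribute form (Table 4-12).
RECORDS = [
    {"__UID__": "jdoe", "__NAME__": "jdoe", "__ENABLE__": True},
    {"__UID__": "bnew", "__NAME__": "bnew", "__ENABLE__": True},
    {"__UID__": "asmith", "__NAME__": "asmith", "__ENABLE__": False},
]

if __name__ == "__main__":
    for name, condition, action in reconcile(RECORDS, OIM_USERS):
        print(f"{name}: {condition} -> {action or 'no action'}")
```

Running the module lists, for each constructed record, which rule condition it produced and which action (if any) the predefined rules would take.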
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.
You can perform a full reconciliation run in one of the following manners:
Ensure that no value is specified for the Filter attribute of the scheduled job for user data reconciliation. See Scheduled Jobs for Reconciliation of User Records for information about the Filter attribute.
Ensure the Sync Token attribute of the scheduled job for incremental reconciliation does not contain any value. See Scheduled Jobs for Incremental Reconciliation for information about the Sync Token attribute.
In incremental reconciliation, only records created or modified after the date/timestamp at which the last reconciliation run was performed are considered for reconciliation. To perform incremental reconciliation, configure and run the scheduled job for incremental reconciliation. Note that the first time you run the scheduled job for incremental reconciliation, a full reconciliation is performed. Also note that the scheduled job for incremental reconciliation is generated only if you specify a last-update column as the value of the changeLogColumn property in the DBATConfiguration.groovy file.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.
You can configure limited reconciliation by performing the procedures described in one of the following sections:
You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the Database Application Tables resource attributes to filter the target system records.
When you specify a value for the Filter attribute, only the target system records that match the filter criterion are reconciled into Oracle Identity Manager. If you do not specify a value for the Filter attribute, then all the records in the target system are reconciled into Oracle Identity Manager.
You specify a value for the Filter attribute while configuring the user reconciliation scheduled job.
For detailed information about Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
If you want to filter values that are being retrieved from different tables by using native SQL queries, then use the customizedQuery property to configure limited reconciliation. You can configure limited reconciliation by specifying a value for either the customizedQuery property in the DBATConfiguration.groovy file or customizedQuery IT resource parameter.
As the value of the customizedQuery parameter, you must specify a WHERE clause that selects the subset of newly added or modified records that you want to reconcile. For example, specifying the following WHERE clause as the value of the customizedQuery parameter returns all user records whose first name is John:
WHERE FIRST_NAME='JOHN'
The following is another example of a WHERE clause that returns all user records whose location contains "land" (the pattern has a wildcard on both sides, so the match is not restricted to values that end in "land"):
WHERE LOCATION LIKE '%LAND%'
Note:
If you are configuring limited reconciliation by using the customizedQuery property, then first test the query by running it on a staging server to ensure that data in the production server is altered as desired.
At any given point in time, you can change the WHERE clause by modifying the value of the customizedQuery parameter of the IT resource. There is no need to change the value in the DBATConfiguration.groovy file and regenerate the connector.
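The following added example (not Oracle's or the DBAT connector's code) shows how the three reconciliation modes described above differ in the rows they select. A constructed sqlite3 table stands in for the target system table; the column names, the way the WHERE clause and the Sync Token are combined into one SELECT, and the pre-flight checks on the customizedQuery value are assumptions made for the example, not the connector's internals. The checks complement the note above about trying the query on a staging server first: they reject a value that is not a single WHERE clause before it reaches the IT resource.

```python
"""Added example (not Oracle's code): simulates full, limited (customizedQuery)
and incremental (Sync Token on the changeLogColumn) record selection against a
constructed sqlite3 table. Column names and the composed SELECT are assumptions."""
import re
import sqlite3

TABLE = "USERS"                     # constructed target table name
CHANGE_LOG_COLUMN = "LAST_UPDATE"   # plays the role of the changeLogColumn property


def check_where_clause(clause):
    """Conservative sanity checks for a customizedQuery value: it must be a single
    WHERE clause, without a statement separator, SQL comment or unbalanced quote.
    A clause containing '--' inside a string literal is rejected too, on purpose."""
    if not re.match(r"(?is)^\s*WHERE\s+\S", clause):
        raise ValueError("customizedQuery must start with WHERE")
    if ";" in clause or "--" in clause or "/*" in clause:
        raise ValueError("customizedQuery must be one clause, without ';' or comments")
    if clause.count("'") % 2:
        raise ValueError("unbalanced quote in customizedQuery")
    return clause.strip()


def select_records(conn, customized_query=None, sync_token=None):
    """Select the rows one reconciliation run would consider.
    - full reconciliation: no customizedQuery and no Sync Token
    - limited reconciliation: customizedQuery narrows the rows
    - incremental: only rows whose change-log value is after the Sync Token;
      with an empty token the run is a full one, as the first run is.
    Returns (rows, new_sync_token); the token is the latest timestamp seen."""
    conditions, params = [], []
    if customized_query:
        conditions.append(check_where_clause(customized_query)[len("WHERE"):])
    if sync_token is not None:
        # Timestamps are compared as text here, so the token must use the same
        # format as the column (the page requires matching date formats).
        conditions.append(f"{CHANGE_LOG_COLUMN} > ?")
        params.append(sync_token)
    sql = f"SELECT USER_ID, FIRST_NAME, LOCATION, {CHANGE_LOG_COLUMN} FROM {TABLE}"
    if conditions:
        sql += " WHERE " + " AND ".join(f"({c})" for c in conditions)
    rows = conn.execute(sql, params).fetchall()
    new_token = max((r[3] for r in rows), default=sync_token)
    return rows, new_token


def sample_db():
    """Constructed target table with four user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE} (USER_ID TEXT, FIRST_NAME TEXT, LOCATION TEXT, "
        f"{CHANGE_LOG_COLUMN} TEXT)"
    )
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)", [
        ("jdoe",   "JOHN",  "FINLAND",   "2024-01-10 09:00:00"),
        ("jsmith", "JOHN",  "PORTLAND",  "2024-01-11 09:00:00"),
        ("akumar", "ANITA", "HIGHLANDS", "2024-01-12 09:00:00"),
        ("mlee",   "MEI",   "SINGAPORE", "2024-01-13 09:00:00"),
    ])
    return conn


if __name__ == "__main__":
    conn = sample_db()
    rows, token = select_records(conn)                       # full run
    print("full:", [r[0] for r in rows], "token:", token)
    rows, _ = select_records(conn, "WHERE FIRST_NAME='JOHN'")  # limited run
    print("first name John:", [r[0] for r in rows])
    rows, _ = select_records(conn, "WHERE LOCATION LIKE '%LAND%'")
    print("location contains LAND:", [r[0] for r in rows])
    rows, _ = select_records(conn, sync_token=token)          # nothing changed
    print("incremental after token:", [r[0] for r in rows])
```

The incremental branch keeps the previous token when no rows are returned, so an empty run does not lose its position; a run that does return rows advances the token to the latest change-log value it saw.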
You create a new user in Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Manager:
Log in to Oracle Identity Administrative and User console.
Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.
On the Account tab, click Request Accounts.
In the Catalog page, search for and add to cart the application instance created for the IT resource (in Creating an Application Instance), and then click Checkout.
Specify values for fields in the application form. In addition to specifying values for the parent form, if you want to add child values, then you can specify values for fields on the child form.
Note:
Ensure that you select correct values for lookup-type fields, because some of them are dependent fields. Selecting a wrong value for such a field may cause the provisioning operation to fail.
Click Ready to Submit.
Click Submit.
If you want to provision entitlements, then:
On the Entitlements tab, click Request Entitlements.
In the Catalog page, search for and add to cart the entitlement, and then click Checkout.
Click Submit.
You can configure action scripts to run before or after the create, update, or delete account provisioning operations.
This section describes action scripts in the following topics:
Actions are scripts that you can configure to run before or after the create, update, or delete account provisioning operations. For example, you could configure a script to run before every user creation.
Every connector should specify the scripting language and target it supports. The Database Application Tables connector supports the following scripts:
CMD: Windows batch script
GROOVY: Groovy script
The target means the location where the script is executed. If the target is Connector, then the script is executed on the same computer (JVM or .Net Runtime) where the connector is deployed. For example, if you deploy the connector on the connector server, the script will be executed on that computer.
That is, if you have deployed the connector in OIM, the script runs in your JVM. If you have deployed the connector remotely in the connector server, then the script runs in the remote JVM or .Net Runtime.
Note:
This connector supports only the Connector target. This means that the connector supports execution of action scripts on the computer on which the connector is deployed. However, action scripts on the target system can be handled by using custom Groovy scripts or procedures. See Configuring the Connector for Stored Procedures and Groovy Scripts for more information.
Table 4-14 describes the entries to be added to the Lookup.RESOURCE.UM.Configuration lookup definition for running actions scripts.
Table 4-14 Lookup Entries for Running Action Scripts
Code Key | Decode |
---|---|
SCHEDULE Action Language | Scripting language of the script you want to run. Enter |
SCHEDULE Action File | Full path and name of the file containing the script to be run. Note that the file containing the script must be located on the computer on which Oracle Identity Manager is running. |
SCHEDULE Action Target | Context in which the script must be run. Enter |
In the preceding table, SCHEDULE defines when an action must be performed. An action can be invoked either before or after a create, update, or delete provisioning operation. Therefore, SCHEDULE can be replaced with any of the following values:
Before Create
Before Update
Before Delete
After Create
After Update
After Delete
All the entries in Table 4-14 define an action together. Therefore, to configure action scripts, all the entries must be defined. Otherwise, no action is performed.
As an example, the following procedure describes the steps to run a cmd script before a create operation:
Now, this action will be executed every time you create a user. You must configure these three values for each action you want to execute.
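The following added example (not Oracle's code) is a pre-flight check for the Lookup.RESOURCE.UM.Configuration entries described in Table 4-14. It groups the entries by SCHEDULE and reports any action that is not fully defined, since the text above says an action with a missing entry is silently not performed. The lookup contents are constructed; the assumptions are that the Decode values for the language are the CMD and GROOVY names listed above, that the only supported target is Connector, and that checking whether the script file exists on the Oracle Identity Manager host is a useful extra step rather than something the connector does itself.

```python
"""Added example (not Oracle's code): validates action-script entries of the
Lookup.RESOURCE.UM.Configuration lookup definition (Table 4-14). The lookup
below is constructed; accepted language and target values are assumptions
drawn from the page (CMD, GROOVY; Connector)."""
import os

SCHEDULES = ("Before Create", "Before Update", "Before Delete",
             "After Create", "After Update", "After Delete")
FIELDS = ("Action Language", "Action File", "Action Target")
LANGUAGES = ("CMD", "GROOVY")      # assumed Decode values for Action Language
TARGETS = ("Connector",)           # the only target this connector supports


def parse_actions(lookup):
    """Group lookup entries as {schedule: {field: decode}} for every code key of
    the form '<SCHEDULE> Action Language|File|Target'; other keys are ignored."""
    actions = {}
    for code_key, decode in lookup.items():
        for schedule in SCHEDULES:
            if code_key.startswith(schedule + " "):
                field = code_key[len(schedule) + 1:]
                if field in FIELDS:
                    actions.setdefault(schedule, {})[field] = decode
    return actions


def validate_actions(lookup, check_files=False):
    """Return {schedule: [problems]}; an empty list means the action is fully
    defined. Because an action with any entry missing is not performed, an
    incomplete triple is reported instead of being silently skipped."""
    report = {}
    for schedule, entries in parse_actions(lookup).items():
        problems = [f"missing {f}" for f in FIELDS if f not in entries]
        lang = entries.get("Action Language")
        if lang is not None and lang not in LANGUAGES:
            problems.append(f"unsupported language {lang!r}")
        target = entries.get("Action Target")
        if target is not None and target not in TARGETS:
            problems.append(f"unsupported target {target!r}; only Connector is supported")
        path = entries.get("Action File")
        if check_files and path and not os.path.isfile(path):
            problems.append(f"script file not found on this host: {path}")
        report[schedule] = problems
    return report


# Constructed lookup contents: one complete action, one with a missing entry,
# and one with values this connector does not support.
SAMPLE_LOOKUP = {
    "Before Create Action Language": "CMD",
    "Before Create Action File": r"C:\scripts\precreate.bat",
    "Before Create Action Target": "Connector",
    "After Update Action Language": "GROOVY",
    "After Update Action File": "/opt/oim/scripts/postupdate.groovy",
    # "After Update Action Target" intentionally absent
    "After Delete Action Language": "PYTHON",
    "After Delete Action File": "/opt/oim/scripts/cleanup.py",
    "After Delete Action Target": "Resource",
    "Configuration Lookup": "Lookup.DBAT.Configuration",  # unrelated entry, ignored
}

if __name__ == "__main__":
    for schedule, problems in validate_actions(SAMPLE_LOOKUP).items():
        print(f"{schedule}: {'ok' if not problems else '; '.join(problems)}")
```

Pass check_files=True only when running the check on the Oracle Identity Manager host itself, since Table 4-14 requires the script file to be located there.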
Uninstalling the connector deletes all the account-related data associated with its resource objects.
If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.