1. Connector Guide for Siebel User Management
  2. Using the Connector

3 Using the Connector

You can use the Siebel User Management connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

This chapter provides information about the following topics:

3.1 Guidelines to Apply While Using the Connector

Apply the following guidelines while using the connector:

  • While creating an account for a user of type 'User' in the target system, the Position field is optional. Suppose you create a target system user account (of the type 'User') without specifying a value for the Position attribute. After you run the scheduled job for user reconciliation, the details of this newly created target system account are reconciled into Oracle Identity Manager.

    In the Administrative and User Console, when you update the attributes of the OIM User (corresponding to the newly created target system user account), this update provisioning operation fails. This is because Position is a mandatory field on the OIM User process form.

    As a workaround, log in to the Design Console, mark the Position field as optional on the process form, and then run reconciliation for users of type 'Users'.

  • The following is a guildeline on performing provisioning:

    To activate a user or an employee account in Oracle Identity Manager, assign a responsibility.

    To deactivate a user or an employee account in Oracle Identity Manager, delete all responsibilities assigned to the corresponding user or employee in the target system, and then run reconciliation.

3.2 Performing First-Time Reconciliation

First-time reconciliation involves synchronizing lookup definitions in Oracle Identity Manager with the lookup fields of the target system, and performing full reconciliation. In full reconciliation, all existing user records from the target system are brought into Oracle Identity Manager.

The following is the sequence of steps involved in reconciling all existing user records:

  1. Perform lookup field synchronization by running the scheduled jobs provided for this operation.

    See Scheduled Job for Lookup Field Synchronization for information about the attributes of the scheduled jobs for lookup field synchronization.

  2. Perform user reconciliation by running the scheduled job for user reconciliation.

    See Scheduled Jobs for Reconciliation of User Records for information about the attributes of this scheduled job.

After first-time reconciliation, the Latest Token attribute of the Siebel Target User Recon scheduled job is automatically set to the time stamp at which the reconciliation run ended.

From the next reconciliation run onward, only target system user records that are added or modified after the time stamp stored in the scheduled job are considered for incremental reconciliation. These records are brought to Oracle Identity Manager when you configure and run the user reconciliation scheduled job.

3.3 Scheduled Job for Lookup Field Synchronization

The following scheduled jobs are used for lookup fields synchronization:

  • Siebel Lookup Recon for Employee Type Code

  • Siebel Lookup Recon for Personal Title

  • Siebel Lookup Recon for Position

  • Siebel Lookup Recon for Preferred Communications

  • Siebel Lookup Recon for Responsibility

  • Siebel Lookup Recon for TimeZone

You must specify values for the attributes of these scheduled jobs. Table 3-1 describes the attributes of these scheduled jobs. Configuring Scheduled Jobs describes the procedure to configure scheduled jobs.

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Table 3-1 Attributes of the Scheduled Jobs for Lookup Field Synchronization

Attribute Description

ITResource

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: SIEBEL IT Resource

Object Type

Enter the type of object you want to reconcile.

Depending on the scheduled job that you are running, the default value is one of the following:

  • For Siebel Lookup Recon for Employee Type Code: Employee;Employee;Employee Type Code;Value;Description

  • For Siebel Lookup Recon for Personal Title: Employee;Employee;Personal Title;Value;Description

  • For Siebel Lookup Recon for Position: Position;Position;Position Id;Name

  • For Siebel Lookup Recon for Preferred Communications: Employee;Employee;PreferredCommunications;Value;Description

  • For Siebel Lookup Recon for Responsibility: Responsibility;Responsibility;Name;Description

  • For Siebel Lookup Recon for TimeZone: Employee;Employee;Time Zone Name - Translation;Name;Standard Abbreviation

Lookup Name

Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system.

Depending on the scheduled job that you are using, the default values are as follows:

  • For Siebel Lookup Recon for Employee Type Code: Lookup.Siebel.EmployeeTypeCode

  • For Siebel Lookup Recon for Personal Title: Lookup.Siebel.PersonalTitle

  • For Siebel Lookup Recon for Position: Lookup.Siebel.Position

  • For Siebel Lookup Recon for Preferred Communications: Lookup.Siebel.PreferredCommunications

  • For Siebel Lookup Recon for Responsibility: Lookup.Siebel.Responsibility

  • For Siebel Lookup Recon for TimeZone: Lookup.Siebel.TimeZone

Code Key Attribute

Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Depending on the scheduled job that you are using, the default values are as follows:

  • For Siebel Lookup Recon for Employee Type Code: Value

  • For Siebel Lookup Recon for Personal Title: Value

  • For Siebel Lookup Recon for Position: Position Id

  • For Siebel Lookup Recon for Preferred Communications: Value

  • For Siebel Lookup Recon for Responsibility: Name

  • For Siebel Lookup Recon for TimeZone: Name

Decode Attribute

Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Depending on the scheduled job that you are using, the default values are as follows:

  • For Siebel Lookup Recon for Employee Type Code: Description

  • For Siebel Lookup Recon for Personal Title: Description

  • For Siebel Lookup Recon for Position: Name

  • For Siebel Lookup Recon for Preferred Communications: Description

  • For Siebel Lookup Recon for Responsibility: Description

  • For Siebel Lookup Recon for TimeZone: Abbreviation

3.4 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.4.1 Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.

To perform a full reconciliation run, ensure that no values are specified for the Latest Token and Custom Recon Query attributes of the scheduled jobs for reconciling user records.

At the end of the reconciliation run, the Latest Token attribute of the scheduled job for user record reconciliation is automatically set to the time stamp at which the run ended. From the next run onward, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.

3.4.2 Performing Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

For this connector, you create a filter by specifying values for the Custom Recon Query attribute of the scheduled job for reconciliation of user records.

The following are sample query conditions:

  • First Name=John&Last Name=Doe

    With this query condition, records of users whose first name is John and last name is Doe are reconciled.

  • First Name=John|First Name=Jane

    With this query condition, record of Users with first name John and Jane are reconciled.

If you do not specify values for the Custom Recon Query attribute, then all the records in the target system are compared with existing Oracle Identity Manager records during reconciliation.

The following are guidelines to be followed while specifying a value for the Custom Recon Query attribute:

  • For the target system attributes, you must use the same case (uppercase or lowercase) as given in the table shown earlier in this section. This is because the attribute names are case-sensitive.

  • You must not include unnecessary blank spaces between operators and values in the query condition.

    A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:

    First Name=John&Last Name=Doe

    First Name= John&Last Name= Doe

    In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.

  • You must not include special characters other than the equal sign (=), ampersand (&), and vertical bar (|) in the query condition.

    Note:

    An exception is thrown if you include special characters other than the equal sign (=), ampersand (&), and vertical bar (|).

  • The query condition must be an expression without any braces.

  • Searching users based on multiple value roles and groups are not supported. Only one value for roles and profiles can be queried at a time. For example, if the query condition is Usergroup=a,b,c, then the query generates an error.

  • Searching users based on more than three user attributes are not supported. For example, if the query condition is userid=JOHN&firstname=John&lastname=Doe&country=US, then the query generates an error.

You specify a value for the Custom Recon Query attribute while configuring the scheduled job user record reconciliation.

Sample Query Conditions

You can specify the following types of query conditions as values for the Custom Recon Query attribute and run the scheduled job for user record reconciliation:

  • Simple query with user attributes, for example:

    • Value assigned to the Custom Recon Query attribute: First Name=John

      Users with first name John is reconciled.

    • Value assigned to the Custom Recon Query attribute: Login Name=JOHN

      Users with login name JOHN are reconciled.

    • Value assigned to the Custom Recon Query attribute: First Name=John|First Name=Jane

      Users with first name John and Jane are reconciled.

    • Value assigned to the Custom Recon Query attribute: First Name=John&Last Name=Doe

      Users with the first name John and last name Doe are reconciled.

  • Query based on positions and responsibilities, for example:

    • Value assigned to the Custom Recon Query attribute: Position=Proxy Employee|Position=ERM AnonUser

      All users having positions as Proxy Employee or ERM AnonUser are reconciled.

    • Value assigned to the Custom Recon Query attribute: Responsibility=CEO&Responsibility=Consultant

      All users having responsibilities as CEO and Consultant are reconciled.

    • Value assigned to the Custom Recon Query attribute: Responsibility=CEO&Position=ERM AnonUser

      All users having responsibility CEO and position as ERM AnonUser are reconciled.

  • Complex queries, for example:

    • Value assigned to the Custom Recon Query attribute: First Name=John&Position=Proxy Employee|Position=ERM AnonUser

      All users having first name as John and position as Proxy Employee, as well as all users with position as ERM AnonUser are reconciled.

    • Value assigned to the Custom Recon Query attribute: Last Name=Doe|Position=Proxy Employee&Responsibility=CEO

      All users having last name as Doe plus all users having both Position as Proxy Employee and Responsibility as CEO are reconciled.

Note:

For queries with a combination of & and |, the name value pairs adjacent to the & operator are taken as if they are in parenthesis by Siebel.

3.4.3 Reconciliation Based on User Type

Note:

This section discusses the UserType attribute of the scheduled job.

Siebel supports the definition of the following user types:

  • Employee

  • Partner User

  • Customer

  • User

You can specify the user type for which reconciliation must be performed.

To specify the user type for which reconciliation must be performed, you use the UserType scheduled job attribute. This attribute is discussed in Scheduled Jobs for Reconciliation of User Records.

3.4.4 Reconciliation Scheduled Jobs

When you run the Connector Installer, the scheduled tasks corresponding to the following scheduled jobs are automatically created in Oracle Identity Manager:

3.4.4.1 Scheduled Jobs for Reconciliation of User Records

Depending on whether you want to implement trusted source or target resource reconciliation, you must specify values for the attributes of one of the following user reconciliation scheduled jobs:

  • Siebel Target User Recon

    This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector

  • Siebel Trusted User Reconciliation

    This scheduled job is used to reconcile user data in the trusted source (identity management) mode of the connector

Table 3-2 describes the attributes of both scheduled jobs.

Table 3-2 Attributes of the Scheduled Jobs for Reconciliation of User Records

Attribute Description

Scheduled Task Name

Name of the scheduled task used for reconciliation.

The default value of this attribute in the Siebel Target User Recon scheduled job is Siebel Target User Recon.

The default value of this attribute in the Siebel Trusted User Reconciliation scheduled job is Siebel Trusted User Reconciliation.

ITResource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: SIEBEL IT Resource

Resource Object Name

Name of the resource object that is used for reconciliation.

The default value of this attribute in the Siebel Target User Recon scheduled job is Siebel Resource Object.

The default value of this attribute in the Siebel Trusted User Reconciliation scheduled job is Siebel Trusted User.

Time Zone

Enter the time zone of the target system database.

Default value: GMT-08:00

Day Light Saving

Enter the time, in minutes, that must be added to the time-stamp value stored in the LastExecution Timestamp attribute.

Default value: 0

Custom Recon Query

Provide a value for this attribute if you want to reconcile the subset of added or modified target system records

See Performing Limited Reconciliation for more information.

UserType

Specify the type of user that must be reconciled from the target system.

You can specify one of the following Siebel user types:

  • Employee: This user is an internal employee and user who is associated with a position in a division within your company.

  • Partner User: This user is an employee at a partner company (external organization) and is associated with a position in a division within that company. Therefore, a Partner User is also an Employee, but not an internal one.

  • Customer: This user is a self-registered partner having no position in your company. However, this user has a responsibility that specifies the application views the user can access.

  • User: This user is also a self-registered partner having no position in your company. However, this user has a responsibility that specifies the application views the user can access.

Default value: Employee

Latest Token

This attribute holds the time stamp at which the last reconciliation run started. The reconciliation engine automatically enters a value in this attribute.

Sample value: 23 May 2011 04:30:41 -0700

Incremental Recon Date Attribute

This attribute holds the name of the target system that maintains the time stamp of target system records.

Default value: Updated
3.4.4.2 Scheduled Job for Reconciliation of Deleted Users Records

Depending on whether you want to implement trusted source or target resource delete reconciliation, you must specify values for the attributes of one of the following scheduled jobs:

  • Siebel Target Resource User Delete Reconciliation

    This scheduled job is used to reconcile data about deleted users in the target resource (account management) mode of the connector. During a reconciliation run, for each deleted user account on the target system, the Siebel resource is revoked for the corresponding OIM User.

  • Siebel Trusted User Delete Reconciliation

    This scheduled job is used to reconcile data about deleted users in the trusted source (identity management) mode of the connector. During a reconciliation run, for each deleted target system user account, the corresponding OIM User is deleted.

Table 3-3 describes the attributes of both scheduled jobs.

Table 3-3 Attributes of the Siebel Target Resource User Delete Reconciliation Scheduled Job

Attribute Description

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile data about deleted user records.

Default is: SIEBEL IT Resource

Resource Object Name

Name of the resource object that is used for reconciliation.

The default value of this attribute in the Siebel Target User Recon scheduled job is Siebel Resource Object.

The default value of this attribute in the Siebel Trusted User Reconciliation scheduled job is Siebel Trusted User.

Object Type

Enter the type of object you want to reconcile.

Default is: Employee

3.5 Configuring Scheduled Jobs

Configure reconciliation jobs to perform reconciliation runs that check for new information on your target system periodically and replicates the data in Oracle Identity Governance.

You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.

See Scheduled Jobs for Lookup Field Synchronization and Reconciliation for the list of scheduled jobs that you can configure.

To configure a scheduled job:

  1. If you are using Oracle Identity Manager release 11.1.1.x, then:

    1. Log in to the Administrative and User Console.

    2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

  2. If you are using Oracle Identity Manager release 11.1.2.x or later, then:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see Managing Sandboxes of Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

    3. In the left pane, under System Management, click Scheduler.

  3. Search for and open the scheduled job as follows:

    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. On the Job Details tab, you can modify the following parameters:

    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled job.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    • Attributes of the scheduled job are discussed in Scheduled Jobs for Reconciliation of User Records.

  6. Click Apply to save the changes.

    Note:

    The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

3.6 Configuring Provisioning in Oracle Identity Manager Release 11.1.1

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

When you install the connector on Oracle Identity Manager release 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Switching Between Request-Based Provisioning and Direct Provisioning.

The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

  • Provisioning triggered by policy changes

See Also:

Manually Completing a Task in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for information about the types of provisioning

This section discusses the following topics:

3.6.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    1. On the Welcome to Identity Administration page, in the Users region, click Create User.

    2. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

    2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. On the user details page, click the Resources tab.

  5. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  6. On the Step 1: Select a Resource page, select Siebel Resource Object from the list and then click Continue.

  7. On the Step 2: Verify Resource Selection page, click Continue.

  8. On the Step 5: Provide Process Data for Siebel User Details page, enter the details of the account that you want to create on the target system and then click Continue.

  9. On the Step 5: Provide Process Data for Siebel Responsibility Form page, search for and select a group for the user on the target system and then click Continue.

  10. On the Step 5: Provide Process Data for Siebel Position Form page, search for and select a group for the user on the target system and then click Continue.

  11. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  12. The "Provisioning has been initiated" message is displayed. Close the window displaying this message.

  13. On the Resources tab, click Refresh to view the newly provisioned resource.

3.6.2 Request-Based Provisioning

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.6.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Advanced in the upper-right corner of the page.
  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.
  6. On the Select Users page, specify a search criterion in the fields to search for the user that you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.
  7. From the Available Users list, select the user to whom you want to provision the account..

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.
  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
  10. From the Available Resources list, select Siebel Resource Object, move it to the Selected Resources list, and then click Next.
  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
  12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.
  14. To view details of the approval, on the Request Details page, click the Request History tab.
3.6.2.2 Approver's Role in Request-Based Provisioning

The following are steps performed by the approver in a request-based provisioning operation:

The following are steps that the approver can perform:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Self-Service in the upper-right corner of the page.
  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.
  4. On the Approvals tab, in the first section, you can specify a search criterion for request task that is assigned to you.
  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.6.3 Switching Between Request-Based Provisioning and Direct Provisioning

Note:

It is assumed that you have performed the procedure described in Configuring Oracle Identity Manager for Request-Based Provisioning.

If you have configured the connector for request-based provisioning, you can always switch to direct provisioning. Similarly, you can always switch back to request-based provisioning any time. This section discusses the following topics:

3.6.3.1 Switching From Request-Based Provisioning to Direct Provisioning

If you want to switch from request-based provisioning to direct provisioning, then:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the Siebel Process process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the Siebel Resource Object resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

3.6.3.2 Switching From Direct Provisioning to Request-Based Provisioning

If you want to switch from direct provisioning back to request-based provisioning, then:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the Siebel Process process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the Siebel Resource Object resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

3.7 Configuring Provisioning in Oracle Identity Manager Release 11.1.2

To configure provisioning operations in Oracle Identity Manager release 11.1.2.x:

Note:

The time required to complete a provisioning operation that you perform the first time by using this connector takes longer than usual.

  1. Log in to Oracle Identity Administrative and User console.

  2. Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance, and then click Checkout.

  5. Specify value for fields in the application form and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.

3.8 Uninstalling the Connector

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.