Oracle Identity Manager automates access rights management, and the security of resources to various target systems. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with target applications. This guide discusses the connector that enables you to use PeopleSoft HRMS as an authoritative (trusted) source of identity information for Oracle Identity Manager.
Note:
In this guide, PeopleSoft HRMS has been referred to as the target system.
In the identity reconciliation (trusted source) configuration of the connector, persons are created or modified only on the target system and information about these persons is reconciled into Oracle Identity Manager.
This chapter contains the following sections:
Table 1-1 lists the components certified for use with the connector.
Table 1-1 Certified Components
Item | Requirement |
---|---|
Oracle Identity Governance or Oracle identity Manager |
You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:
|
Target systems |
The target system can be any one of the following:
|
Connector Server |
11.1.2.1.0 |
Connector Server JDK |
JDK 1.6 or later, or JRockit 1.6 or later |
Other Software |
You must ensure that the following components are installed and configured in the target system environment:
The following standard PeopleSoft messages are available:
|
You might want to determine the versions of PeopleTools and the target system you are using to check whether this release of the connector supports that combination. To determine the versions of PeopleTools and the target system:
Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
If you are using an Oracle Identity Manager release 9.1.0.2 BP05 or later and earlier than Oracle Identity Manager 11g Release 1 BP02 (11.1.1.5.2), then you must use the 9.1.0.2 version of this connector.
If you are using Oracle Identity Manager 11g Release 1 BP02 (11.1.1.5.2) or later, Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) or later, or Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0), then use the latest 11.1.1.x version of this connector.
This section contains the following topics:
Figure 1-1 shows the architecture of the connector.
The target system is configured as a trusted source of identity data for Oracle Identity Manager. In other words, identity data that is created and updated on the target system is fetched into Oracle Identity Manager and used to create and update OIM Users.
Standard PeopleSoft XML files and messages are the medium of data interchange between PeopleSoft HRMS and Oracle Identity Manager.
The method by which person data is sent to Oracle Identity Manager depends on the type of reconciliation that you configure. It is listed as follows:
Note:
To reconcile all existing target system records into Oracle Identity Manager, you must run full reconciliation the first time you perform a reconciliation run after deploying the connector. This is to ensure that the target system and Oracle Identity Manager contain the same data.
PeopleSoft uses its standard message format PERSON_BASIC_FULLSYNC and WORKFORCE_FULLSYNC to send person data to external applications such as Oracle Identity Manager. Full reconciliation fetches all person records from the target system to reconcile records within Oracle Identity Manager. Full reconciliation within Oracle Identity Manager is implemented using the PERSON_BASIC_FULLSYNC and WORKFORCE_FULLSYNC XML files that PeopleSoft generates. See Support for Standard PeopleSoft Messages for more information about these messages.
Full reconciliation involves the following steps:
See Performing Full Reconciliation for the procedure to perform full reconciliation.
The PeopleSoft Integration Broker populates the XML files for the PERSON_BASIC_FULLSYNC and WORKFORCE_FULLSYNC messages with all the person data, such as biographical information and job information.
Copy these XML files to a directory on the Oracle Identity Manager host computer.
Configure the PeopleSoft HRMS Trusted Reconciliation scheduled task. The XML files are read by this scheduled task to generate reconciliation events.
Incremental reconciliation involves real-time reconciliation of newly created or modified person data. You use incremental reconciliation to reconcile individual data changes after an initial, full reconciliation run has been performed. PERSON_BASIC_SYNC or WORKFORCE_SYNC are standard PeopleSoft messages to initiate incremental reconciliation. See Support for Standard PeopleSoft Messages for details. These messages are used to send specific person data for each transaction on the target system that involves addition or modification of person information. Incremental reconciliation is configured using PeopleSoft application messaging.
Incremental reconciliation involves the following steps:
Performing Incremental Reconciliation describes the procedure to configure incremental reconciliation.
When person data is added or updated in the target system, a PeopleCode event is generated.
The PeopleCode event generates an XML message, PERSON_BASIC_SYNC or WORKFORCE_SYNC, containing the modified person data and sends it in real time to the PeopleSoft listener over HTTP. The PeopleSoft listener is a Web application that is deployed on an Oracle Identity Manager host computer. If SSL is configured, then the message is sent to the PeopleSoft listener over HTTPS.
The PeopleSoft listener parses the XML message and creates a reconciliation event in Oracle Identity Manager.
Note:
During connector deployment, the PeopleSoft listener is deployed as an EAR file.
The following are the features of the connector:
The connector provides all the features required for setting up PeopleSoft HRMS as a trusted (authoritative) source of identity data for Oracle Identity Manager. Oracle Identity Manager uses this message for incremental reconciliation. In other words, the connector does not support provisioning operations and target resource reconciliation with PeopleSoft HRMS.
The connector supports reconciliation in two ways:
In a full reconciliation run, all records are fetched from the target system to Oracle Identity Manager in the form of XML files. In incremental reconciliation, records that are added or modified are directly sent to the listener deployed on the Oracle Identity Manager host computer. The listener parses the records and sends reconciliation events to Oracle Identity Manager.
The connector helps you to manage all major person lifecycle events, from onboarding to termination and beyond a whole range of events that defines a long-term relationship a person establishes with an organization. This relationship can be defined as the person lifecycle.
The connector performs real-time reconciliation of changes in PeopleSoft including new person creation, changes to existing persons, and so on. Real-time reconciliation allows Oracle Identity Manager to immediately detect critical lifecycle events, such as job terminations, transfers, and so on. Oracle Identity Manager is thus able to take the appropriate action immediately.
Whenever the status of a person changes in PeopleSoft, the status of the OIM User changes as defined in the Lookup.PSFT.HRMS.WorkForceSync.EmpStatus lookup definition. See Lookup.PSFT.HRMS.WorkForceSync.EmpStatus for more information.
On the target system, you can use the effective-dated feature to assign a future date to changes that you want to make to a person account.
The connector can distinguish between hire events and other events in the lifecycle of a person record on the target system. These events may be either current-dated or future-dated (in other words, effective-dated). A current-dated event is one in which the date of the event is prior to or same as the current date. A future-dated event is one in which the date the event will take effect is set in the future. For example, if the current date is 30-Jan-09 and if the date set for an event is 15-Feb-09, then the event is future-dated. During reconciliation, the manner in which an event is processed depends on the type of the event.
PeopleSoft uses two standard messages to reconcile a record. These are the PERSON_BASIC_SYNC and the WORKFORCE_SYNC messages. See Support for Standard PeopleSoft Messages for more information about these messages.
You run the PERSON_BASIC_SYNC message to create an OIM User. The default status of an OIM User is Disabled. See the Employee Status Code Key in the lookup definition described in Lookup.PSFT.Message.PersonBasicSync.Configuration.
The job-related information of a person is updated through the WORKFORCE_SYNC message. In addition, the status is modified depending on the information fetched from the ACTION node of the WORKFORCE_SYNC message XML. For example, the value for hire event is retrieved from the ACTION node of the WORKFORCE_SYNC message XML as HIR
.
The Lookup.PSFT.HRMS.WorkForceSync.EmpStatus lookup definition provides a mapping for the value retrieved from the ACTION node of the XML message. In the lookup definition, the Code Key defines the action performed, and the Decode value is either Active
or Inactive
. Depending on the Decode value, the status of the person appears as Active
or Disabled
in Oracle Identity Manager.
For example, in this case the data fetched from the XML message is HIR
. The Lookup.PSFT.HRMS.WorkForceSync.EmpStatus lookup definition stores the mapping for the HIR action, in the Decode column. If you want to display Active on the Oracle Identity Manager console as against the HIR action then define the following mapping in the lookup definition:Code Key: HIRDecode: Active
See Lookup.PSFT.HRMS.WorkForceSync.EmpStatus. for more information about this lookup definition.
Note:
In the context of the Effective Date feature, records for a particular person on the target system can be categorized into the following types:
Current: The record with an effective date that is closest to or same as, but not greater than, the system date. There can be only one current record
History: Records with dates that are earlier than that of the current-dated record
Future: Records that have effective dates later than the system date
PeopleSoft provides standard messages to send biographical data and job-related data to external applications, such as Oracle Identity Manager. The connector uses the following standard PeopleSoft messages that are delivered as part of PeopleSoft HRMS installation to achieve full reconciliation and incremental reconciliation:
PERSON_BASIC_FULLSYNC
This message contains all the basic biographical information of all persons. This information includes Employee ID, First Name, Last Name, and Employee Type. It is used for full reconciliation.
PERSON_BASIC_SYNC
This message contains the information about a particular person. This includes Employee ID and the information that is added or modified. During incremental reconciliation, PERSON_BASIC_SYNC messages are sent to Oracle Identity Manager.
Note:
It is only if a person is added in PeopleSoft that the triggering of PERSON_BASIC_SYNC creates an OIM User. But, if an OIM User has been created during full reconciliation, then the PERSON_BASIC_SYNC message contains modifications to personal data.
WORKFORCE_FULLSYNC
This message contains job-related details of all persons. This information includes Department, Supervisor ID, Manager ID, and Job Code. It is used for full reconciliation.
WORKFORCE_SYNC
This message contains job-related details of a particular person. This information includes Employee ID and the information that is added or modified. It is used in incremental reconciliation.
Note:
When you reconcile records, it is mandatory to run the PERSON_BASIC_FULLSYNC message before WORKFORCE_FULLSYNC. If the WORKFORCE_FULLSYNC message is processed first, then Oracle Identity Manager stores the data for all those events in the Event Received state and processes them after person data is available through reconciliation performed using the PERSON_BASIC_FULLSYNC message.
Standard messages provided by PeopleSoft are asynchronous. In other words, if a message is not delivered successfully, then the PeopleSoft Integration Broker marks that message as not delivered. The message can then be resent manually.
If the connector is not able to process a message successfully, then it sends an error code and PeopleSoft Integration Broker marks that message as Failed. A message marked as Failed can be resent to the listener. See Resending Messages That Are Not Received by the PeopleSoft Listener for details.
See Also:
Resubmitting and Canceling Service Operations for Processing topic in the PeopleBook Enterprise PeopleTools 8.49 PeopleBook: PeopleSoft Integration Broker available on Oracle Technology Network:
http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tibr/book.htm
You can configure validation of person data that is brought into Oracle Identity Manager during reconciliation. In addition, you can configure transformation of person data that is brought into Oracle Identity Manager during reconciliation.
Configuring Validation of Data During Reconciliation provides information about setting up the validation feature.
Configuring Transformation of Data During Reconciliation provides information about setting up the transformation feature.
The connector supports full and dynamic reconciliation of Manager ID values. The Manager ID attribute is one of the predefined OIM User form attributes. When you reconcile data while creating an OIM User, you can populate this field with manager details by running the PeopleSoft HRMS Manager Reconciliation scheduled task.
Note:
The target system also provides the Supervisor attribute, which is a lookup field on the target system UI. This value is populated in the Supervisor ID field, which is a UDF on the process form.
When you perform a full reconciliation for the first time, you must run the PeopleSoft HRMS Manager Reconciliation scheduled task to reconcile the Manager ID values.
See Running the PeopleSoft HRMS Manager Reconciliation Scheduled Task for instructions on how to reconcile Manager ID values in this scenario.
After you perform a full reconciliation for the first time, during the subsequent incremental reconciliation operations, the Manager ID values are reconciled dynamically.
The connector reconciles the manager information based on the Supervisor ID in Oracle Identity Manager and the job information fetched through the WORKFORCE_SYNC message.
This section describes the steps in the Manager ID reconciliation process, which applies to both full and dynamic reconciliation of the Manager ID values.
To update the job details of a person:
The Supervisor details for a person are retrieved from the target system when you run the WORKFORCE_FULLSYNC or the WORKFORCE_SYNC message.
The Supervisor details are fetched from the SUPERVISOR_ID node of the message XML, as shown in the following screenshot:
The connector populates the Supervisor ID field in the process form.
Run the PeopleSoft HRMS Manager Reconciliation scheduled task only if you perform full reconciliation for the first time. See Running the PeopleSoft HRMS Manager Reconciliation Scheduled Task for instructions on how to reconcile Manager ID values in this scenario.
The scheduled task checks for the existence of an OIM User with the same User ID as that of Supervisor ID value. If a match is found, the Manager ID attribute is updated with the value of the Supervisor ID.
This sequence of steps can be illustrated by the following example:
Suppose Richard is a person on the target system with the user ID 02. John Doe, his manager, with user ID 01 exists on Oracle Identity Manager. During reconciliation of Richard's person record:
Target authentication is done to validate whether Oracle Identity Manager should accept messages from the target system or not. It is done by passing the name of the IT resource in the Integration Broker node. You must ensure that the correct value of the IT resource name is specified in the node. See Configuring PeopleSoft Integration Broker for setting up the node. In addition, the flag IsActive is used to verify whether the IT Resource is active or not. The value of this flag is Yes,
by default. When this value is Yes, target authentication is carried out. Target authentication fails if it is set to No.
You can specify a list of persons who must be excluded from all reconciliation operations. Persons whose User IDs you specify in the exclusion list are not affected by the reconciliation operation. See Lookup.PSFT.HRMS.ExclusionList for more information.
Trusted source reconciliation involves reconciling data of newly created or modified accounts on the target system into Oracle Identity Manager and adding or updating OIM Users.
See Also:
Managing Reconciliation in Oracle Fusion Middleware Administering Oracle Identity Manager for conceptual information about reconciliation
This section discusses the following topics:
Table 1-2 lists the identity attributes whose values are fetched from the target system during reconciliation.
Table 1-2 User Attributes for Reconciliation
OIM User Form Field | PeopleSoft HRMS/HCM Field | Description |
---|---|---|
User ID |
PS_PERSON.EMPLID |
The employee ID of the user This is a mandatory field for the creation of an OIM User. |
Last Name |
PS_NAMES.LAST_NAME |
The last name of the user This is a mandatory field for the creation of an OIM User. |
First Name |
PS_NAMES.FIRST_NAME |
The first name of the user This is a mandatory field for the creation of an OIM User. |
Employee Type |
PS_JOB.REG_TEMP PS_JOB.FULL_PART_TIME PS_JOB.PER_ORG |
The employee type of the OIM User The combination of the values of the PS_JOB.REG_TEMP, PS_JOB.FULL_PART_TIME, and the PS_JOB.PER_ORG fields are used to specify the employee type of the OIM User. This is a mandatory field for the creation of an OIM User. |
Status |
PS_JOB.ACTION |
The action to be taken for a person. It could be HIRE, TRANSFERED, and so on. |
Start Date |
PS_JOB.EFFDT |
The effective date of a person's job record |
Supervisor ID |
PS_JOB.SUPERVISOR_ID |
The supervisor ID of a person |
Department |
PS_JOB.DEPTID |
The department ID of a person |
Job ID |
PS_JOB.JOBCODE |
The job ID of a person |
See Also:
Reconciliation Metadata in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for generic information about reconciliation matching and action rules
The following sections provide information about the reconciliation rules for this connector:
The following is the process-matching rule:
Rule Name: Peoplesoft HRMS Recon Rule
Rule Element: User Login Equals User ID
In this rule:
User Login represents the User ID field on the OIM User form.
User ID represents the Employee ID field of the employee on the target system.
For trusted source reconciliation, the User ID field of the OIM User form is matched against the Employee ID field on the target system. These are the key fields in Oracle Identity Manager and the target system, respectively.
After you deploy the connector, you can view the reconciliation rule by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
Application of the matching rule on reconciliation events would result in one of multiple possible outcomes. The action rules for reconciliation define the actions to be taken for these outcomes.
Note:
For any rule condition that is not predefined for this connector, no action is performed and no error message is logged.
The following sections provide information about the reconciliation action rules for this connector:
Table 1-3 lists the reconciliation action rules for this connector:
Table 1-3 Action Rules for Trusted Source Reconciliation
Rule Condition | Action |
---|---|
No Matches Found |
Create User |
One Entity Match Found |
Establish Link |
After you deploy the connector, you can view the reconciliation action rules by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
The predefined lookup definitions can be categorized as follows:
The Lookup.PSFT.HRMS.Configuration lookup definition is used to store configuration information that is used by the connector. See Configuring the IT Resource for more information about the entries in this lookup definition.
The Lookup.PSFT.HRMS.Configuration lookup definition has the following entries:
Code Key | Decode | Description |
---|---|---|
Manager Recon Config Lookup |
Lookup.PSFT.HRMS.ManagerRecon.Configuration |
Name of the lookup used by the PeopleSoft HRMS Manager Reconciliation scheduled task to read the required values. See Lookup.PSFT.HRMS.ManagerRecon.Configuration for more information about this lookup definition. |
HRMS Resource Exclusion List Lookup |
Lookup.PSFT.HRMS.ExclusionList |
Name of the Resource Exclusion lookup for PeopleSoft Employee Reconciliation See Lookup.PSFT.HRMS.Configuration for more information about this lookup definition. |
Ignore Root Audit Action |
No |
Use this value if the Root PSCAMA audit action is required to be considered while parsing the XML message. Enter Enter See Also: Determining the Root Audit Action Details. |
PERSON_BASIC_FULLSYNC |
Lookup.PSFT.Message.PersonBasicSync.Configuration |
Name of the lookup definition for PERSON_BASIC_FULLSYNC message See Lookup.PSFT.Message.PersonBasicSync.Configuration for more information about this lookup definition. Note: The Decode value is the same as that of the PERSON_BASIC_SYNC message, because the data to be reconciled is the same for both messages. |
PERSON_BASIC_SYNC |
Lookup.PSFT.Message.PersonBasicSync.Configuration |
Name of the lookup definition for the PERSON_BASIC_SYNC message See Lookup.PSFT.Message.PersonBasicSync.Configuration for more information about this lookup definition. |
Target Date Format |
yyyy-MM-dd |
Data format of the Date type data in the XML file and messages You must not change this value. |
WORKFORCE_FULLSYNC |
Lookup.PSFT.Message.WorkForceSync.Configuration |
Name of the lookup definition for the WORKFORCE_FULLSYNC message See Lookup.PSFT.Message.WorkForceSync.Configuration for more information about this lookup definition. Note: The Decode value is the same as that of the WORKFORCE_ SYNC because the data to be reconciled is the same for both messages. |
WORKFORCE_SYNC |
Lookup.PSFT.Message.WorkForceSync.Configuration |
Name of the lookup definition for the WORKFORCE_SYNC message See Lookup.PSFT.HRMS.ManagerRecon.Configuration for more information about this lookup definition. |
You can configure the message names, such as the PERSON_BASIC_SYNC, WORKFORCE_SYNC, PERSON_BASIC_FULLSYNC, and WORKFORCE_FULLSYNC defined in this lookup definition. Setting Up the Lookup.PSFT.HRMS.Configuration Lookup Definition describes the procedure to configure these message names.
The Lookup.PSFT.HRMS.ManagerRecon.Configuration lookup definition provides a list of values used by the PeopleSoft HRMS Manager Reconciliation scheduled task to read the values required to run the task.
If you want to modify the PeopleSoft HRMS Manager Reconciliation scheduled task, for example, when the Employee ID field is mapped to a UDF, then you must modify the values in this lookup as per the changes made to the task.
The following is the format of the values stored in this lookup:
Code Key | Decode |
---|---|
Employee ID RO |
Name of the Resource Object field for Employee ID of a person. Sample value: |
Employee ID UDF |
Metadata of the field of the person form with which EMPL ID from the target system is mapped. Sample value: |
Manager UDF |
Metadata of the Supervisor ID field of the person form. Sample value: |
See Running the PeopleSoft HRMS Manager Reconciliation Scheduled Task for instructions on how to configure and run the PeopleSoft HRMS Manager Reconciliation scheduled task.
The following lookup definitions are used to process PERSON_BASIC_SYNC messages:
The Lookup.PSFT.Message.PersonBasicSync.Configuration lookup definition provides the configuration-related information for the PERSON_BASIC_SYNC and PERSON_BASIC_FULLSYNC messages.
The lookup definition has the following entries:
Code Key | Decode | Description |
---|---|---|
Attribute Mapping Lookup |
Lookup.PSFT.HRMS.PersonBasicSync.AttributeMapping |
Name of the lookup definition that maps Oracle Identity Manager attributes with the attributes in the PERSON_BASIC_SYNC and PERSON_BASIC_FULLSYNC message XML See Lookup.PSFT.HRMS.PersonBasicSync.AttributeMapping for more information about this lookup definition. |
Custom Query |
Enter a Value |
If you want to implement limited reconciliation, then enter the query condition that you create by following the instructions given in the Limited Reconciliation. |
Custom Query Lookup Definition |
Lookup.PSFT.HRMS.CustomQuery |
This entry holds the name of the lookup definition that maps resource object fields with OIM User form fields. This lookup definition is used during application of the custom query. See Limited Reconciliation for more information. |
Data Node Name |
Transaction |
Name of the node in the XML files to execute a transaction Default value: You must not change the default value. |
Employee Status |
Active |
Default status of an employee during the creation of an OIM User Note: You can change the status to Disabled, if you want the status to be Inactive when the OIM User is created. |
Employee Type Lookup |
Lookup.PSFT.HRMS.PersonBasicSync.EmpType |
Name of the lookup definition that maps Oracle Identity Manager attributes with employee type attributes obtained from XML message See Lookup.PSFT.HRMS.PersonBasicSync.EmpType for more information about this lookup definition. |
Message Handler Class |
oracle.iam.connectors.psft.common.handler.impl.PSFTPersonSyncReconMessageHandlerImpl |
Name of the Java class that accepts the XML payload, configuration information, and a handle to Oracle Identity Manager. Depending on the message type, it retrieves the appropriate configuration from Oracle Identity Manager and processes the message. To parse a specific message type, it relies on a Message Parser factory. If you want a customized implementation of the message, then you must extend the See Also: Configuring the Connector Messages |
Message Parser |
oracle.iam.connectors.psft.common.parser.impl.PersonMessageParser |
Name of the parser implementation class that contains the logic for message parsing If you want a customized implementation of the message, then you must extend the See Also: Configuring the Connector Messages |
Organization |
Xellerate Users |
Default organization in Oracle Identity Manager |
Recon Lookup Definition |
Lookup.PSFT.HRMS.PersonBasicSync.Recon |
Name of the lookup definition that maps Oracle Identity Manager attributes with the Resource Object attributes See Lookup.PSFT.HRMS.PersonBasicSync.Recon for more information about this lookup definition. |
Resource Object |
Peoplesoft HRMS |
Name of the resource object |
Transformation Lookup Definition |
Lookup.PSFT.HRMS.PersonBasicSync.Transformation |
Name of the transformation lookup definition See Configuring Transformation of Data During Reconciliation for more information about adding entries in this lookup definition. |
User Type |
End-User |
It specifies the value with which a person is created in Oracle Identity Manager using the PERSON_BASIC_SYNC message. |
Use Transformation |
No |
Enter |
Use Validation |
No |
Enter |
Validation Lookup Definition |
Lookup.PSFT.HRMS.PersonBasicSync.Validation |
Name of the validation lookup definition See Configuring Validation of Data During Reconciliation for more information about adding entries in this lookup definition. |
The Lookup.PSFT.HRMS.PersonBasicSync.AttributeMapping lookup definition maps OIM User attributes with the attributes defined in the PERSON_BASIC_SYNC message. The following table provides the format of the values stored in this lookup definition:
Code Key | Decode |
---|---|
Emp Type |
PER_ORG~PERSON |
First Name |
FIRST_NAME~NAMES~NAME_TYPE=PRI~EFFDT |
Last Name |
LAST_NAME~NAMES~NAME_TYPE=PRI~EFFDT |
User ID |
EMPLID~PERSON~None~None~PRIMARY |
Code Key: Name of the OIM User field
Decode: Combination of the following elements separated by the tilde (~) character:
NODE~PARENT NODE~TYPE NODE=Value~EFFECTIVE DATED NODE~PRIMARY
In this format:
NODE:
Name of the node in the PERSON_BASIC_SYNC message XML file from which the value is read. You must specify the name of the NODE in the lookup definition. It is a mandatory field.
PARENT NODE:
Name of the parent node for the NODE. You must specify the name of the parent node in the lookup definition. It is a mandatory field.
TYPE NODE=Value:
Type of the node associated with the Node value. Value defines the type of the Node.
For example, in the PERSON_BASIC_SYNC message, the rowset NAME_TYPE_VW lists the names assigned to a person. The names assigned could be primary, secondary, or nickname, depending on how it is configured in PeopleSoft.
If you want to use the primary name to create an OIM User, then you must locate the NAME_TYPE node with the value PRI to fetch First Name and Last Name from the XML message. Therefore, you must provide the following mapping in Decode column for First Name:
FIRST_NAME~NAMES~NAME_TYPE=PRI~EFFDT
In this format, NAME_TYPE specifies the TYPE NODE to consider, and PRI specifies that name of type PRI (primary) must be considered while fetching data from the XML messages. All other names types are then ignored.
The NAME_TYPE node with PRI value is shown in the following screenshot:
EFFECTIVE DATED NODE:
Effective-dated node for the NODE,
if any.
PeopleSoft supports effective-dated events. The value refers to the name of the node that provides information about the date on which the event becomes effective.
For example, names can be effective-dated in PeopleSoft. The EFFDT node in XML provides the date on which the name becomes effective for the OIM User.
The EFFDT node is shown in the following screenshot:
Primary:
Specifies if the node is a mandatory field on Oracle Identity Manager.
The following scenario illustrates how to map the entries in the lookup definition. On the target system, there is no direct equivalent for the First Name attribute of the OIM User. As a workaround, a combination of elements is used to decipher the value for each Code Key entry in the preceding table.
If you want to retrieve the value for the Code Key, First Name,
then the name of the NODE will be FIRST_NAME as depicted in the XML file. See the sample XML file in Figure 1-4 for more information about each node in the PERSON_BASIC_SYNC message.
Figure 1-4 Sample XML File for PERSON_BASIC_SYNC Message
The PARENT NODE for the NODE FIRST_NAME will be NAMES. Now suppose, you have a scenario where you have multiple FIRST_NAME nodes in the XML file to support the effective-dated feature for this attribute. In this case, you must identify the TYPE NODE for the PARENT NODE that has the value PRI. In this example, the TYPE NODE is NAME_TYPE with the value PRI.
Next, you must locate the EFFECTIVE DATED NODE for FIRST_NAME
in the XML file. This node provides the value when the event becomes effective-dated.
In Oracle Identity Manager, you must specify a mandatory field, such as User ID
for reconciliation. This implies that to retrieve the value from XML, you must mention User ID
as the primary node.
If you do not want to provide any element in the Decode column, then you must specify None. This is implemented for the User ID attribute.
Now, you can concatenate the various elements of the syntax using a tilde (~) to create the Decode entry for First Name as follows:
NODE: FIRST_NAME
PARENT NODE: NAMES
TYPE NODE=Value: NAME_TYPE=PRI
EFFECTIVE DATED NODE: EFFDT
So, the Decode column for First Name is as follows:
FIRST_NAME~NAMES~NAME_TYPE=PRI~EFFDT
The Lookup.PSFT.HRMS.PersonBasicSync.Recon lookup definition maps the resource object field name with the value fetched from the Lookup.PSFT.HRMS.PersonBasicSync.AttributeMapping lookup definition. The following is the format of the values stored in this lookup definition:
Code Key | Decode |
---|---|
Employee Type |
Emp Type~Employee Type Lookup |
First Name |
First Name |
Last Name |
Last Name |
User ID |
User ID |
Code Key: Name of the resource object field in Oracle Identity Manager
Decode: Combination of the following elements separated by a tilde (~) character:
ATTRIBUTE ~ LOOKUP DEF
In this format:
ATTRIBUTE:
Refers to the Code Key of the Lookup.PSFT.HRMS.PersonBasicSync.AttributeMapping lookup definition
LOOKUP DEF:
Name of the lookup definition, if the value of the attribute is retrieved from a lookup definition. This lookup is specified in the message-specific configuration lookup.
Consider the scenario discussed in Lookup.PSFT.HRMS.PersonBasicSync.AttributeMapping. In this example, you fetched First Name from the FIRST_NAME node of the XML file.
Now, you must map this First Name defined in the Lookup.PSFT.HRMS.PersonBasicSync.AttributeMapping lookup definition with the resource object attribute First Name defined in the Lookup.PSFT.HRMS.PersonBasicSync.Recon lookup definition Code Key.
For example, if the name of the Code Key column in the Lookup.PSFT.HRMS.PersonBasicSync.AttributeMapping lookup definition is First then you define the mapping in the Lookup.PSFT.HRMS.PersonBasicSync.Recon lookup definition as follows:
Code Key: First Name
Decode: First
In other words, the value for First Name in the Lookup.PSFT.HRMS.PersonBasicSync.Recon lookup definition is fetched from First, defined in the attribute mapping lookup definition.
The same process holds true for Last Name and User ID.
However, to fetch the value of the Employee Type resource object, you must consider the Employee Type lookup definition. Emp Type
is defined in the message-specific attribute lookup, Lookup.PSFT.HRMS.PersonBasicSync.AttributeMapping, which has a value EMP,
which is fetched from the PER_ORG
node in the XML.
Now, Employee Type Lookup is defined in the message-specific configuration, Lookup.PSFT.Message.PersonBasicSync.Configuration lookup definition. The mapping is as follows:
Code Key: Employee Type Lookup
Decode: Lookup.PSFT.HRMS.PersonBasicSync.EmpType
In other words, you must search the value EMP
in the Lookup.PSFT.HRMS.PersonBasicSync.EmpType lookup definition. The mapping in the Lookup.PSFT.HRMS.PersonBasicSync.EmpType lookup definition is defined as follows:
Code Key: EMP
Decode: Full-Time
When you create an OIM User, the Employee Type field has Full-Time Employee as the value.
The Lookup.PSFT.HRMS.PersonBasicSync.EmpType lookup definition is used when person data is received for an account.
The lookup definition has the following entries:
Code Key | Decode |
---|---|
EMP |
Full-Time |
CWR |
Part-Time |
POI |
Temp |
In the preceding table:
CWR represents Contingent Worker.
EMP represents Employee.
POI represents Person of Interest.
The Lookup.PSFT.HRMS.PersonBasicSync.Validation lookup definition is used to store the mapping between the attribute for which validation has to be applied and the validation implementation class.
The Lookup.PSFT.HRMS.PersonBasicSync.Validation lookup definition is empty by default.
See Configuring Validation of Data During Reconciliation for more information about adding entries in this lookup definition.
The Lookup.PSFT.HRMS.PersonBasicSync.Transformation lookup definition is used to store the mapping between the attribute for which transformation has to be applied and the transformation implementation class.
The Lookup.PSFT.HRMS.PersonBasicSync.Transformation lookup definition is empty by default.
See Configuring Transformation of Data During Reconciliation for more information about adding entries in this lookup definition.
The following lookup definitions are used to process the WORKFORCE_SYNC messages:
The Lookup.PSFT.Message.WorkForceSync.Configuration lookup definition provides the configuration-related information for the WORKFORCE_SYNC and WORKFORCE_FULLSYNC messages for reconciliation.
The Lookup.PSFT.Message.WorkForceSync.Configuration lookup definition has the following entries:
Code Key | Decode | Description |
---|---|---|
Attribute Mapping Lookup |
Lookup.PSFT.HRMS.WorkForceSync.AttributeMapping |
Name of the lookup definition that maps Oracle Identity Manager attributes with attributes in the WORKFORCE_SYNC and WORKFORCE_FULLSYNC message XML See Lookup.PSFT.HRMS.WorkForceSync.AttributeMapping for more information about this lookup definition. |
Custom Query |
Enter a Value |
If you want to implement limited reconciliation, then enter the query condition that you create by following the instructions given in Limited Reconciliation. |
Custom Query Lookup Definition |
Lookup.PSFT.HRMS.CustomQuery |
This entry holds the name of the lookup definition that maps resource object fields with OIM User form fields. This lookup definition is used during application of the custom query. See Limited Reconciliation for more information. |
Data Node Name |
Transaction |
Name of the node in the XML files to run a transaction |
Employee Status Lookup |
Lookup.PSFT.HRMS.WorkForceSync.EmpStatus |
Name of the lookup definition that maps the value of the ACTION node retrieved from the WORKFORCE_SYNC message XML with the status to be shown on Oracle Identity Manager for an employee See Lookup.PSFT.HRMS.WorkForceSync.EmpStatus for more information about this lookup definition. |
Employee Type Lookup |
Lookup.PSFT.HRMS.WorkForceSync.EmpType |
Name of the lookup definition that stores all valid person types and components of the Employee person type in the target system See Lookup.PSFT.HRMS.WorkForceSync.EmpType for more information about this lookup definition. |
Message Handler Class |
oracle.iam.connectors.psft.common.handler.impl.PSFTWorkForceSyncReconMessageHandlerImpl |
Name of the Java class that accepts the XML payload, configuration information, and a handle to Oracle Identity Manager. Depending on the message type, it retrieves the appropriate configuration from Oracle Identity Manager and processes the message. To parse a specific message type, it relies on a Message Parser factory. If you want a customized implementation of the message, then you must extend the See Also: Configuring the Connector Messages. |
Message Parser |
oracle.iam.connectors.psft.common.parser.impl.JobMessageParser |
Name of the parser implementation class that contains the logic for message parsing If you want a customized implementation of the message, then you must extend the See Also: Configuring the Connector Messages. |
Recon Lookup Definition |
Lookup.PSFT.HRMS.WorkForceSync.Recon |
Name of the lookup definition that maps Oracle Identity Manager attribute with Resource Object attribute See Lookup.PSFT.HRMS.WorkForceSync.Recon for more information about this lookup definition. |
Resource Object |
Peoplesoft HRMS |
Name of the resource object |
Transformation Lookup Definition |
Lookup.PSFT.HRMS.WorkForceSync.Transformation |
Name of the transformation lookup definition It is empty by default. See Lookup.PSFT.HRMS.WorkForceSync.Transformation for more information about this lookup definition. |
Use Transformation |
No |
Enter |
Use Validation |
No |
Enter |
Validation Lookup Definition |
Lookup.PSFT.HRMS.WorkForceSync.Validation |
Name of the validation lookup definition It is empty by default. See Lookup.PSFT.HRMS.WorkForceSync.Validation for more information about this lookup definition. |
The Lookup.PSFT.HRMS.WorkForceSync.AttributeMapping lookup definition maps OIM User attributes with the attributes defined in the WORKFORCE_SYNC message XML. The following is the format of the values stored in this lookup definition:
Code Key | Decode |
---|---|
Department |
DEPTID~JOB~None~EFFDT |
Full Part Time |
FULL_PART_TIME~JOB~None~EFFDT |
Job ID |
JOBCODE~JOB~None~EFFDT |
Per Org |
PER_ORG~JOB~None~EFFDT |
Reg Temp |
REG_TEMP~JOB~None~EFFDT |
Start Date |
EFFDT~JOB~None~EFFDT |
Status |
ACTION~JOB~None~EFFDT |
Supervisor ID |
SUPERVISOR_ID~JOB~NONE~EFFDT |
User ID |
EMPLID~PER_ORG_ASGN~None~None~PRIMARY |
Code Key: Name of the OIM User field
Decode: Combination of the following elements separated by a tilde (~) character:
NODE~PARENT NODE~TYPE NODE=Value~EFFECTIVE DATED NODE~PRIMARY
In this format:
NODE:
Name of the node in the WORKFORCE_SYNC message XML file from which the value is read. You must specify the name of the NODE in the lookup definition. It is a mandatory field.
PARENT NODE:
Name of the parent node for the NODE. You must specify the name of the PARENT NODE in the lookup definition. It is a mandatory field.
TYPE NODE=Value:
Type of the node associated with the NODE value. Value defines the Type of the Node.
EFFECTIVE DATED NODE:
Effective Dated Node for the NODE, if any.
PeopleSoft supports effective-dated events. The value refers to the name of the node that provides information about the date on which the event becomes effective.
For example, Department can be effective-dated in PeopleSoft. The EFFDT node in XML provides the date on which the name becomes effective for the OIM User.
PRIMARY:
Specifies if the node is a mandatory field.
The following scenario illustrates how to map the entries in the lookup definition. On the target system, there is no direct equivalent for the Department
attribute of the OIM User. As a workaround, a combination of elements is used to decipher the value. See the sample XML file in Figure 1-5 for more information about each node in the WORKFORCE_SYNC message XML.
Figure 1-5 Sample XML File for WORKFORCE_SYNC Message
If you want to fetch the value for the Department
Code Key from the XML then the NODE is DEPTID.
The PARENT NODE for DEPTID
is JOB.
There is no Type Node defined for this attribute. Therefore, the value None
is specified in the Decode combination. But, you must locate the EFFDT
node in the XML for that parent node. In Oracle Identity Manager, you must specify a mandatory field, such as User ID
for reconciliation. In other words, it implies that you have to specify User ID
as the primary node to retrieve the value from XML.
This Lookup.PSFT.HRMS.WorkForceSync.Recon lookup definition maps the resource object field name with the value fetched from the Lookup.PSFT.HRMS.WorkForceSync.AttributeMapping lookup definition. The following is the format of the values stored in this lookup definition:
Code Key | Decode |
---|---|
Department |
Department |
Effective Start Date |
Start Date |
Employee Type |
|
Job Code |
Job ID |
Status |
|
Supervisor ID |
Supervisor ID |
User ID |
User ID |
Code Key: Name of the resource object field in Oracle Identity Manager
Decode: Combination of the following elements separated by a tilde (~) character:
ATTRIBUTE ~ LOOKUP DEF
In this format:
ATTRIBUTE: Refers to the Code Key of the Lookup.PSFT.HRMS.WorkForceSync.AttributeMapping lookup definition
LOOKUP DEF: Name of the lookup definition, if the value of the attribute is retrieved from a lookup. This lookup is specified in the message-specific configuration lookup.
Consider the scenario discussed in Lookup.PSFT.HRMS.WorkForceSync.AttributeMapping. In this example, you fetched the Department
defined in the Code Key column from the DEPTID
node of the XML file.
Now, you must map this Department
defined in the Lookup.PSFT.HRMS.WorkForceSync.AttributeMapping lookup definition with the resource object attribute, Department
defined in the Lookup.PSFT.HRMS.WorkForceSync.Recon lookup definition.
For example, if the name of the Code Key column in the Lookup.PSFT.HRMS.WorkForceSync.AttributeMapping lookup definition is Dept
, then you must define the mapping as follows:
Code Key: Department
Decode: Dept
In other words, this implies that the value for Department
in the Lookup.PSFT.HRMS.WorkForceSync.Recon lookup definition is fetched from Dept
defined in the attribute mapping lookup.
Similarly, values for all other attributes are fetched from the XML.
However, to fetch the value of the Employee Type
resource object, you must concatenate the values obtained from Per Org, Reg Temp,
and Full Part Time
resource objects defined in the attribute lookup. This value is then searched in the Employee Type Lookup. The values obtained from each node are combined using a double hash (##).
The Per Org
defined in the Lookup.PSFT.HRMS.WorkForceSync.AttributeMapping lookup definition has a value EMP
that is fetched from the PER_ORG
node in the XML. Similarly, the values obtained for Reg Temp
and Full Part Time
from XML are T
and P
, respectively. If you combine these values, it becomes a concatenated string of the following format:
EMP##T##P
Now, you must locate this value in the Employee Type Lookup, which is defined in the message-specific configuration, Lookup.PSFT.Message.WorkForceSync.EmpType lookup definition. The mapping is as follows:
Code Key: EMP##T##P
Decode: Temp
Therefore, during reconciliation, the value for the EMP##T##P employee type is reconciled into the corresponding Employee Type field of Oracle Identity Manager.
The Lookup.PSFT.HRMS.WorkForceSync.EmpStatus lookup definition maps the value retrieved from the ACTION node of the WORKFORCE_SYNC message XML with the status to be shown on Oracle Identity Manager for the employee.
The following is the format of the values stored in this table:
Code Key: ACTION value retrieved from the WORKFORCE_SYNC message XML
Decode: Active or Disabled in Oracle Identity Manager
Note:
You must define the mapping for all Actions to be performed on the target system in this lookup definition.
Code Key | Decode |
---|---|
ADD |
Active |
ADL |
Active |
ASG |
Disabled |
BON |
Active |
COM |
Disabled |
DEM |
Disabled |
DTA |
Disabled |
FSC |
Disabled |
HIR |
Active |
JED |
Disabled |
JRC |
Active |
LOA |
Disabled |
LOF |
Disabled |
LTO |
Disabled |
PAY |
Active |
PLA |
Disabled |
POI |
Active |
POS |
Disabled |
PRB |
Disabled |
PRO |
Active |
REC |
Active |
STD |
Disabled |
SUB |
Disabled |
TDL |
Disabled |
TER |
Disabled |
TWB |
Disabled |
TWP |
Disabled |
XFR |
Active |
For example, for the action HIRE for an employee, the data fetched from the ACTION node of the XML message is HIR.
The Decode column of the lookup definition stores the corresponding mapping for this action. To display Active
on Oracle Identity Manager for the action HIRE, you must define the following mapping:
Code Key: HIR
Decode: Active
See Setting Up the Lookup.PSFT.HRMS.WorkForceSync.EmpStatus Lookup Definition for adding an entry in this lookup definition.
The connector can reconcile all valid person types that are stored in the target system, and all components of the Employee person type. The following example describes how this is done.
The record of a temporary, part-time, Contingent Worker is reconciled from the target system. During reconciliation, you use the Lookup.PSFT.HRMS.WorkForceSync.EmpType lookup definition to determine the Employee Type field to which the person type is mapped. In this lookup definition, the person type value from the target system is used as the Code Key, and its corresponding Decode value is used to fill the specific Employee Type field. Therefore, during reconciliation, the value of the temporary, part-time, Contingent Worker person type is reconciled into the corresponding Employee Type field of Oracle Identity Manager.
The Lookup.PSFT.HRMS.WorkForceSync.EmpType lookup definition has the following entries:
Note:
The Decode values are case-sensitive.
Code Key | Decode |
---|---|
CWR##R##D |
Consultant |
CWR##R##F |
Consultant |
CWR##R##P |
Full-Time |
CWR##T##D |
Consultant |
CWR##T##F |
Temp |
CWR#T##P |
Intern |
EMP##R##D |
Consultant |
EMP##R##F |
Full-Time |
EMP##R##P |
Temp |
EMP##T##D |
Consultant |
EMP##T##F |
Part-Time |
EMP##T##P |
Temp |
POI##R##D |
Consultant |
POI##R##F |
Full-Time |
POI##R##P |
Temp |
POI##T##D |
Consultant |
POI##T##F |
Part-Time |
POI##T##P |
Temp |
In the preceding table:
CWR represents Contingent Worker.
EMP represents Employee.
POI represents Person of Interest.
R represents Regular.
T represents Temporary.
D represents On-Demand.
F represents Full Time.
P represents Part Time.
The Lookup.PSFT.HRMS.WorkForceSync.Validation lookup definition is used to store the mapping between the attribute for which validation has to be applied and the validation implementation class.
The Lookup.PSFT.HRMS.WorkForceSync.Validation lookup is empty by default.
The Lookup.PSFT.HRMS.WorkForceSync.Transformation lookup definition is used to store the mapping between the attribute for which transformation has to be applied and the transformation implementation class.
The Lookup.PSFT.HRMS.WorkForceSync.Transformation lookup is empty by default.
The following are the predefined generic lookup definitions:
The Lookup.PSFT.HRMS.ExclusionList lookup definition provides a list of user IDs or person IDs that cannot be created on Oracle Identity Manager.
The following is the format of the values stored in this table:
Code Key: User ID resource object field name
Decode: List of user IDs separated by the tilde character (~)
See Setting Up the Lookup.PSFT.HRMS.ExclusionList Lookup Definition for more information.
You can configure limited reconciliation to specify the subset of target system records that must be fetched into Oracle Identity Manager. This subset is defined on the basis of attribute values that you specify in a query condition, which is then applied during reconciliation.
The Lookup.PSFT.HRMS.CustomQuery lookup definition maps resource object fields with OIM User form fields. It is used during application of the query condition that you create. See Limited Reconciliation for more information. Setting Up the Lookup.PSFT.HRMS.CustomQuery Lookup Definition provides instructions on how to add an entry in this lookup definition.
The following is the format of the values stored in this table:
Code Key: Resource object field name
Decode: Column name of the USR table
Code Key | Decode |
---|---|
Department |
USR_UDF_DEPARTMENT_ID |
Effective Start Date |
Users.Start Date |
Employee Type |
Users.Role |
First Name |
Users.First Name |
Last Name |
Users.Last Name |
Manager ID |
Users.Manager Login |
Manager Name |
USR_UDF_MANAGER_NAME |
Organization Name |
Organizations.Organization Name |
Status |
Users.Status |
Supervisor ID |
USR_UDF_SUPERVISOR_ID |
User ID |
Users.User ID |
User Type |
Users.Xellerate Type |
The following shows how information is organized in the rest of the guide:
Deploying the Connector describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Using the Connector provides information about the tasks that must be performed each time you want to run reconciliation.
Extending the Functionality of the Connector describes procedures that you can perform to extend the functionality of the connector.
Testing and Troubleshooting provides information about testing the connector.
Known Issues and Workarounds lists the known issues associated with this release of the connector.
Determining the Root Audit Action Details provides information about root audit action.
Configuring the Connector Messages describes the procedure to configure the connector messages of release 9.1.0.x.y with that of the current release.
Setting Up SSL on Oracle WebLogic Server describes how to configure SSL on Oracle WebLogic Server for PeopleTools 8.50.
Changing Default Message Versions describes how to activate and deactivate message versions.