1 About the Connector

The PeopleSoft User Management connector helps you to manage PeopleTools-based PSOPRDEFN user profile records in PeopleSoft applications including Role and Permission List assignments to these records.

This chapter contains the following sections:

1.1 Introduction to the PeopleSoft User Management Connector

Oracle Identity Manager automates access rights management, security, and provisioning of resources to various target systems. Oracle Identity Manager Connectors are used to integrate Oracle Identity Manager with target applications. This guide discusses the connector that enables you to use PeopleSoft Enterprise Applications as a managed (target) source of user profile data for Oracle Identity Manager.

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, PeopleSoft Enterprise Applications has been referred to as the target system.

The PeopleSoft User Management connector helps you to manage PeopleTools-based PSOPRDEFN user profile records in PeopleSoft applications including Role and Permission List assignments to these records. This is done through target resource reconciliation and provisioning.

In the target resource configuration, information about user accounts created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

See Also:

Installing Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about connector deployment configurations

1.2 Certified Components

Table 1-1 lists the components certified for use with the connector.

Table 1-1 Certified Components

Item Requirement

Oracle Identity Governance or Oracle Identity Manager

You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:

  • Oracle Identity Governance 12c (12.2.1.4.0)

  • Oracle Identity Governance 12c (12.2.1.3.0)

  • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0)

  • Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) and any later BP in this release track

  • Oracle Identity Manager 11g Release 1 BP06 (11.1.1.5.6) and any later BP in this release track

Target systems

The target system can be any one of the following:

  • PeopleTools 8.48

  • PeopleTools 8.49

  • PeopleTools 8.50

  • PeopleTools 8.51

  • PeopleTools 8.52

  • PeopleTools 8.53

  • PeopleTools 8.54

  • PeopleTools 8.55

  • PeopleTools 8.56

  • PeopleTools 8.57

Note: If you are using PeopleTools 8.54, full reconciliation operation may not work as expected. Apply PeopleSoft Patch 21109998 using the following URL for this operation to work successfully:

https://support.oracle.com/

Connector Server

11.1.2.1.0

Connector Server JDK

JDK 1.6 Update 24 or later, or JRockit 1.6 or later

If you are using PeopleTools 8.53, PeopleTools 8.54, or PeopleTools 8.55, see JDK Requirement for PeopleTools 8.53, PeopleTools 8.54, and PeopleTools 8.55, for information related to JDK requirement.

If you are using PeopleTools 8.56 or PeopleTools 8.57, see JDK Requirement for PeopleTools 8.56 and PeopleTools 8.57, for information related to JDK requirement.

Other Software

Ensure that the following components are installed and configured in the target system environment:

  • Tuxedo and Jolt (the application server)

  • PeopleSoft Internet Architecture

  • PeopleSoft Application Designer (2-tier mode)

The following standard PeopleSoft messages are available:

  • USER_PROFILE

  • DELETE_USER_PROFILE

SoD engine

If you want to enable and use the Segregation of Duties (SoD) feature of Oracle Identity Manager release 11.1.1.5 BP01 with this target system, then install Oracle Applications Access Controls Governor (OAACG) release 8.6.

See SoD Validation of Entitlement Provisioning for more information about the SoD feature.

1.3 Determining the Version of PeopleTools and the Target System

Before you deploy the connector, you might want to determine the version of PeopleTools and the target system you are using to check whether you are using the combination supported by this connector.

To determine the version of PeopleTools and the target system you are using:
  1. Open a Web browser and enter the URL of PeopleSoft Internet Architecture. The URL of PeopleSoft Internet Architecture is in the following format:
    http://IPADDRESS:PORT/psp/ps/?cmd=login

    For example:

    http://172.21.109.69:9080/psp/ps/?cmd=login
  2. Click Change My Password. On the page that is displayed, press Ctrl+J. The versions of PeopleTools and the target system that you are using are displayed.

1.4 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

  • If you are using an Oracle Identity Manager release 9.1.0.2 BP05 or later and earlier than Oracle Identity Manager 11g Release 1 BP06 (11.1.1.5.6), then you must use the 9.1.1 version of this connector.

  • If you are using Oracle Identity Manager 11g Release 1 BP06 (11.1.1.5.6) or later, Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) or later, or Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0), then use the latest 11.1.1.x version of this connector.

1.5 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese Simplified

  • Chinese Traditional

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

  • Spanish

1.6 Connector Architecture

The architecture of the connector can be explained in terms of the connector operations it supports.

This section contains the following topics:

1.6.1 About the Connector Architecture

Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of the Connector


The target system is configured as a trusted source of identity data for Oracle Identity Manager. In other words, identity data that is created and updated on the target system is fetched into Oracle Identity Manager and used to create and update OIM Users.

The connector is implemented using the Identity Connector Framework (ICF). The ICF provides a container that separates the connector bundle from the application. The ICF also provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering.

For more information about the ICF, see Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

1.6.2 Reconciliation

PeopleSoft Enterprise Application is configured as a target resource of Oracle Identity Manager. Through reconciliation, account data that is created and updated on the target system is fetched into Oracle Identity Manager and stored against the corresponding OIM Users.

Standard PeopleSoft XML files and messages are the medium of data interchange between PeopleSoft Enterprise Applications and Oracle Identity Manager.

The method by which account data is sent to Oracle Identity Manager depends on the type of reconciliation that you configure as follows:

1.6.2.1 Lookup Reconciliation

A lookup reconciliation run fetches the records of Email Types, Currency Codes, Language Codes, Permission Lists, and Roles from the target system. Running PeopleSoft's Application Engine process generates these properties files at a specified location. Lookup reconciliation stores the information from these properties files into Oracle Identity Manager as reference data for subsequent use in provisioning.

You must run lookup reconciliation at periodic intervals to ensure that all the lookup data is reconciled into Oracle Identity Manager. See Performing Lookup Reconciliation for instructions to perform Lookup reconciliation.

1.6.2.2 Full Reconciliation

Note:

To reconcile all existing target system records into Oracle Identity Manager, you must run full reconciliation the first time you perform a reconciliation run after deploying the connector. This is to ensure that the target system and Oracle Identity Manager contain the same data.

PeopleSoft uses its standard message format USER_PROFILE to send user profile data to external applications such as Oracle Identity Manager. Full reconciliation fetches all of these records from the target system to reconcile records in Oracle Identity Manager. Full reconciliation within Oracle Identity Manager is implemented using the USER_PROFILE XML file that PeopleSoft generates. See Support for Standard PeopleSoft Messages for more information about the message.

Full reconciliation involves the following steps:

  1. The PeopleSoft Integration Broker populates the XML files for the USER_PROFILE message with all the user profile data.
  2. Copy these XML files to a directory on the Oracle Identity Manager host computer.
  3. Configure the PeopleSoft User Management Target Reconciliation scheduled task. The XML files are read by this scheduled task to generate reconciliation events.

See Performing Full Reconciliation for instructions to perform full reconciliation.

1.6.2.3 Incremental Reconciliation

Incremental reconciliation involves real-time reconciliation of newly created or modified user data. It is achieved by PeopleSoft standard messages, such as USER_PROFILE and DELETE_USER_PROFILE. See Support for Standard PeopleSoft Messages for more information about these messages. You use incremental reconciliation to reconcile individual data changes after an initial, full reconciliation run has been performed. Incremental reconciliation is performed using PeopleSoft application messaging.

Incremental reconciliation involves the following steps:

  1. When user data is added, updated, or deleted in the target system, a PeopleCode event is activated.
  2. The Integration Broker generates an XML message, such as USER_PROFILE or DELETE_USER_PROFILE, which contains the modified or deleted user data and sends it in real time to the PeopleSoft listener over HTTP. The PeopleSoft listener is a Web application that is deployed on the Oracle Identity Manager host computer. If SSL is configured, then the message is sent to the PeopleSoft listener over HTTPS.
  3. The PeopleSoft listener parses the XML message and creates a reconciliation event in Oracle Identity Manager.

See Performing Incremental Reconciliation for instructions to perform incremental reconciliation.

Note:

During connector deployment, the PeopleSoft listener is deployed as an EAR file.

1.6.3 Provisioning

PeopleSoft Enterprise Application is configured as a target resource of Oracle Identity Manager. Through provisioning operations performed on Oracle Identity Manager, accounts are created and updated on the target system for OIM Users.

During a provisioning operation, the adapters pass on to PeopleSoft Enterprise Applications user data that are created, modified or deleted in Oracle Identity Manager.

The connector, by default, supports Customer and Vendor ID types in addition to the Employee ID type. The connector is enhanced to support new ID types depending on the PeopleSoft application module being provisioned. The new ID type can then be linked to a user profile for provisioning. See Adding New ID Types for more information.

See SoD Validation of Entitlement Provisioning for information about the process followed for provisioning of role entitlements in an SoD-enabled environment.

1.6.4 Deployment Options

The PeopleSoft Internet Architecture is flexible; this means that you have many options to consider for deploying PeopleSoft across your enterprise. The following section describes a split-deployment scenario where the Jolt listener resides on a different computer than the Integration Broker.

Figure 1-2 shows the architecture of the connector that supports a split-deployment scenario.

Figure 1-2 Architecture of the Connector for a Split-Deployment Scenario


In this configuration:

  1. The Application Engine is run to generate the properties files for lookup reconciliation at a user-specified location on PeopleSoft Application Server. These files are then fed to the respective scheduled tasks in Oracle Identity Manager for lookup reconciliation. See Configuring the Scheduled Jobs for Lookup Field Synchronization for more information.
  2. Similarly, the Integration Broker creates PeopleSoft standard XML files at a user specified location on PeopleSoft Application Server for full reconciliation. These XML files are read by PeopleSoft User Management Target Reconciliation scheduled task to generate reconciliation events.
  3. Incremental reconciliation is achieved by sending in real time standard PeopleSoft XML messages directly from PeopleSoft Integration Broker to the PeopleSoft listener over HTTP. The PeopleSoft listener is a Web application that is deployed on the Oracle Identity Manager host computer.
  4. Provisioning of PeopleSoft user accounts is implemented from Oracle Identity Manager through the PeopleSoft Component Interface-based Java APIs. These APIs connect to the Application Server Jolt port through a limited rights user who has the privilege to add, update, and delete PeopleSoft user accounts.

1.7 Features of the Connector

The following are the features of the connector:

1.7.1 Full and Incremental Reconciliation

The connector supports reconciliation in two ways:

In a full reconciliation run, all records are fetched from the target system to Oracle Identity Manager in the form of XML files. In incremental reconciliation, records that are added, modified, or deleted are directly sent to the listener deployed on the Oracle Identity Manager host computer. The listener parses the records and sends reconciliation events to Oracle Identity Manager.

1.7.2 Support for Standard PeopleSoft Messages

PeopleSoft provides standard messages to synchronize user profiles with external applications, such as Oracle Identity Manager. The connector uses these standard PeopleSoft messages that are delivered as part of PeopleSoft installation to achieve full reconciliation and incremental reconciliation. They are listed as follows:

  • USER_PROFILE

  • DELETE_USER_PROFILE

    The USER_PROFILE message contains information about user accounts that are created or modified. The DELETE_USER_PROFILE message contains information about user accounts that are deleted.

    Fetching all the records present in PeopleSoft to Oracle Identity Manager is implemented by running the USER_PROFILE message. Similarly, when a user profile is updated in PeopleSoft, the USER_PROFILE message is triggered. Oracle Identity Manager uses this message for incremental reconciliation. Similarly, when a user profile is deleted in PeopleSoft, the DELETE_USER_PROFILE message is triggered from PeopleSoft to delete the corresponding provisioned resource in Oracle Identity Manager. The DELETE_USER_PROFILE is supported through incremental reconciliation.

    To distinguish between the full and incremental reconciliation USER_PROFILE XML messages, you must identify the number of transaction nodes in the message. In case of full reconciliation, the USER_PROFILE message has multiple transaction nodes. But, in incremental reconciliation, the USER_PROFILE message has a single transaction node for a particular user.

1.7.3 Support for Resending Messages That Are Not Processed

Standard messages provided by PeopleSoft are asynchronous. In other words, if a message is not delivered successfully, the PeopleSoft Integration Broker marks that message as not delivered. The message can then be retried manually.

If the connector is not able to process the message successfully, it sends an error code and PeopleSoft Integration Broker marks that message as Failed. A message marked as Failed can be resent to the listener. See Resending Messages That Are Not Received by the PeopleSoft Listener for details.

See Also:

Resubmitting and Canceling Service Operations for Processing topic in the PeopleBook Enterprise PeopleTools 8.49 PeopleBook: PeopleSoft Integration Broker available on Oracle Technology Network:

http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tibr/book.htm

1.7.4 Target Authentication

Target authentication is done to validate whether Oracle Identity Manager should accept messages from the target system or not. Target authentication is done by passing the name of the IT resource in the Integration Broker node. You must ensure that the correct value of the IT resource name is specified in the node. See Configuring PeopleSoft Integration Broker for setting up the node.

In addition, the flag IsActive is used to verify whether the IT resource is active or not. The value of this flag is Yes, by default. When this value is Yes, target authentication is carried out. Target authentication fails if it is set to No.

Target authentication is also carried out during a ping request from the PeopleSoft node.

1.7.5 SoD Validation of Entitlement Provisioning

This connector supports the SoD feature in Oracle Identity Manager release 11.1.1.5 BP01.

This section contains the following topics:

1.7.5.1 About SoD Validation of Entitlement Provisioning

The following are the focal points of this feature:

  • The SoD Invocation Library (SIL) is bundled with Oracle Identity Manager release. The SIL acts as a pluggable integration interface with any SoD engine.

  • The connector is preconfigured to work with Oracle Applications Access Controls Governor as the SoD engine. To enable this, changes have been made in the provisioning workflows of the connector.

  • The SoD engine processes role entitlement requests that are sent through the connector. Potential conflicts in role assignments can be automatically detected.

1.7.5.2 SoD Validation Process

When you enable SoD, an entitlement is provisioned only after the SoD validation clears the request for the entitlement. Users can create entitlement requests for themselves. Alternatively, administrators can submit entitlement requests on behalf of users.

Note:

The connector supports the scenario in which a single request is created for multiple roles and a single approver is assigned the entire request.

The SoD validation process is asynchronous. The response from the SoD engine must be brought to Oracle Identity Manager by a scheduled task.

Request-based provisioning of roles involves the following steps:

  1. A request for a role is created.

    Provisioning Operations Performed in an SoD-Enabled Environment describes the procedure to create the request.

  2. After the standard approval process, the SoD Checker process task is triggered. This process task is completed by running the GetSODCheckResultApproval scheduled task from the task scheduler.

    Note:

    The approver should not approve/deny this task manually while approving the request.

    After the SoD Checker process task is run and the SoD Check result is passed, the Human Approval task (if it has been defined) is triggered.

  3. If the approval process clears the request, then the request data is sent to the process form. When this data reaches the target system, the role is assigned to the user.

    Note:

    If SoD is not enabled or if the provisioning operation does not include entitlement provisioning, then the SODCheckStatus field remains in the SODCheckNotInitiated state.

    If the approval process does not clear the request, then the status of the request is set to Denied.

1.7.6 Validation and Transformation of Account Data

You can configure validation and transformation of account data that is brought into or sent from Oracle Identity Manager during reconciliation and provisioning.

1.7.7 Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads such as network latency, memory allocation, and authentication.

One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools are created, one for each target system installation.

Setting up the Lookup.PSFT.Configuration Lookup Definition for Connection Pooling provides information about connection pooling.

Note:

The connector does not support connection pooling for provisioning multiple versions of the target system. In other words, connection pooling is supported only when provisioning is done for one version of the target system. In this case, the Multiple Version Support parameter is set to No in the Lookup.PSFT.Configuration lookup definition.

1.7.8 Adding New ID Types

You can configure the connector to support additional ID types effortlessly. The connector by default supports the following ID types other than the Employee (EMP) ID type:

  • Customer (CST)

  • Vendor (VND)

The following additional attributes are provided in the Oracle Identity Manager process form to support these ID types:

For Customer:

  • Customer ID

  • Customer Set ID

For Vendor:

  • Vendor ID

  • Vendor Set ID

Adding New ID Types for Provisioning describes the procedure to add ID types.

1.7.9 Deleting User Accounts

The DELETE_USER_PROFILE component interface definition is used to delete user profile definitions. The delCompIntfcKey key is defined in the PeopleSoft Component Interface map definition file, PeopleSoftComponentInterfaces.xml.

The Lookup.PSFT.Configuration lookup definition contains a mapping for the delCompIntfcKey key to determine the user profile to be used for delete operations.

1.7.10 Specifying Accounts to Be Excluded from Reconciliation and Provisioning Operations

You can specify a list of accounts that must be excluded from all reconciliation and provisioning operations. Accounts whose user IDs you specify in the exclusion list are not affected by reconciliation and provisioning operations.

Lookup Definitions for Exclusion Lists describes the lookup definitions where you specify the user IDs to be excluded during reconciliation and provisioning operations. Setting Up the Lookup Definitions for Exclusion Lists describes the procedure to add entries in these lookup definitions.

1.7.11 Support for Multiple Versions of the Target System

Note:

See Certified Components for information about the supported PeopleTools versions. If you are using a PeopleTools version that is not supported, then you are likely to encounter issues that might be difficult to resolve.

The connector can be configured to work with different versions of the target system at the same time without any custom class loader. The connector uses the Identity Connector Framework (ICF) connector class loader for this feature. For example, you can use a single instance of the connector to integrate Oracle Identity Manager with a PeopleTools 8.48 installation and a PeopleTools 8.49 installation.

See Configuring the Connector to Support Multiple Versions of the Target System for more information.

1.7.12 Features Provided by the Identity Connector Framework

The Identity Connector Framework (ICF) is a component that provides basic provisioning, reconciliation, and other functions that all Oracle Identity Manager connectors require. The ICF also uses classpath isolation, which allows the PeopleSoft connector to co-exist with legacy versions of the connector.

For more information, see Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

1.7.13 Support for the Connector Server

If required by your deployment, you can deploy the connector in the Connector Server. For more information, see Installing and Configuring the Connector Server.

1.8 Lookup Definitions Used During Connector Operations

Lookup definitions used during connector operations can be categorized as follows:

1.8.1 Lookup Definitions Synchronized with the Target System

During a provisioning operation, you use a lookup field to specify a single value from a set of values. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

Note:

As an implementation best practice, lookup fields should be synchronized before you perform reconciliation or provisioning operations.

Table 1-2 lists the lookup fields that are synchronized with their corresponding lookup definitions in Oracle Identity Manager.

Table 1-2 Lookup Fields That Are Synchronized

| Lookup Definition | Target System Lookup Field | Synchronization Method |
|---|---|---|
| Lookup.PSFT.UM.LanguageCode | Language Code | You use the Language Code Lookup Reconciliation scheduled task to synchronize this lookup definition. |
| Lookup.PSFT.UM.CurrencyCode | Currency Code | You use the Currency Code Lookup Reconciliation scheduled task to synchronize this lookup definition. |
| Lookup.PSFT.UM.PermissionList | Permission Lists | You use the Permission List Lookup Reconciliation scheduled task to synchronize this lookup definition. |
| Lookup.PSFT.UM.EmailType | Email Type | You use the Email Type Lookup Reconciliation scheduled task to synchronize this lookup definition. |
| Lookup.PSFT.UM.Roles | Role Name | You use the Roles Lookup Reconciliation scheduled task to synchronize this lookup definition. |

1.8.2 Preconfigured Lookup Definitions

This section describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. Either lookup definitions are prepopulated with values or values must be manually entered in them after the connector is deployed.

The predefined lookup definitions can be categorized as follows:

1.8.2.1 Lookup.PSFT.Configuration

The Lookup.PSFT.Configuration lookup definition is used to store configuration information that is used by the connector. See Configuring the IT Resource for information about the entries in this lookup definition.

The Lookup.PSFT.Configuration lookup definition has the following entries:

Code Key Decode Description

Bundle Name

org.identityconnectors.peoplesoftintfc

Name of the connector bundle package. Do not modify this entry.

Bundle Version

1.0.5963

Version of the connector bundle class. Do not modify this entry.

Connector Name

org.identityconnectors.peoplesoft.compintfc.PeopleSoftCompIntfcConnector

Name of the connector class. Do not modify this entry.

Constants Lookup

Lookup.PSFT.UM.Constants

Name of the lookup definition that is used to store constants used by the connector.

delCompIntfcKey

DELETE_USER_PROFILE

Name of the component interface used for delete operations.

DELETE_USER_PROFILE

Lookup.PSFT.Message.DeleteUserProfile.Configuration

Name of the lookup definition for the DELETE_USER_PROFILE message.

Ignore Root Audit Action

No

Use this value if the Root PSCAMA audit action is required to be considered while parsing the XML message.

Use Yes if PSCAMA Audit Action is not taken into account. Here, the Root Audit Action is considered as a Change event.

Use No if PSCAMA Audit Action is taken into account. If Root PSCAMA Audit Action is NULL or Empty, then the Root Audit Action is considered as an ADD event.

See Also: Determining the Root Audit Action Details

mappingFactoryClassName

org.identityconnectors.peoplesoft.common.mapping.idm.IDMSAXComponentInterfacesFactory

TBD

maxFindItems

300

TBD

Recon Exclusion List

Lookup.PSFT.UM.Recon.ExclusionList

Name of the lookup for specifying exclusions during reconciliation

rwCompIntfcKey

USER_PROFILE_8_4X

Note: If you want to support a different component interface, you must change this value. See Connector Component Interfaces for the PeopleSoft User Management for more information.

Name of the component interface used for create and update operations.

Target Date Format

yyyy-MM-dd

Data format of the Date type data in the XML file and messages

Do not modify this entry.

USER_PROFILE.VERSION_84

Lookup.PSFT.Message.UserProfile.Configuration

Name of the lookup definition for the USER_PROFILE message

See Lookup.PSFT.Message.UserProfile.Configuration for more information about this lookup definition.

User Configuration Lookup

Lookup.PSFT.UM.Prov.Configuration

Name of the lookup definition that contains user-specific configuration properties for provisioning. Do not modify this entry.

xmlMapping[LOADFROMURL]

Enter the path to the PeopleSoft Component Interface map definition file.

Sample value: file://PATHTOXML/PeopleSoftComponentInterfaces.xml

This file contains the definitions used by the connector for various operations.

By default, the file is located in the /xml directory of the connector package.

Note: See Connector Component Interfaces for the PeopleSoft User Management for more information about this definition file.

If you deploy the connector on a cluster, you must copy this file to the same location on all the nodes.

The combination of the following fields forms the Identity Connector Framework (ICF) connector key used for identifying the right connector bundle:

  • Bundle Name

  • Bundle Version

  • Connector Name

You can configure the message names, such as USER_PROFILE and DELETE_USER_PROFILE defined in this lookup definition. See Setting Up the Lookup.PSFT.Configuration Lookup Definition for instructions on configuring these message names in the lookup definition.
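The following is an added example, not code from the connector or from this guide. It applies the transaction-node rule from Support for Standard PeopleSoft Messages together with the Ignore Root Audit Action and Recon Exclusion List entries above to an untrusted USER_PROFILE payload. The sample XML is constructed; the MsgData/PSOPRDEFN/PSCAMA nesting, the OPRID and AUDIT_ACTN field names, the A/C/D codes, and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed meaning of the PSCAMA audit codes (standard PeopleSoft values).
AUDIT_CODES = {"A": "ADD", "C": "CHANGE", "D": "DELETE"}


class RejectedPayload(ValueError):
    """Raised when a message must not be turned into reconciliation events."""


def make_txn(oprid, actn):
    # Constructed sample row; the element layout is an assumption, see lead-in.
    return (f"<Transaction><PSOPRDEFN class='R'><OPRID>{oprid}</OPRID></PSOPRDEFN>"
            f"<PSCAMA class='R'><AUDIT_ACTN>{actn}</AUDIT_ACTN></PSCAMA></Transaction>")


def make_message(*txns):
    body = "".join(txns)
    return (f"<?xml version='1.0'?><USER_PROFILE><MsgData>{body}"
            f"</MsgData></USER_PROFILE>").encode("utf-8")


# Constructed samples with made-up user IDs.
INCREMENTAL = make_message(make_txn("JDOE", "C"))
FULL = make_message(make_txn("ASMITH", "A"), make_txn("BLEE", ""),
                    make_txn("PSADMIN", "A"))


def parse_user_profile(payload):
    """Parse an untrusted USER_PROFILE payload; fail closed on anything odd."""
    try:
        text = payload.decode("utf-8")  # strict: no other encodings accepted
    except UnicodeDecodeError as exc:
        raise RejectedPayload("payload is not UTF-8") from exc
    # The message format needs no DTD, so refuse any declaration outright.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise RejectedPayload("DTD or entity declarations are not accepted")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise RejectedPayload(f"malformed XML: {exc}") from exc
    if root.tag != "USER_PROFILE":
        raise RejectedPayload(f"unexpected message {root.tag!r}")
    return root


def root_audit_action(txn, ignore_root_audit_action):
    """Apply the Ignore Root Audit Action rules to one transaction node."""
    if ignore_root_audit_action:  # decode "Yes": always a Change event
        return "CHANGE"
    code = (txn.findtext("PSCAMA/AUDIT_ACTN") or "").strip()
    if not code:  # NULL or empty root audit action is treated as ADD
        return "ADD"
    return AUDIT_CODES.get(code, code)


def plan_events(payload, ignore_root_audit_action=False,
                exclusions=frozenset(), node_name="Transaction"):
    """Return (mode, [(user_id, action), ...]) for one message."""
    root = parse_user_profile(payload)
    txns = root.findall(f".//{node_name}")
    if not txns:
        raise RejectedPayload("message contains no transaction node")
    # Multiple transaction nodes: full reconciliation. One: incremental.
    mode = "full" if len(txns) > 1 else "incremental"
    events = []
    for txn in txns:
        oprid = (txn.findtext("PSOPRDEFN/OPRID") or "").strip()
        if not oprid:
            raise RejectedPayload("transaction without a user ID")
        if oprid in exclusions:  # IDs on the exclusion list are skipped
            continue
        events.append((oprid, root_audit_action(txn, ignore_root_audit_action)))
    return mode, events


if __name__ == "__main__":
    print(plan_events(INCREMENTAL))
    print(plan_events(FULL, exclusions={"PSADMIN"}))
```
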

1.8.2.2 Lookup Definitions Used to Process USER_PROFILE Messages

1.8.2.2.1 Lookup.PSFT.Message.UserProfile.Configuration

The Lookup.PSFT.Message.UserProfile.Configuration lookup definition provides configuration-related information for the USER_PROFILE message.

The Lookup.PSFT.Message.UserProfile.Configuration lookup definition has the following entries:

| Code Key | Decode | Description |
| --- | --- | --- |
| Attribute Mapping Lookup | Lookup.PSFT.UM.UserProfile.ReconAttrMap | Name of the lookup definition that maps Oracle Identity Manager attributes with the attributes in the USER_PROFILE message during reconciliation operations. See Lookup.PSFT.UM.UserProfile.ReconAttrMap for more information about this lookup definition. |
| Child Table Lookup Definition | Lookup.PSFT.UM.UserProfile.ChildTables | Name of the lookup definition that maps resource object fields and multivalued target system attributes during reconciliation operations. |
| Custom Query | Enter a Value | If you want to implement limited reconciliation, then enter the query condition that you create by following the instructions given in Limited Reconciliation. |
| Data Node Name | Transaction | Name of the node in the XML files to run a transaction. Default value: Transaction. You must not change the default value. |
| IT Resource Name | PSFT User | Name of the IT resource |
| Message Handler Class | oracle.iam.connectors.psft.common.handler.impl.PSFTUserProfileReconMessageHandlerImpl | Name of the Java class that accepts the XML payload, configuration information, and a handle to Oracle Identity Manager. Depending on the message type, it retrieves the appropriate configuration from Oracle Identity Manager and processes the message. To parse a specific message type, it relies on a Message Parser factory. If you want a customized implementation of the message, then you must extend the MessageHandler.java class. |
| Message Parser | oracle.iam.connectors.psft.common.parser.impl.UserMessageParser | Name of the parser implementation class that contains the logic for message parsing. If you want a customized implementation of the message, then you must extend the MessageParser.java class. |
| Primary Email Lookup | Lookup.PSFT.UM.PrimaryEmail | Name of the lookup definition used to specify whether an e-mail ID is primary or not |
| Recon Lookup Definition | Lookup.PSFT.UM.UserProfile.Recon | Name of the lookup definition that maps the Oracle Identity Manager attributes with the Resource Object attributes |
| Resource Object | Peoplesoft User | Name of the resource object |
| Transformation Lookup Definition | Lookup.PSFT.UM.UserProfile.Transformation | Name of the transformation lookup definition. See Configuring Transformation of Data During Reconciliation for more information about adding entries in this lookup definition. |
| User Status Lookup | Lookup.PSFT.UM.UserProfile.UserStatus | Name of the lookup definition that provides the user status. See Lookup.PSFT.UM.UserProfile.UserStatus for more information about this lookup definition. |
| Use Transformation | No | Use this parameter to perform transformation. |
| Use Validation | No | Use this parameter to perform validation. |
| Validation Lookup Definition | Lookup.PSFT.UM.ReconValidation | Name of the validation lookup definition for reconciliation. See Configuring Validation of Data During Reconciliation for more information about adding entries in this lookup definition. |

1.8.2.2.2 Lookup.PSFT.UM.UserProfile.ReconAttrMap

The Lookup.PSFT.UM.UserProfile.ReconAttrMap lookup definition maps OIM User attributes with the attributes defined in the USER_PROFILE message XML. The following is the format of the values stored in this lookup definition:

| Code Key | Decode |
| --- | --- |
| Currency Code | CURRENCY_CD~PSOPRDEFN |
| Customer ID | CUST_ID~PSOPRALIAS~OPRALIASTYPE=CST |
| Customer Set ID | SETID~PSOPRALIAS~OPRALIASTYPE=CST |
| Email ID | EMAILID~PSUSEREMAIL~None~None~CHILD=Email IDs |
| Email Type | EMAILTYPE~PSUSEREMAIL~None~None~CHILD=Email IDs |
| Employee ID | EMPLID~PSOPRALIAS~OPRALIASTYPE=EMP |
| Language Code | LANGUAGE_CD~PSOPRDEFN |
| Multi Language Code | MULTILANG~PSOPRDEFN |
| Navigator Home Permission List | DEFAULTNAVHP~PSOPRDEFN |
| Primary Email | EMAILID~PSUSEREMAIL~PRIMARY_EMAIL=Y |
| Primary Permission List | OPRCLASS~PSOPRDEFN |
| Process Profile Permission List | PRCSPRFLCLS~PSOPRDEFN |
| Return ID | OPRID~PSOPRDEFN~None~None~PRIMARY |
| Role | ROLENAME~PSROLEUSER_VW~None~None~CHILD=Roles |
| Row Security Permission List | ROWSECCLASS~PSOPRDEFN |
| Symbolic ID | SYMBOLICID~PSOPRDEFN |
| User Description | OPRDEFNDESC~PSOPRDEFN |
| User ID | OPRID~PSOPRDEFN~None~None~PRIMARY |
| User ID Alias | USERIDALIAS~PSOPRDEFN |
| User Status | ACCTLOCK~PSOPRDEFN |
| Vendor ID | VENDOR_ID~PSOPRALIAS~OPRALIASTYPE=VND |
| Vendor Set ID | SETID~PSOPRALIAS~OPRALIASTYPE=VND |

Code Key: Name of the OIM User field

Decode: Combination of the following elements separated by the tilde (~) character:

NODE~PARENT NODE~TYPE NODE=Value~EFFECTIVE DATED NODE~PRIMARY or CHILD=Multivalued Child Table RO Field

In this format:

NODE: Name of the node in the USER_PROFILE message XML from which the value is read. You must specify the name of the NODE in the lookup definition. It is a mandatory field.

PARENT NODE: Name of the parent node for the NODE. You must specify the name of the parent node in the lookup definition. It is a mandatory field.

TYPE NODE=Value: Type of the node associated with the Node value. Value defines the type of the Node.

EFFECTIVE DATED NODE: Effective-dated node for the NODE element, if any.

PeopleSoft supports effective-dated events. The value refers to the name of the node that provides information about the date on which the event becomes effective.

The USER_PROFILE message does not support effective-dated information. Therefore, the value of this parameter in the preceding syntax is None.

PRIMARY or CHILD=Multivalued Child Table RO Field: Specifies whether the node is a mandatory field or a multivalued attribute on Oracle Identity Manager.

For multivalued attribute data, CHILD specifies that this is child data, followed by the name of the table defined in the resource object to which the data corresponds.

1.8.2.2.3 Mapping Entries in the Lookup.PSFT.UM.UserProfile.ReconAttrMap Lookup Definition

The following scenario illustrates how to map the entries in the lookup definition.

You want to retrieve the value for the Email Type Code Key that is defined as a multivalued attribute in Oracle Identity Manager. In PeopleSoft, the PSUSEREMAIL rowset lists the e-mail IDs assigned to a user. The NODE will be EMAILTYPE as depicted in the XML file. See the sample XML file in Figure 1-3 for more information about each node in the USER_PROFILE message.

Figure 1-3 Sample XML File for USER_PROFILE Message


The parent node for the EMAILTYPE node will be PSUSEREMAIL. Now suppose that you want to retrieve the e-mail IDs that are not defined as Primary. In this case, you must identify the TYPE NODE value for the parent node that has the value N. In this example, the type node is PRIMARY_EMAIL with the value N.

The effective-dated node will be None, because the USER_PROFILE message does not provide this information.

The Multivalued Child Table RO Field in this scenario is Email IDs. It is the name of the table defined in the Resource Object for the Email ID child attribute.

If you do not want to provide any element in the Decode column, then you must specify None. This is implemented for the User ID attribute.

Now, you can concatenate the various elements of the syntax by using a tilde (~) to create the Decode entry for Email Type, as follows:

NODE: EMAILTYPE

PARENT NODE: PSUSEREMAIL

TYPE NODE=Value: PRIMARY_EMAIL=N

EFFECTIVE DATED NODE: None

CHILD=Multivalued Child Table RO Field: CHILD=Email IDs

So, the Decode column for Email Type is as follows:

EMAILTYPE~PSUSEREMAIL~PRIMARY_EMAIL=N~None~CHILD=Email IDs

1.8.2.2.4 Lookup.PSFT.UM.UserProfile.Recon

The Lookup.PSFT.UM.UserProfile.Recon lookup definition maps the resource object field name with the value fetched from the Lookup.PSFT.UM.UserProfile.ReconAttrMap lookup.

The Lookup.PSFT.UM.UserProfile.Recon lookup definition has the following entries:

| Code Key | Decode |
| --- | --- |
| Currency Code | Currency Code~None~LKF |
| Customer ID | Customer ID |
| Customer Set ID | Customer Set ID |
| Email Address | Email ID~None~None~Child |
| Email Type | Email Type~None~LKF~Child |
| Employee ID | Employee ID |
| ITResource Name | IT Resource Name |
| Language Code | Language Code~None~LKF |
| MultiLanguage code | Multi Language Code |
| Navigator Home Page | Navigator Home Permission List~None~LKF |
| Primary Email Address | Primary Email ID |
| Primary Email Type | Primary Email Type~None~LKF |
| Primary Permission | Primary Permission List~None~LKF |
| Process Profile | Process Profile Permission List~None~LKF |
| Role Name | Role~None~LKF~Child |
| Row Security | Row Security Permission List~None~LKF |
| Symbolic ID | Symbolic ID |
| User Description | User Description |
| User ID | User ID |
| User ID Alias | User ID Alias |
| User Status | User Status~User Status Lookup |
| Vendor ID | Vendor ID |
| Vendor Set ID | Vendor Set ID |

Code Key: Name of the resource object field in Oracle Identity Manager

Decode: Combination of the following elements separated by a tilde (~) character:

ATTRIBUTE~LOOKUP DEF~LKF

In this format:

ATTRIBUTE: Refers to the Code Key of the Lookup.PSFT.UM.UserProfile.ReconAttrMap lookup definition

LOOKUP DEF: Name of the lookup definition, if the value of the attribute is retrieved from a lookup. This lookup is specified in the message-specific configuration lookup.

LKF: Specifies that the attribute is a lookup field on the process form.

1.8.2.2.5 Mapping the Entries in the Lookup.PSFT.UM.UserProfile.Recon Lookup Definition

Consider the scenario discussed in Mapping Entries in the Lookup.PSFT.UM.UserProfile.ReconAttrMap Lookup Definition. In that example, you fetched the Email Type in the Code Key column from the EMAILTYPE node of the XML file.

Now, you must map this Email Type defined in the Lookup.PSFT.UM.UserProfile.ReconAttrMap lookup definition with the resource object attribute Email Type defined in the Lookup.PSFT.UM.UserProfile.Recon lookup definition Code Key.

For example, if the name of the Code Key column in the Lookup.PSFT.UM.UserProfile.ReconAttrMap lookup definition is E_Type then you define the mapping in the Lookup.PSFT.UM.UserProfile.Recon lookup definition as follows:

Code Key: Email Type

Decode: E_Type~None~LKF

In other words, this implies that the value for Email Type in the Lookup.PSFT.UM.UserProfile.Recon lookup definition is fetched from E_Type defined in the attribute mapping lookup definition.

The same process holds true for other attributes defined in the lookup.

However, to fetch the value of the User Status resource object field, you must consider the User Status lookup definition. User Status is defined in the message-specific attribute lookup, Lookup.PSFT.UM.UserProfile.ReconAttrMap, which has a value 0 that is fetched from the ACCTLOCK node in the XML.

Now, the User Status Lookup lookup definition is defined in the message-specific configuration, Lookup.PSFT.Message.UserProfile.Configuration lookup definition. The mapping is as follows:

Code Key: User Status Lookup

Decode: Lookup.PSFT.UM.UserProfile.UserStatus

In other words, you must search for the value 0 in the Lookup.PSFT.UM.UserProfile.UserStatus lookup definition. The mapping in Lookup.PSFT.UM.UserProfile.UserStatus lookup definition is defined as follows:

Code Key: 0

Decode: Enabled

The resource is updated with the user status as Enabled.
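The two mapping scenarios above can be checked end to end before a customized lookup goes live. The following is an added example, not connector code or part of the original guide: it validates Decode values in the NODE~PARENT NODE~TYPE NODE=Value~EFFECTIVE DATED NODE~PRIMARY or CHILD format, reads them from a constructed USER_PROFILE payload, and resolves User Status through the User Status Lookup entry. The XML nesting, the sample values, and all function names are assumptions, because Figure 1-3 is not reproduced here.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed payload; the element nesting is an assumption, not the real layout.
SAMPLE_XML = """<USER_PROFILE><MsgData><Transaction>
  <PSOPRDEFN>
    <OPRID>JDOE</OPRID>
    <ACCTLOCK>0</ACCTLOCK>
    <PSUSEREMAIL><EMAILTYPE>BUS</EMAILTYPE><EMAILID>jdoe@example.com</EMAILID>
      <PRIMARY_EMAIL>Y</PRIMARY_EMAIL></PSUSEREMAIL>
    <PSUSEREMAIL><EMAILTYPE>HOME</EMAILTYPE><EMAILID>jdoe@example.net</EMAILID>
      <PRIMARY_EMAIL>N</PRIMARY_EMAIL></PSUSEREMAIL>
  </PSOPRDEFN>
</Transaction></MsgData></USER_PROFILE>"""

# Entries copied from the lookup tables on this page; Email Type uses the
# Decode built in the mapping scenario (non-primary addresses only).
RECON_ATTR_MAP = {
    "User ID": "OPRID~PSOPRDEFN~None~None~PRIMARY",
    "User Status": "ACCTLOCK~PSOPRDEFN",
    "Email Type": "EMAILTYPE~PSUSEREMAIL~PRIMARY_EMAIL=N~None~CHILD=Email IDs",
}
RECON = {
    "User ID": "User ID",
    "User Status": "User Status~User Status Lookup",
    "Email Type": "Email Type~None~LKF~Child",
}
CONFIG = {"User Status Lookup": "Lookup.PSFT.UM.UserProfile.UserStatus"}
LOOKUPS = {"Lookup.PSFT.UM.UserProfile.UserStatus": {"0": "Enabled", "1": "Disabled"}}


@dataclass(frozen=True)
class AttrMap:
    node: str
    parent: str
    type_node: Optional[str]
    type_value: Optional[str]
    effective_dated: Optional[str]
    kind: str                      # "SINGLE", "PRIMARY" or "CHILD"
    child_table: Optional[str]


def parse_attr_map(decode: str) -> AttrMap:
    """Validate one ReconAttrMap Decode value and split it into its elements."""
    parts = [p.strip() for p in decode.split("~")]
    if not 2 <= len(parts) <= 5:
        raise ValueError(f"expected 2 to 5 elements, got {len(parts)}: {decode!r}")
    parts += ["None"] * (5 - len(parts))       # omitted trailing elements mean None
    node, parent, type_spec, effective, tail = parts
    if node in ("", "None") or parent in ("", "None"):
        raise ValueError(f"NODE and PARENT NODE are mandatory: {decode!r}")
    type_node = type_value = None
    if type_spec != "None":
        type_node, sep, type_value = type_spec.partition("=")
        if not (sep and type_node and type_value):
            raise ValueError(f"TYPE NODE must be NAME=Value: {decode!r}")
    kind, child_table = "SINGLE", None
    if tail == "PRIMARY":
        kind = "PRIMARY"
    elif tail.upper().startswith("CHILD=") and tail[6:]:
        kind, child_table = "CHILD", tail[6:]
    elif tail != "None":
        raise ValueError(f"last element must be PRIMARY or CHILD=<table>: {decode!r}")
    return AttrMap(node, parent, type_node, type_value,
                   None if effective == "None" else effective, kind, child_table)


def extract(root: ET.Element, m: AttrMap) -> list:
    """Return NODE values under every PARENT NODE that passes the TYPE NODE filter."""
    values = []
    for parent in root.iter(m.parent):
        if m.type_node and parent.findtext(m.type_node) != m.type_value:
            continue
        value = parent.findtext(m.node)
        if value is not None:
            values.append(value.strip())
    if m.kind == "PRIMARY" and not values:     # PRIMARY marks a mandatory field
        raise ValueError(f"mandatory node {m.node} missing under {m.parent}")
    return values


def reconcile(xml_text: str) -> dict:
    """Resolve every Recon entry to the values found in the message."""
    if "<!DOCTYPE" in xml_text:                # refuse DTDs (entity-expansion payloads)
        raise ValueError("DOCTYPE not allowed in message payload")
    root = ET.fromstring(xml_text)
    result = {}
    for ro_field, decode in RECON.items():
        parts = decode.split("~")
        lookup_key = parts[1] if len(parts) > 1 and parts[1] != "None" else None
        values = extract(root, parse_attr_map(RECON_ATTR_MAP[parts[0]]))
        if lookup_key:                         # for example, User Status Lookup
            table = LOOKUPS[CONFIG[lookup_key]]
            unmapped = [v for v in values if v not in table]
            if unmapped:                       # never pass an unknown status through
                raise ValueError(f"{ro_field}: no Decode for value(s) {unmapped}")
            values = [table[v] for v in values]
        result[ro_field] = values
    return result
```

An ACCTLOCK value with no entry in the status lookup raises an error here rather than producing an account whose state is undefined.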

1.8.2.2.6 Lookup.PSFT.UM.UserProfile.UserStatus

The Lookup.PSFT.UM.UserProfile.UserStatus lookup definition maps the value of the ACCTLOCK node in the USER_PROFILE message XML with the status to be shown in Oracle Identity Manager for the user.

The Lookup.PSFT.UM.UserProfile.UserStatus lookup definition has the following entries:

| Code Key | Decode |
| --- | --- |
| 0 | Enabled |
| 1 | Disabled |

Setting Up the Lookup.PSFT.UM.UserProfile.UserStatus Lookup Definition describes the procedure to modify the Decode values in this lookup definition.

1.8.2.2.7 Lookup.PSFT.UM.UserProfile.ChildTables

The Lookup.PSFT.UM.UserProfile.ChildTables lookup definition maps the resource object fields with the multivalued target system attributes.

Code Key: Multivalued Child Table resource object field

Decode: Child Table attributes defined in the resource object separated by the tilde (~) character

The following screenshot displays the link between the table and the resource object attribute:

[Screenshot: link between the table and the resource object attribute]

The Lookup.PSFT.UM.UserProfile.ChildTables lookup definition has the following entries:

| Code Key | Decode |
| --- | --- |
| Email IDs | Email Address~Email Type~Primary Email |
| Roles | Role Name |

1.8.2.2.8 Lookup.PSFT.UM.UserProfile.Transformation

The Lookup.PSFT.UM.UserProfile.Transformation lookup definition is used to store the mapping between the attribute for which transformation has to be applied and the transformation implementation class.

The Lookup.PSFT.UM.UserProfile.Transformation lookup definition is empty, by default.

See Configuring Transformation of Data During Reconciliation for more information about adding entries in this lookup definition.

1.8.2.3 Lookup Definitions Used to Process DELETE_USER_PROFILE Messages

1.8.2.3.1 Lookup.PSFT.Message.DeleteUserProfile.Configuration

The Lookup.PSFT.Message.DeleteUserProfile.Configuration lookup definition provides configuration-related information for the DELETE_PROFILE message.

The Lookup.PSFT.Message.DeleteUserProfile.Configuration lookup definition has the following entries:

| Code Key | Decode | Description |
| --- | --- | --- |
| Attribute Mapping Lookup | Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping | Name of the lookup definition that maps Oracle Identity Manager attributes with attributes in the DELETE_PROFILE message. See Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping for more information about this lookup definition. |
| Data Node Name | Transaction | Name of the node in the XML files to run a transaction. Default value: Transaction. You must not change the default value. |
| IT Resource Name | PSFT User | Name of the IT resource |
| Message Handler Class | oracle.iam.connectors.psft.common.handler.impl.PSFTDeleteUserReconMessageHandlerImpl | Name of the Java class that accepts the XML payload, configuration information, and a handle to Oracle Identity Manager. Depending on the message type, it retrieves the appropriate configuration from Oracle Identity Manager and processes the message. To parse a specific message type, it relies on a Message Parser factory. If you want a customized implementation of the message, then you must extend the MessageHandler.java class. |
| Message Parser | oracle.iam.connectors.psft.common.parser.impl.DeleteUserMessageParser | Name of the parser implementation class that contains the logic for message parsing. If you want a customized implementation of the message, then you must extend the MessageParser.java class. |
| Recon Lookup Definition | Lookup.PSFT.UM.DeleteUserProfile.Recon | Name of the lookup definition that maps the Oracle Identity Manager attributes with the Resource Object attributes. See Lookup.PSFT.UM.DeleteUserProfile.Recon for more information about this lookup definition. |
| Resource Object | Peoplesoft User | Name of the resource object |

1.8.2.3.2 Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping

The Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping lookup definition maps OIM User attributes with the attributes defined in the DELETE_PROFILE message XML.

The following is the format of the values stored in this lookup definition:

| Code Key | Decode |
| --- | --- |
| User ID | OPRID~PRG_USR_PROFILE~None~None~PRIMARY |

Note: If you are using PeopleTools 8.52, replace the preceding default Decode value with the following value:

EMPLID~PER_ORG_ASGN~None~None~PRIMARY

Code Key: Name of the OIM User field

Decode: Combination of the following elements separated by a tilde (~) character:

NODE~PARENT NODE~TYPE NODE=Value~EFFECTIVE DATED NODE~PRIMARY

For more information about the preceding syntax, see Lookup.PSFT.UM.UserProfile.ReconAttrMap.

1.8.2.3.3 Lookup.PSFT.UM.DeleteUserProfile.Recon

The Lookup.PSFT.UM.DeleteUserProfile.Recon lookup definition maps the resource object field name with the value fetched from the Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping lookup definition.

The following is the format of the values stored in this table:

| Code Key | Decode |
| --- | --- |
| User ID | User ID |
| ITResource Name | IT Resource Name |

1.8.2.4 Other Lookup Definitions

1.8.2.4.1 Lookup.PSFT.UM.Prov.Configuration

The Lookup.PSFT.UM.Prov.Configuration lookup definition maps the provisioning configurations with the lookups.

The Lookup.PSFT.UM.Prov.Configuration lookup definition has the following entries:

| Code Key | Decode |
| --- | --- |
| Provisioning Attribute Map | Lookup.PSFT.UM.ProvAttrMap |
| Provisioning Exclusion List | Lookup.PSFT.UM.Prov.ExclusionList |
| Provisioning Validation Lookup | Lookup.PSFT.UM.ProvValidation |

You can enable exclusions and validations during provisioning by adding the entries as shown in this lookup. To disable exclusions or validations, remove the corresponding entries in this lookup.

1.8.2.4.2 Lookup.PSFT.UM.ProvAttrMap

The Lookup.PSFT.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. These lookup definitions are used during provisioning.

The Lookup.PSFT.UM.ProvAttrMap lookup definition has the following entries:

| Code Key | Decode |
| --- | --- |
| Currency Code[Lookup] | CurrencyCode |
| Customer ID | IDTypes~UM_IDTypes[IDType=CST]~Attributes~UM_Attributes[AttributeName=Customer ID]~AttributeValue |
| Customer Set ID | IDTypes~UM_IDTypes[IDType=CST]~Attributes~UM_Attributes[AttributeName=Set ID]~AttributeValue (Note: For PeopleTools 8.48, the AttributeName is SetID, without space.) |
| Employee ID | IDTypes~UM_IDTypes[IDType=EMP]~Attributes~UM_Attributes[AttributeName=Empl ID]~AttributeValue (Note: For PeopleTools 8.48, the AttributeName is EmplID, without space.) |
| Language Code[Lookup] | LanguageCode |
| Multi Language Code | MultiLanguageEnabled |
| Navigator Home Permission List[Lookup] | NavigatorHomePermissionList |
| Password | __PASSWORD__ |
| Primary Permission List[Lookup] | PrimaryPermissionList |
| Process Profile Permission List[Lookup] | ProcessProfilePermissionList |
| Return ID | __UID__ |
| Row Security Permission List[Lookup] | RowSecurityPermissionList |
| Symbolic ID | SymbolicID |
| UD_PS_EMAIL~Email Address | EmailAddresses~UM_EmailAddresses~EmailAddress |
| UD_PS_EMAIL~Email Type[Lookup] | EmailAddresses~UM_EmailAddresses~EmailType |
| UD_PS_EMAIL~Primary Email | EmailAddresses~UM_EmailAddresses~PrimaryEmail |
| UD_PSROLES~Role Name[Lookup] | Roles~UM_Roles~RoleName |
| User Description | UserDescription |
| User ID | __NAME__ |
| User ID Alias | UserIDAlias |
| Vendor ID | IDTypes~UM_IDTypes[IDType=VND]~Attributes~UM_Attributes[AttributeName=Vendor ID]~AttributeValue |
| Vendor Set ID | IDTypes~UM_IDTypes[IDType=VND]~Attributes~UM_Attributes[AttributeName=Set ID]~AttributeValue (Note: For PeopleTools 8.48, the AttributeName is SetID, without space.) |

1.8.2.4.3 Mappings in the Lookup.PSFT.UM.ProvAttrMap Lookup Definition

The mappings in this lookup definition follow the Identity Connector Framework (ICF) conventions. The following is the format of the Code Key and Decode values in this lookup definition:

  • SUFFIX[Lookup] means that the value of the attribute is retrieved from a lookup. For example, the value of the CurrencyCode attribute is retrieved from the Currency Code[Lookup] Code Key.

  • For the Employee ID Code Key, Decode is the combination of the following elements separated by a tilde (~) character:

    IDTypes~UM_IDTypes[IDType=EMP]~Attributes~UM_Attributes[AttributeName=Empl ID]~AttributeValue

    In this format:

    • IDTypes: Refers to the ICF Parent Attribute Name

    • UM_IDTypes: Refers to the embedded ICF object class that contains IDType and Attributes. The default value of IDType is EMP.

    • Attributes: Refers to the ICF embedded object class that contains AttributeName and AttributeValue. The default value of AttributeName is Empl ID. The value of AttributeValue is retrieved from the form field.

    The following ICF hierarchy is created for the lookup:

    IDTypes [Objectclass UM_IDTypes]
            IDType : EMP
            Attributes [Objectclass UM_Attributes]
                    AttributeName : Empl ID
                    AttributeValue : <Form field mapping>
    

    This hierarchy is similar to the definition in PeoplesoftComponentInterfaces.xml, which is the default component interface map definition file.

    The same format holds true for the Customer ID, Customer Set ID, Vendor ID, and Vendor Set ID Code Keys.

  • For the child form mappings, Code Key is the combination of the child form name and the child form attribute separated by a tilde (~) character.

    Decode is the combination of the following elements separated by a tilde (~) character:

    ICF Parent Attribute Name~ICF Embedded Object Class Name~Embedded Object Class Attribute

    The following ICF hierarchy is created for the email lookups:

    EmailAddresses (Objectclass UM_EmailAddresses)
            EmailAddress
            EmailType
            PrimaryEmail
    

    The same format holds true for the roles lookups.

  • The following Code Keys are used for special configurations:

    • User ID: Refers to the key identifier for operations

    • Return ID: Refers to the UID returned after a create operation. This UID is used for further provisioning operations such as update and delete. This connector returns the User ID.

    • Password: Refers to the password field.
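The Decode paths described above can be expanded mechanically, which is a convenient way to review a customized map before it drives account creation. The following is an added example, not connector or ICF code: it builds the nested hierarchy from Lookup.PSFT.UM.ProvAttrMap entries using plain dictionaries. The form values, the objectClass key, and all function names are assumptions.

```python
import re

# NAME or NAME[Key=Value], as used for the embedded object class elements
SEGMENT = re.compile(r"^([^\[\]]+)(?:\[([^=\]]+)=([^\]]*)\])?$")

# Entries copied from the Lookup.PSFT.UM.ProvAttrMap table on this page
PROV_ATTR_MAP = {
    "User ID": "__NAME__",
    "Password": "__PASSWORD__",
    "Currency Code[Lookup]": "CurrencyCode",
    "Customer ID": "IDTypes~UM_IDTypes[IDType=CST]~Attributes~UM_Attributes[AttributeName=Customer ID]~AttributeValue",
    "Customer Set ID": "IDTypes~UM_IDTypes[IDType=CST]~Attributes~UM_Attributes[AttributeName=Set ID]~AttributeValue",
    "Employee ID": "IDTypes~UM_IDTypes[IDType=EMP]~Attributes~UM_Attributes[AttributeName=Empl ID]~AttributeValue",
    "UD_PS_EMAIL~Email Address": "EmailAddresses~UM_EmailAddresses~EmailAddress",
    "UD_PS_EMAIL~Email Type[Lookup]": "EmailAddresses~UM_EmailAddresses~EmailType",
    "UD_PS_EMAIL~Primary Email": "EmailAddresses~UM_EmailAddresses~PrimaryEmail",
}

# Constructed form data for the example
SAMPLE_FORM = {"User ID": "JDOE", "Password": "constructed-secret", "Currency Code": "USD",
               "Customer ID": "C100", "Customer Set ID": "SHARE", "Employee ID": "E1001"}
SAMPLE_CHILD_ROWS = {"UD_PS_EMAIL": [
    {"Email Address": "jdoe@example.com", "Email Type": "BUS", "Primary Email": "Y"},
    {"Email Address": "jdoe@example.net", "Email Type": "HOME", "Primary Email": "N"},
]}


def parse_decode(decode):
    """Split a Decode into [(parent attr, object class, fixed key, fixed value)] and a leaf."""
    parts = decode.split("~")
    if len(parts) % 2 == 0:
        raise ValueError(f"expected an odd number of elements: {decode!r}")
    levels = []
    for i in range(0, len(parts) - 1, 2):
        m = SEGMENT.match(parts[i + 1])
        if not m:
            raise ValueError(f"bad object class element {parts[i + 1]!r}")
        levels.append((parts[i], m.group(1), m.group(2), m.group(3)))
    return levels, parts[-1]


def place(tree, decode, value):
    """Insert value where the Decode points, reusing an embedded object that already matches."""
    levels, leaf = parse_decode(decode)
    node = tree
    for parent_attr, object_class, key, fixed in levels:
        siblings = node.setdefault(parent_attr, [])
        found = next((o for o in siblings if o["objectClass"] == object_class
                      and (key is None or o.get(key) == fixed)), None)
        if found is None:
            found = {"objectClass": object_class}
            if key is not None:
                found[key] = fixed
            siblings.append(found)
        node = found
    if leaf in node:                       # two Code Keys writing the same slot
        raise ValueError(f"{leaf} set twice via {decode!r}")
    node[leaf] = value


def field_name(code_key):
    """Form field name without the [Lookup] suffix."""
    return re.sub(r"\[Lookup\]$", "", code_key)


def build(form, child_rows):
    """Expand parent form fields and child form rows into one nested attribute tree."""
    tree = {}
    for code_key, decode in PROV_ATTR_MAP.items():
        name = field_name(code_key)
        if "~" not in name and name in form:
            place(tree, decode, form[name])
    for table, rows in child_rows.items():
        columns = {field_name(k).split("~", 1)[1]: d
                   for k, d in PROV_ATTR_MAP.items() if k.startswith(table + "~")}
        for row in rows:                   # one embedded object per child form row
            row_tree = {}
            for column, value in row.items():
                place(row_tree, columns[column], value)
            for attr, objects in row_tree.items():
                tree.setdefault(attr, []).extend(objects)
    return tree


def redacted(tree):
    """Copy of the top level that is safe to log: the password value is masked."""
    return {k: ("***" if k == "__PASSWORD__" else v) for k, v in tree.items()}
```

Customer ID and Customer Set ID land in the same UM_IDTypes object because both Decode values fix IDType=CST, while each e-mail row becomes its own UM_EmailAddresses object.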

1.8.2.4.4 Lookup.PSFT.UM.ProvValidation

The Lookup.PSFT.UM.ProvValidation lookup definition is used to store the mapping between the attribute for which validation during provisioning has to be applied and the validation implementation class.

The Lookup.PSFT.UM.ProvValidation lookup definition is empty, by default.

See Configuring Validation of Data During Provisioning for more information about adding entries in this lookup definition.

1.8.2.4.5 Lookup.PSFT.UM.ReconValidation

The Lookup.PSFT.UM.ReconValidation lookup definition is used to store the mapping between the attribute for which validation during reconciliation has to be applied and the validation implementation class.

The Lookup.PSFT.UM.ReconValidation lookup definition is empty, by default.

See Configuring Validation of Data During Reconciliation for more information about adding entries in this lookup definition.

1.8.2.4.6 Lookup Definitions for Exclusion Lists

The Lookup.PSFT.UM.Prov.ExclusionList and Lookup.PSFT.UM.Recon.ExclusionList lookup definitions hold user IDs of target system accounts for which you do not want to perform provisioning and reconciliation operations, respectively.

The following is the format of the values stored in these lookups:

Code Key Decode Sample Values

User ID resource object field name

User ID of a user

Code Key: User ID

Decode: User001

User ID resource object field name with the [PATTERN] suffix

A regular expression supported by the representation in the java.util.regex.Pattern class

Code Key: User ID[PATTERN]

To exclude users matching any of the user IDs User001, User002, User088, then:

Decode: User001|User002|User088

To exclude users whose user IDs start with 00012, then:

Decode: 00012*

See Also: For information about the supported patterns, visit http://download.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html

Setting Up the Lookup Definitions for Exclusion Lists describes the procedure to add entries in these lookup definitions.
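A [PATTERN] entry decides which accounts provisioning and reconciliation never touch, so it is worth checking what an expression covers before adding it. The following is an added example, not connector code: it evaluates exclusion entries against constructed user IDs under both whole-string and substring matching, because this page does not state which of the two the connector applies. Python's re module stands in for java.util.regex.Pattern (an assumption that holds for the simple constructs used here), and the 00012.* entry is a constructed comparison.

```python
import re

PATTERN_SUFFIX = "[PATTERN]"

# Constructed user IDs for the check
SAMPLE_IDS = ["00012", "0001", "000122", "00012345", "X0001",
              "User001", "User0010", "svc_batch"]


def matches(decode, user_id, is_pattern, whole):
    """True if one exclusion entry covers user_id."""
    if not is_pattern:
        return user_id == decode                 # literal entries compare exactly
    rx = re.compile(decode)                      # raises re.error on a malformed Decode
    return bool(rx.fullmatch(user_id) if whole else rx.search(user_id))


def coverage(entries, user_ids):
    """Map each user ID to (excluded under whole-string, excluded under substring)."""
    report = {}
    for uid in user_ids:
        flags = []
        for whole in (True, False):
            flags.append(any(
                matches(decode, uid, key.endswith(PATTERN_SUFFIX), whole)
                for key, decode in entries))
        report[uid] = tuple(flags)
    return report


def ambiguous(entries, user_ids):
    """User IDs whose exclusion depends on which matching mode is in effect."""
    return sorted(uid for uid, (whole, part) in coverage(entries, user_ids).items()
                  if whole != part)


if __name__ == "__main__":
    for label, entries in [
        ("page sample, prefix", [("User ID[PATTERN]", "00012*")]),
        ("constructed comparison", [("User ID[PATTERN]", "00012.*")]),
        ("page sample, alternation", [("User ID[PATTERN]", "User001|User002|User088")]),
        ("page sample, literal", [("User ID", "User001")]),
    ]:
        print(label)
        for uid, (whole, part) in coverage(entries, SAMPLE_IDS).items():
            print(f"  {uid:10} whole-string={whole!s:5} substring={part}")
        print("  depends on matching mode:", ambiguous(entries, SAMPLE_IDS))
```

Run the same check against an export of real user IDs and confirm that every service or administrative account you intend to protect is reported as excluded under both modes.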

1.9 Connector Objects Used During Reconciliation

Target resource reconciliation involves fetching the data of newly created or modified users on the target system and using this data to add or modify resources assigned to OIM Users.

See Also:

Managing Reconciliation in Oracle Fusion Middleware Administering Oracle Identity Manager for conceptual information about target resource reconciliation

This section discusses the following topics:

1.9.1 User Attributes for Reconciliation

Table 1-3 lists the target system attributes whose values are fetched during a target resource reconciliation run.

Table 1-3 Attributes Used for Reconciliation

| Resource Object Field | Target System Attribute | Description |
| --- | --- | --- |
| Single-Valued Fields | | |
| User Id | PSOPRDEFN.OPRID | Login ID of the user profile. This is a mandatory field. |
| Employee Id | PSOPRDEFN.EMPLID | Employee ID of the employee linked with the user profile |
| User Description | PSOPRDEFN.OPRDEFNDESC | Description of the user profile |
| Multi Language Code | PSOPRDEFN.MULTILANG | Multilanguage code |
| Language Code | PSOPRDEFN.LANGUAGE_CD | Language code |
| Currency Code | PSOPRDEFN.CURRENCY_CD | Currency code |
| User Id Alias | PSOPRDEFN.USERIDALIAS | Alias of user login ID |
| Row Security Permission List | PSOPRDEFN.ROWSECCLASS | Row security parameter |
| Process Profile Permission List | PSOPRDEFN.PRCSPRFLCLS | Process profile parameter |
| Navigator Home Permission List | PSOPRDEFN.DEFAULTNAVHP | Navigator home page address |
| Primary Permission List | PSOPRDEFN.OPRCLASS | Primary permission list |
| Multivalued Fields | | |
| RoleName | PSROLEUSER_VW.ROLENAME | The role name that is assigned to the user profile |
| Email Address | PSUSEREMAIL.EMAILID | E-mail address |
| Email Type | PSUSEREMAIL.EMAILTYPE | E-mail type |
| Primary Email | PSUSEREMAIL.PRIMARYEMAIL | Specifies if the e-mail address is primary |
| User Profile Type | PSOPRALIAS.OPRALIASTYPE | A user profile can be attached to several user profile types, such as Employee (EMP), Customer (CST), and Vendor (VND) |

Note: To specify the e-mail address for an account, you must also specify the e-mail type of that e-mail address. You must have only one primary e-mail address if you provide e-mail addresses.

Note: PeopleSoft stores values corresponding to a user profile type, such as Employee ID, Customer ID, and Vendor ID in the PSOPRALIAS.OPRALIASVALUE target system field.

1.9.2 Reconciliation Rules

The following sections provide information about the reconciliation rules for this connector:

1.9.2.1 Overview of the Reconciliation Rule

The following reconciliation rule is used for target resource reconciliation:

Rule Name: PSFT UM Target Recon Rule

Rule Element: User Login Equals User ID

In this rule:

  • User Login represents the User ID field on the OIM User form.

  • User ID represents the OPRID field of the user on the target system.

1.9.2.2 Viewing the Reconciliation Rules in the Design Console

After you deploy the connector, you can view the reconciliation rule by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Development Tools.
  3. Double-click Reconciliation Rules.
  4. Search for and open PSFT UM Target Recon Rule. Figure 1-4 shows this reconciliation rule.

Figure 1-4 Reconciliation Rule


1.9.3 Reconciliation Action Rules

Application of the matching rule on reconciliation events would result in one of multiple possible outcomes. The action rules for reconciliation define the actions to be taken for these outcomes.

Note:

For any rule condition that is not predefined for this connector, no action is performed and no error message is logged.

The following sections provide information about the reconciliation action rules for this connector:

1.9.3.1 Overview of the Reconciliation Action Rules

Table 1-4 lists the reconciliation action rules for this connector.

Table 1-4 Action Rules for Target Resource Reconciliation

| Rule Condition | Action |
| --- | --- |
| No Matches Found | Assign to Administrator With Least Load |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |

1.9.3.2 Viewing the Reconciliation Action Rules in the Design Console

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Resource Management.
  3. Double-click Resource Objects.
  4. Search for and open the Peoplesoft User resource object.
  5. Click the Object Reconciliation tab and then the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.

    Figure 1-5 shows these reconciliation action rules.

    Figure 1-5 Reconciliation Action Rules


1.10 Connector Objects Used During Provisioning

Provisioning involves creating, modifying, or deleting a user's account information on the target system through Oracle Identity Manager.

See Also:

Managing Provisioning Tasks in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for conceptual information about provisioning

This section discusses the following topics:

1.10.1 User Provisioning Functions

Table 1-5 lists the supported user provisioning functions and the adapters that perform these functions. The functions listed in the table correspond to either a single process task or multiple process tasks.

See Also:

Developing Provisioning Processes and Using the Adapter Factory in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for generic information about process tasks and adapters

Table 1-5 User Provisioning Functions Supported by the Connector

| Function | Adapter |
| --- | --- |
| Create a user | PSFT UM Create User |
| Update the password of a user | PSFT UM Update Password |
| Update the description of a user | PSFT UM Update User |
| Update the multilanguage code of a user | PSFT UM Update User |
| Update the language code of a user | PSFT UM Update User |
| Update the currency code of a user | PSFT UM Update User |
| Update the Primary Permission list of a user | PSFT UM Update User |
| Update the Employee Id | PSFT UM Update ID Types |
| Update the Vendor Set Id | PSFT UM Update ID Types |
| Update the Vendor Id | PSFT UM Update ID Types |
| Update the Customer Set Id | PSFT UM Update ID Types |
| Update the Customer Id | PSFT UM Update ID Types |
| Update the Process Profile Permission list of a user | PSFT UM Update User |
| Update the Navigator Home Permission list of a user | PSFT UM Update User |
| Update the Row Security Permission list of a user | PSFT UM Update User |
| Update the User Id alias of a user | PSFT UM Update User |
| Add a role to a user | PSFT UM Modify Multiple Attr Data |
| Revoke a role from a user | PSFT UM Modify Multiple Attr Data |
| Update Role | PSFT UM Modify Multiple Attr Data |
| Add an e-mail address | PSFT UM Modify Multiple Attr Data |
| Revoke an e-mail address | PSFT UM Modify Multiple Attr Data |
| Update an e-mail address | PSFT UM Modify Multiple Attr Data |
| Lock or disable a user | PSFT UM Modify Lock Unlock User |
| Unlock or enable a user | PSFT UM Modify Lock Unlock User |
| Delete a user | PSFT UM Delete User |

1.10.2 User Attributes for Provisioning

Table 1-6 lists the user attributes for which you can specify or modify values during provisioning operations.

Table 1-6 User Attributes for Provisioning

| OIM PeopleSoft UM Resources Process Form Field | Target System Attribute | Description | Adapter |
| --- | --- | --- | --- |
| Single-Valued Fields | | | |
| User ID | PSOPRDEFN.OPRID | Login Id of the user profile | PSFT UM Create User |
| User Description | PSOPRDEFN.OPRDEFNDESC | Description of the user profile | PSFT UM Create User |
| Employee ID | PSOPRDEFN.EMPLID | Employee Id of the employee to which the user profile is assigned | PSFT UM Create User |
| Multi Language Code | PSOPRDEFN.MULTILANG | Multilanguage code | PSFT UM Create User |
| Language Code | PSOPRDEFN.LANGUAGE_CD | Language code | PSFT UM Create User |
| Currency Code | PSOPRDEFN.CURRENCY_CD | Currency code | PSFT UM Create User |
| User Id Alias | PSOPRDEFN.USERIDALIAS | Alias of user login Id | PSFT UM Create User |
| Row Security Permission List | PSOPRDEFN.ROWSECCLASS | Row security parameter | PSFT UM Create User |
| Process Profile Permission List | PSOPRDEFN.PRCSPRFLCLS | Process profile parameter | PSFT UM Create User |
| Navigator Permission List | PSOPRDEFN.DEFAULTNAVHP | Navigator home page address | PSFT UM Create User |
| Primary Permission List | PSOPRDEFN.OPRCLASS | Primary permission list | PSFT UM Create User |
| Customer ID | CUST_AL_SRCH.CUST_ID (CRM Table) | Customer ID. Note: A user profile can be attached to several ID types, such as None (NON), Employee (EMP), Customer (CST), and Vendor (VND). | PSFT UM Create User |
| Customer Set ID | SETID_TBL.SETID (CRM Table) | Customer's SetID | PSFT UM Create User |
| Vendor ID | VENDOR.VENDOR_ID (FSCM Table) | Vendor ID | PSFT UM Create User |
| Vendor Set ID | SETID_TBL.SETID (FSCM Table) | Vendor's Set ID | PSFT UM Create User |
| Multivalued Fields | | | |
| Role Name | PSROLEUSER_VW.ROLENAME | The role name that is assigned to the user profile | PSFT UM Update Child Table Values |
| Email Address | PSUSEREMAIL.EMAILID | E-mail address (e-mail account) | PSFT UM Update Child Table Values |
| Email Type | PSUSEREMAIL.EMAILTYPE | Email type (e-mail account) | PSFT UM Update Child Table Values |
| Primary Email | PSUSEREMAIL.PRIMARY_EMAIL | Specifies if the e-mail address is primary | PSFT UM Update Child Table Values |

Note:

The name of the process form in the first column of the preceding table is UD_PSFT_BAS.

1.11 Roadmap for Deploying and Using the Connector

The following shows how information is organized in the rest of the guide: