This chapter discusses the following optional procedures:
Note:
From Oracle Identity Manager Release 11.1.2 onward, lookup queries are not supported. See Managing Lookups in Oracle Fusion Middleware Administering Oracle Identity Manager for information about managing lookups by using the Form Designer in the Oracle Identity Manager System Administration console.
You can configure a new attribute for provisioning, in addition to those provided by default.
Note:
If you do not want to add new attributes for provisioning, then you can ignore this section.
To add a new attribute for provisioning, perform the procedures described in the following sections. In these sections, the Worklist User attribute in the USER_PROFILE PeopleSoft Component Interface is added. You can follow the same procedures to add other attributes.
You must verify that the new attribute, Worklist User, is listed as one of the properties of the USER_PROFILE Component Interface. Only the attributes listed under properties are supported for provisioning. If the attribute exists, verify and note the definition of the attribute.
To verify the definition of the attribute in the USER_PROFILE Component Interface:
The PeopleSoft User Management connector performs user provisioning by invoking methods and setting properties on PeopleSoft Component Interfaces. Component Interface definitions are assigned in the PeopleSoft Component Interface configuration objects. You can add and modify the definitions by editing a copy of the PeopleSoftComponentInterfaces.xml file located in the xml directory of the connector package.
See Also:
Connector Component Interfaces for the PeopleSoft User Management for more information about the PeopleSoft Component Interface map definition
To add the new attribute to the PeopleSoft Component Interface map definition XML file:
Configuring the attribute in Oracle Identity Manager involves the following steps:
Associating the New Lookup With the Worklist User Process Form
Adding a Mapping for the New Attribute
Updating the Request Dataset
Note:
If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.
Add a new column in the process form by performing the following:
Enter UD_PSFT_BAS in the Table Name field and click the Query for records button.
Enter UD_PSFT_BAS_WORKLIST in the Name field and Worklist User in the Field Label field. Specify other values as shown in the following figure.
Create a new lookup definition of Lookup Type for the attribute, for example, Lookup.PSFT.UM.WorklistUser. Add the following Code Key and Decode entries:
Code Key | Decode |
---|---|
Y | Yes |
N | No |
The following figure shows the mapping for the new lookup:
Associate the new lookup, Lookup.PSFT.UM.WorklistUser, with the Worklist User process form. To do so:
Add a mapping for the new attribute to the Lookup.PSFT.UM.ProvAttrMap lookup definition. To do so:
Note:
To enable the update on the new attribute, perform the procedure described in Enabling Update on a New Attribute for Provisioning.
To enable the update of newly provisioned attributes:
Note:
Some of the steps in the following procedure are specific to the values that have been used. If you use other values, then these steps must be performed differently.
To add new attributes for provisioning, see Adding New Attributes for Provisioning.
Log in to Oracle Identity Manager Design Console.
Expand Process Management and then double-click Process definition.
In the Name field, enter Peoplesoft User Management and then click the Query for records button.
Add a new task, for example WorkList User Updated, and save the task.
Note:
While creating a new task, ensure that the task name is the same as the name of the field in the process form.
Click the Integration tab of the WorkList User Updated task, and then click Add.
Select Adapter as the handler type and then perform the following:
Select ADPPSFTUPDATEATTRIBUTEVALUE and click Save.
In the Adapter Variables region, double-click Adapter return value. A window is displayed for editing the data mapping for the variable.
From the Map To list, select Response Code and then click Save.
In the Adapter Variables region, double-click AttrFieldName. A window is displayed for editing the data mapping of the variable.
From the Map To list, select Literal.
In the Literal Value field, enter UD_PSFT_BAS_WORKLIST as the column name for the new attribute that was added in the Lookup.PSFT.UM.ProvAttrMap lookup definition.
In the Adapter Variables region, double-click ITResourceFieldName. A window is displayed for editing the data mapping of the variable.
From the Map To list, select Literal.
In the Literal Value field, enter UD_PSFT_BAS_SERVER as the column name of the ITResource field.
In the Adapter Variables region, double-click objectType. A window is displayed for editing the data mapping of the variable.
From the Map To list, select Literal.
In the Literal Value field, enter User and then save.
In the Adapter Variables region, double-click procInstanceKey. A window is displayed for editing the data mapping of the variable.
From the Map To list, select Process Data and from the Qualifier list, select Process Instance and then save.
Perform the mappings and save the form.
Click the Responses tab of the Worklist Updated task. The SUCCESS response should be mapped to status C and all other responses to status R.
Note:
You must enter Y or N in the WorklistUser field, because PeopleSoft accepts only these values.
You can modify the default field mappings between Oracle Identity Manager and the target system. For example, the Lookup.PSFT.UM.UserProfile.ReconAttrMap lookup definition for the USER_PROFILE message holds the default attribute mappings. If required, you can add to this predefined set of attribute mappings.
To add a new attribute for reconciliation:
Note:
If you do not want to add new attributes for reconciliation, then you need not perform this procedure.
In Oracle Identity Manager Design Console, make the required changes as follows:
See Also:
Adding Target System Attributes for Target Reconciliation in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed instructions on performing the following steps
Add a new attribute on the process form. See Adding New Attributes for Provisioning for more information.
Expand Resource Management and then double-click Resource Objects.
In the Name field, enter the name of the object definition and then click the Query for records button.
On the Object Reconciliation tab, click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.
Add a reconciliation field corresponding to the new attribute in the Peoplesoft User resource object. For example, you can add the WorkList reconciliation field.
Modify the Peoplesoft User Management process definition to include the mapping between the newly added field and the corresponding reconciliation field.
Add the new attribute in the message-specific attribute mapping lookup definition, for example, the Lookup.PSFT.UM.UserProfile.ReconAttrMap lookup definition for the USER_PROFILE message.
The following is the format of the values stored in this table:
Code Key | Decode |
---|---|
AttributeName | |
For example:
Code Key: WorkList
Decode: WORKLIST_USER_SW~PSROLEXLATOPRVW
In this example, WorkList is the reconciliation field, and its equivalent target system field is WORKLIST_USER_SW.
Add the new attribute in the Resource Object attribute reconciliation lookup definition, for example, the Lookup.PSFT.UM.UserProfile.Recon lookup definition for the USER_PROFILE message.
The following is the format of the values stored in this table:
Code Key | Decode |
---|---|
RO Attribute | |
In this example, RO Attribute refers to the resource object attribute name added in the preceding steps. The Decode column refers to the Code Key value in the message-specific attribute mapping lookup definition.
For example:
Code Key: WorkList
Decode: WorkList
If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.
You can also add new ID types depending on the PeopleSoft application module being provisioned. The new ID type can then be linked to a user profile for provisioning.
This section contains the following topics:
A user profile describes a particular user of the PeopleSoft system. Each user of the system has an individual user profile, which in turn is linked to one or more roles. Typically, a user profile must be linked to at least one role to be a usable profile. To each role, you can add one or more permission lists, which control what a user can and cannot access. So, a user inherits permissions through the role.
You can categorize user profiles based on ID types. In addition, you can grant data access based on ID type, such as customer, employee, and so on.
The Human Resource system is designed to focus on employee user type. On the other hand, the financial system is designed to keep track of customer and supplier user types. The ID type enables you to link user types with records that are most relevant when a user interacts with the system. So, when a user logs in to the PeopleSoft application, they see information relevant to them.
The Attribute Value field is where you select the value associated with the attribute name for the ID type. For example, the value reflects the employee number, but it could be a customer number or a vendor number.
PeopleSoft supports Customer and Vendor ID types in addition to Employee ID type. You can also add new ID types depending on the PeopleSoft application module being provisioned. The new ID type can then be linked to a user profile for provisioning.
Note:
You can assign multiple ID types to a user profile on the PeopleSoft target system. However, a single instance of an ID type can be assigned to the same user.
For example, you can link a user profile to Employee ID and Vendor ID during provisioning. However, the same user cannot be linked to two Employee ID instances.
The ID type and attributes discussed in the following procedure are sample values, and might differ from the values in the actual environment. Therefore, you must follow the same procedure with the values applicable in your present environment.
Suppose you want to add a new ID type Equation SQL Auth Class with attribute EQS ID for provisioning. Perform the steps mentioned in the following procedure:
Note:
The ID type attribute that you decide to use while configuring the new user profile ID type must map to a field in the PSOPRALIAS table.
To add a new ID type for provisioning:
Add a new column to the process form by performing the following steps:
Log in to Oracle Identity Manager Design Console.
Expand Development Tools and then double-click Form Designer.
In the Table Name field, enter UD_PSFT_BAS and click the Query for records button.
Click Create New Version.
In the Create a new version dialog box, specify the version name in the Label field, save the changes, and then close the dialog box.
From the Current Version list, select the newly created version.
On the Additional Columns tab, click Add.
Specify the new attribute name for the attribute EQS ID, for example Operator Alias Value. In addition, enter other values, such as the field label as EQS ID.
Click Make Version Active.
Add a mapping for the new ID type attribute. To do so:
Log in to the Oracle Identity Manager Design Console.
Expand Administration and then double-click Lookup Definition.
Enter Lookup.PSFT.UM.ProvAttrMap as the name of the lookup definition in the Code field and click the Query for records button.
Modify the Lookup.PSFT.UM.ProvAttrMap lookup definition by adding a new row with the following values:
Code Key: Column name of the form
Decode: Enter a combination of elements similar to the following Decode for the EQS ID type:
IDTypes~UM_IDTypes[IDType=EQS]~Attributes~UM_Attributes[AttributeName=Operator Alias Value]~AttributeValue
In this format:
IDTypes: Refers to the Identity Connector Framework (ICF) Parent Attribute Name
UM_IDTypes: Refers to the embedded ICF object class that contains IDType and Attributes. The default value of IDType is EQS.
Attributes: Refers to the ICF embedded object class that contains AttributeName and AttributeValue. The default value of AttributeName is Operator Alias Value.
The value of AttributeValue is retrieved from the form field.
See Lookup.PSFT.UM.ProvAttrMap for more information about the format of the elements in Decode.
To add Equation SQL Auth Class ID type with ID type value EQS, and attribute name Operator Alias Value, you must define a mapping similar to the Employee ID mapping in the Lookup.PSFT.UM.ProvAttrMap lookup definition.
If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this ID type visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.
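A mistyped Decode value in Lookup.PSFT.UM.ProvAttrMap is easy to miss in the Design Console, so the following added example (not part of the connector or of Oracle's documentation) parses an ID type Decode string and checks it against the five-element shape described above. The class name, the sample strings marked as constructed, and the choice to reject anything outside that shape are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: pre-save check for an ID type Decode value. Not connector code. */
public class IdTypeDecodeCheck {

    /** One '~'-separated element: a name plus an optional [key=value] filter. */
    static final class Element {
        final String name;
        final String filterKey;   // null when the element has no [..] part
        final String filterValue; // null when the element has no [..] part

        Element(String name, String filterKey, String filterValue) {
            this.name = name;
            this.filterKey = filterKey;
            this.filterValue = filterValue;
        }
    }

    // A name, optionally followed by [key=value]; no part may contain ~ [ ] or =
    private static final Pattern ELEMENT = Pattern.compile(
            "([^~\\[\\]=]+)(?:\\[([^~\\[\\]=]+)=([^~\\[\\]=]+)\\])?");

    static List<Element> parse(String decode) {
        if (decode == null || decode.trim().isEmpty()) {
            throw new IllegalArgumentException("Decode is empty");
        }
        List<Element> elements = new ArrayList<>();
        // Limit -1 keeps empty trailing parts, so "a~b~" is rejected below
        for (String part : decode.trim().split("~", -1)) {
            Matcher m = ELEMENT.matcher(part);
            if (!m.matches()) {
                throw new IllegalArgumentException("Malformed element: '" + part + "'");
            }
            elements.add(new Element(m.group(1), m.group(2), m.group(3)));
        }
        return elements;
    }

    /** Returns the problems found; an empty list means the shape matches. */
    static List<String> check(String decode) {
        List<String> problems = new ArrayList<>();
        List<Element> e;
        try {
            e = parse(decode);
        } catch (IllegalArgumentException ex) {
            problems.add(ex.getMessage());
            return problems;
        }
        if (e.size() != 5) {
            problems.add("Expected 5 elements, found " + e.size());
            return problems;
        }
        expect(problems, e.get(0), "IDTypes", null);
        expect(problems, e.get(1), "UM_IDTypes", "IDType");
        expect(problems, e.get(2), "Attributes", null);
        expect(problems, e.get(3), "UM_Attributes", "AttributeName");
        expect(problems, e.get(4), "AttributeValue", null);
        return problems;
    }

    private static void expect(List<String> problems, Element el,
                               String name, String filterKey) {
        if (!name.equals(el.name)) {
            problems.add("Expected '" + name + "' but found '" + el.name + "'");
        }
        if (filterKey == null && el.filterKey != null) {
            problems.add("'" + name + "' must not carry a [..] filter");
        }
        if (filterKey != null && !filterKey.equals(el.filterKey)) {
            problems.add("'" + name + "' needs a [" + filterKey + "=...] filter");
        }
    }

    public static void main(String[] args) {
        String[] samples = {
            // Decode value shown on this page
            "IDTypes~UM_IDTypes[IDType=EQS]~Attributes~UM_Attributes[AttributeName=Operator Alias Value]~AttributeValue",
            // Constructed: closing bracket missing after EQS
            "IDTypes~UM_IDTypes[IDType=EQS~Attributes~UM_Attributes[AttributeName=Operator Alias Value]~AttributeValue",
            // Constructed: filter key mistyped as Type
            "IDTypes~UM_IDTypes[Type=EQS]~Attributes~UM_Attributes[AttributeName=Operator Alias Value]~AttributeValue",
        };
        for (String s : samples) {
            List<String> problems = check(s);
            System.out.println((problems.isEmpty() ? "OK   " : "FAIL ") + s);
            for (String p : problems) {
                System.out.println("     " + p);
            }
        }
    }
}
```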
Suppose you want to update the EQS ID field as described in Adding New ID Types for Provisioning. Then, perform the following procedure:
To update the newly added ID type attributes:
Log in to Oracle Identity Manager Design Console.
Expand Development Tools and then double-click Adapter Factory.
Enter PSFT UM Update ID Types in the Adapter Name field, and then click the Query for records button.
In the Adapter Tasks tab, expand PSFT UM Update ID Types, and then select updateIdType.
Click the Variable List tab and add the attribute names along with their types and mappings based on your entries in Adding New ID Types for Provisioning. Click the save button.
In the Adapter Tasks tab, expand PSFT UM Update ID Types, and then double-click updateIdType.
In the Edit Adapter Factory Task Parameters dialog, in the Application Method Parameters section, expand Method, and then right-click on the Input: String[] type of parameter. Click on Add String and add the attributes that you added in Step 5 one at a time. For each attribute, select values for the MapTo and Name fields. Click the save button.
Expand Process Management and then double-click Process definition.
Enter Peoplesoft User Management in the Name field, and then click the Query for records button.
Add a new task, for example EQS ID Updated, and save the task.
Double-click the EQS ID Updated task, click the Integration tab, and then click Add.
Select Adapter as the handler type and then perform the following:
Select ADPPSFTUPDATEIDTYPE as shown in the following mapping, and then click the save button.
In the Adapter Variables region, double-click Adapter return value and select Response Code from the Map To list. Click the save button.
In the Adapter Variables region, double-click objectType and select Literal from the Map To list.
Enter User in the Literal Value field and click the save button.
In the Adapter Variables region, double-click ITResourceName and select Literal from the Map To list.
In the Literal Value field, enter UD_PSFT_BAS_SERVER as the column name for the new attribute that was added in the Lookup.PSFT.UM.ProvAttrMap lookup definition.
In the Adapter Variables region, double-click ProcessInstanceKey.
From the Map To list, select Process Data, and from the Qualifier list, select Process Instance and then click the save button.
Perform the mappings and save the format.
Click the Responses tab of the EQS ID Updated task. The SUCCESS response should be mapped with status C and all other responses with status R.
Suppose you want to reconcile the EQS ID field as described in Adding New ID Types for Provisioning. Then, perform the following procedure:
To add a new ID type for reconciliation:
Add the new ID Type attribute on the process form. For the procedure to add a new ID Type attribute, see Adding New ID Types for Provisioning.
Create a reconciliation profile for the new ID type attribute. To do so:
Expand Resource Management and then double-click Resource Objects.
In the Name field, enter the name of the object definition and then click the Query for records button.
Click the Object Reconciliation tab and add a reconciliation field corresponding to the new attribute in the Peoplesoft User resource object. Click the save button.
Click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.
Modify the Peoplesoft User Management process definition to include the mapping between the newly added field and the corresponding reconciliation field.
Add the new attribute in the message-specific attribute mapping lookup definition, for example, the Lookup.PSFT.UM.UserProfile.ReconAttrMap lookup definition for the USER_PROFILE message.
The following is the format of the values stored in this table:
Code Key | Decode |
---|---|
AttributeName | |
For example:
Code Key: EQS
Decode: EQS_ID~PSOPRALIAS
In this example, EQS is the reconciliation field and its equivalent target system field is EQS_ID.
Add the new attribute in the Resource Object attribute reconciliation lookup definition, for example, the Lookup.PSFT.UM.UserProfile.Recon lookup for the USER_PROFILE message.
In this example, the following values must be added to this lookup:
Code Key | Decode |
---|---|
EQS ID | EQS ID |
If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this ID type visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.
You can configure validation of reconciled and provisioned single-valued data according to your requirements. For example, you can validate data entered in the User ID field on the process form so that the number sign (#) is not sent to Oracle Identity Manager during reconciliation operations.
For data that fails the validation check, the following message is displayed or recorded in the log file:
Value returned for field FIELD_NAME is false.
To configure validation of data:
Write code that implements the required validation logic in a Java class.
See Also:
The Javadocs shipped with the connector for more information about this interface
You must create a class with the following signature:
public boolean validate(HashMap arg0, HashMap arg1, String arg2)
In this signature code:
arg0 contains primary table field values
arg1 contains child table field values
arg2 is the field on which validation needs to be done
The following sample validation class checks if the value in the User ID attribute contains the number sign (#):
```java
package com.validate;

import java.util.*;

public class MyValidation {
    public boolean validate(HashMap hmUserDetails,
            HashMap hmEntitlementDetails, String field) {
        /*
         * You must write code to validate attributes. Parent
         * data values can be fetched by using hmUserDetails.get(field)
         * For child data values, loop through the
         * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
         * Depending on the outcome of the validation operation,
         * the code must return true or false.
         */
        /*
         * In this sample code, the value "false" is returned if the field
         * contains the number sign (#). Otherwise, the value "true" is
         * returned.
         */
        boolean valid = true;
        String sUserID = (String) hmUserDetails.get(field);
        for (int i = 0; i < sUserID.length(); i++) {
            if (sUserID.charAt(i) == '#') {
                valid = false;
                break;
            }
        }
        return valid;
    }
} /* End */
```
Create a JAR file to hold the Java class.
Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 2 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
Note:
Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
For Microsoft Windows:
OIM_HOME/server/bin/UploadJars.bat
For UNIX:
OIM_HOME/server/bin/UploadJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.
If you created the Java class for validating a process form field for reconciliation, then:
Log in to the Design Console.
Search for and open the message-specific configuration lookup definition, in this example, the Lookup.PSFT.Message.UserProfile.Configuration lookup definition for the USER_PROFILE message. See Lookup.PSFT.Message.UserProfile.Configuration for information about this lookup definition. Check for the Validation Lookup Definition parameter in this lookup definition. The Decode value specifies the name of the validation lookup. In this example, the Decode value is Lookup.PSFT.UM.ReconValidation.
Search for and open the Lookup.PSFT.UM.ReconValidation lookup definition.
In the Code Key column, enter User ID.
In the Decode column, enter com.validate.MyValidation.
Here, the Code Key value specifies the column name of the field you want to validate. The Decode value is the complete package name of the Java class that has the validation logic.
Save the changes to the lookup definition.
Search for and open the message-specific configuration lookup definition, in this example, the Lookup.PSFT.Message.UserProfile.Configuration lookup definition.
Set the value of the Use Validation entry to yes.
Save the changes to the lookup definition.
Remove the PeopleSoftOIMListener.ear file from the application server.
Copy the validation JAR file created in Step 2 to the following directory:
PeoplSoftOIMListener.ear/PeoplSoftOIMListener.war/WEB-INF/lib
Redeploy the PeopleSoftOIMListener.ear file on the application server. See Deploying the PeopleSoft Listener for the procedure.
You can configure the transformation of reconciled single-valued data according to your requirements. For example, you can use the Currency Code value to create a value for the Currency Code field in Oracle Identity Manager.
To configure the transformation of data:
Write code that implements the required transformation logic in a Java class.
See Also:
The Javadocs shipped with the connector for more information about this interface
The following sample transformation class modifies a value for the Currency Code attribute by prefixing a dollar sign ($) in the Currency Code value received from the target system:
```java
package com.transform;

import java.util.*;

public class MyTransform {
    /*
     * Description: Abstract method for transforming the attributes
     * param hmUserDetails<String,Object>
     *     HashMap containing parent data details
     * param hmEntitlementDetails<String,Object>
     *     HashMap containing child data details
     */
    public Object transform(HashMap hmUserDetails,
            HashMap hmEntitlementDetails, String sField) {
        /*
         * You must write code to transform the attributes.
         * Parent data attribute values can be fetched by
         * using hmUserDetails.get("Field Name").
         * To fetch child data values, loop through the
         * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
         * Return the transformed attribute.
         */
        System.out.println("sfield =" + sField);
        String sCurrencyCode = (String) hmUserDetails.get(sField);
        sCurrencyCode = "$" + sCurrencyCode;
        return sCurrencyCode;
    }
} /* End */
```
Create a JAR file to hold the Java class.
Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 2 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
Note:
Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
For Microsoft Windows:
OIM_HOME/server/bin/UploadJars.bat
For UNIX:
OIM_HOME/server/bin/UploadJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.
If you created the Java class for transforming a process form field for reconciliation, then:
Log in to the Design Console.
Search for and open the message-specific configuration lookup definition, in this example, the Lookup.PSFT.Message.UserProfile.Configuration lookup definition for the USER_PROFILE message. See Lookup.PSFT.Message.UserProfile.Configuration for information about this lookup definition. Check for the Transformation Lookup Definition parameter in this lookup definition. The Decode value specifies the name of the transformation lookup. In this example, the Decode value is Lookup.PSFT.UM.UserProfile.Transformation.
Search for and open the Lookup.PSFT.UM.UserProfile.Transformation lookup definition.
In the Code Key column, enter Currency Code.
In the Decode column, enter com.transform.MyTransform.
Here, the Code Key value specifies the column name of the field you want to transform. The Decode value is the complete package name of the Java class that has the transformation logic.
Save the changes to the lookup definition.
Search for and open the message-specific configuration lookup definition, in this example, the Lookup.PSFT.Message.UserProfile.Configuration lookup definition.
Set the value of the Use Transformation entry to yes.
Save the changes to the lookup definition.
Remove the PeopleSoftOIMListener.ear file from the application server.
Copy the transformation JAR file created in Step 2 to the following directory:
PeoplSoftOIMListener.ear/PeoplSoftOIMListener.war/WEB-INF/lib
Redeploy the PeopleSoftOIMListener.ear file on the application server. See Deploying the PeopleSoft Listener for the procedure.
You can configure the validation of provisioned single-valued data according to your requirements. For example, you can validate the user ID provisioned to ensure that it does not contain the number sign (#).
For data that fails the validation check, the following message is displayed or recorded in the log file:
Value returned for field FIELD_NAME is false.
In this format, FIELD_NAME is the name of the field on which you perform validation.
To configure validation of data:
Write code that implements the required validation logic in a Java class.
See Also:
The Javadocs shipped with the connector for more information about this interface
You must create a class with the following signature:
public boolean validate(HashMap arg0, HashMap arg1, String arg2)
In this signature code:
arg0 contains primary table field values
arg1 contains child table field values
arg2 is the field on which validation needs to be done
The following sample validation class checks whether the value in the user ID attribute contains the number sign (#):
```java
package com.validation;

import java.util.HashMap;

public class Validator {
    public boolean validate(HashMap hmUserDetails,
            HashMap hmEntitlementDetails, String sField) {
        /*
         * You must write code to validate attributes. Parent
         * data values can be fetched by using hmUserDetails.get(field)
         * For child data values, loop through the
         * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
         * Depending on the outcome of the validation operation,
         * the code must return true or false.
         */
        /*
         * In this sample code, the value "false" is returned if the field
         * contains the number sign (#). Otherwise, the value "true" is
         * returned.
         */
        boolean valid = true;
        String sGivenName = (String) hmUserDetails.get(sField);
        for (int i = 0; i < sGivenName.length(); i++) {
            if (sGivenName.charAt(i) == '#') {
                valid = false;
                break;
            }
        }
        return valid;
    }
} /* End */
```
Create a JAR file to hold the Java class.
Update the Lookup.PSFT.UM.Prov.Configuration lookup definition by performing the following steps:
See Also:
Lookup.PSFT.UM.Prov.Configuration for more information about the lookup
Log in to the Design Console.
Search for and open the Lookup.PSFT.UM.Prov.Configuration lookup definition.
In the Code Key column, enter Provisioning Validation Lookup.
In the Decode column, enter Lookup.PSFT.UM.ProvValidation.
Save the changes to the lookup definition.
Create a new lookup definition Lookup.PSFT.UM.ProvValidation and update the lookup by performing the following steps:
See Also:
Creating Lookups in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about creating a new lookup definition
In the Code Key column, enter User ID.
In the Decode column, enter com.validation.Validator.
Here, the Code Key value specifies the column name of the field you want to validate. The Decode value is the complete package name of the Java class that has the validation logic.
Save the changes to the lookup definition.
Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 2 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
Note:
Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
For Microsoft Windows:
OIM_HOME/server/bin/UploadJars.bat
For UNIX:
OIM_HOME/server/bin/UploadJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.
Run the PurgeCache utility to purge the Oracle Identity Manager cache.
See Clearing Content Related to Connector Resource Bundles from the Server Cache for more information about the PurgeCache utility.
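The sample validation class in this procedure rejects a single character and throws a NullPointerException when the field is absent from the map. The following added example (not Oracle's sample code) keeps the same validate signature but fails closed on missing values and checks each field against an allow-list, including the Y or N restriction this chapter states for the Worklist User attribute. The class name StrictValidator, the field names used as keys, and the User ID character policy are assumptions of this example.

```java
package com.validation;

import java.util.HashMap;
import java.util.regex.Pattern;

/**
 * Added example, not Oracle's sample code. Register it the same way as the
 * sample class: Code Key = field name, Decode = com.validation.StrictValidator.
 */
public class StrictValidator {

    // Assumed policy: 1 to 30 characters from A-Z, a-z, 0-9, '_', '.', '-'.
    // Adjust to the User ID rules of your own PeopleSoft installation.
    private static final Pattern USER_ID =
            Pattern.compile("[A-Za-z0-9_.-]{1,30}");

    public boolean validate(HashMap hmUserDetails,
            HashMap hmEntitlementDetails, String sField) {
        // Fail closed: a missing map, field name or value is not valid data.
        if (hmUserDetails == null || sField == null) {
            return false;
        }
        Object raw = hmUserDetails.get(sField);
        if (!(raw instanceof String)) {
            return false; // null or an unexpected type
        }
        String value = (String) raw;

        // Field names below are assumptions; use the Code Key values
        // from your own validation lookup definition.
        if ("Worklist User".equals(sField)) {
            // PeopleSoft accepts only Y or N for this attribute.
            return "Y".equals(value) || "N".equals(value);
        }
        if ("User ID".equals(sField)) {
            // Allow-list instead of rejecting only '#'.
            return USER_ID.matcher(value).matches();
        }
        // A field this class does not know how to validate is rejected,
        // so a lookup entry pointing here by mistake is noticed.
        return false;
    }

    // Stand-alone check with constructed sample values.
    public static void main(String[] args) {
        StrictValidator v = new StrictValidator();
        HashMap<String, Object> form = new HashMap<>();
        form.put("User ID", "JDOE#1");      // constructed: contains '#'
        form.put("Worklist User", "Yes");   // constructed: not Y or N
        System.out.println(v.validate(form, null, "User ID"));        // false
        System.out.println(v.validate(form, null, "Worklist User"));  // false

        form.put("User ID", "JDOE1");
        form.put("Worklist User", "Y");
        System.out.println(v.validate(form, null, "User ID"));        // true
        System.out.println(v.validate(form, null, "Worklist User"));  // true

        form.remove("User ID");
        System.out.println(v.validate(form, null, "User ID"));        // false
    }
}
```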
You might want to modify the lengths of the fields (attributes) on the process form. For example, if you use a Japanese locale, then you might want to increase the lengths of the process form fields to accommodate multibyte data from the target system.
To modify the length of a field on the OIM User form:
You can configure the connector for multiple installations of the target system by creating copies of the connector objects, such as the IT resource, process form, process definition, and resource object.
This section contains the following topics:
You might want to configure the connector for multiple installations of the target system. The following example illustrates this requirement:
The London and New York offices of Example Multinational Inc. have their own installations of the target system. The company has recently installed Oracle Identity Manager, and wants to configure Oracle Identity Manager to link all the installations of the target system.
The company has a trusted (authoritative) source of identity data for Oracle Identity Manager, for example PSFT_TRST. The company uses the PeopleSoft Employee Reconciliation connector to reconcile person records, which in turn creates OIM Users.
The company now needs to provision resources on two different target systems, PSFT_LDN and PSFT_NY for London and New York offices, respectively, using the PeopleSoft User Management connector.
The resources in the London office have five mandatory fields to be provisioned. But, the New York office has an additional field to provision, for example the Social Security Number (SSN). In this scenario, you must create a clone of the User Management connector to provision PSFT_LDN and PSFT_NY target systems. The connector for the PSFT_NY target system has an additional SSN field to provision.
Figure 4-1 shows the architecture for multiple installations of the target system in Example Multinational Inc.
Figure 4-1 Architecture for Multiple Installations of the Target System
To meet the requirement posed by such a scenario, you can create copies of connector objects, such as the IT resource, process form, process definition, and resource object.
The decision to create a copy of a connector object is based on a requirement. For example, an IT resource can hold connection information for one target system installation. Therefore, it is mandatory to create a copy of the IT resource for each target system installation.
With some other connector objects, you do not need to create copies at all. For example, a single attribute-mapping lookup definition can be used for all installations of the target system.
All connector objects are linked. For example, a scheduled task holds the name of the IT resource. Similarly, the IT resource holds the name of the common configuration lookup definition, which is Lookup.PSFT.Configuration. If you create a copy of an object, then you must specify the name of the copy in the other connector objects that reference it. Table 4-1 lists the association between connector objects whose copies can be created and the other objects that reference these objects. When you create a copy of an object, use this information to change the associations of that object with other objects.
Table 4-1 Connector Objects and Their Associations
Connector Object | Name | Referenced By | Description |
---|---|---|---|
IT Resource | PSFT User | | You need to create a copy of IT Resource with a different name. |
Resource Object | Peoplesoft User | Message-specific configuration lookup definitions: | It is optional to create a copy of a resource object. If you are reconciling the same set of attributes from the other target system, then you need not create a new resource object. Note: Create copies of this resource object only if there are differences in attributes between two installations of the target system. |
Process Definition | Peoplesoft User Management | NA | It is optional to create a copy of a process definition. If you are reconciling or provisioning the same set of attributes, then you need not create a copy of this connector object. Note: Create copies of this process definition only if there are differences in attributes between two installations of the target system. |
Process Form | UD_PSFT_BAS | NA | It is optional to create a copy of the process form. If you are provisioning different sets of attributes, then you need to create a copy of this connector object. |
Common Configuration Lookup Definition | Lookup.PSFT.Configuration | Message-specific configuration lookup definitions: | It is optional to create a copy of the common configuration lookup definition. Note: Create copies of this lookup definition only if there are differences in attributes between two installations of the target system. |
Message-specific Configuration Lookup Definition | | Attribute mapping lookup definitions: | It is optional to create a copy of the message-specific lookup definitions. Note: Create copies of this lookup definition only if there are differences in attributes between two installations of the target system. |
Attribute Mapping Lookup Definition | | NA | This lookup definition holds the information of the attributes reconciled from the XML message file from the target system. Note: Create copies of this lookup definition only if there are differences in attributes between two installations of the target system. |
Recon Map Lookup Definition | | NA | This lookup definition maps the resource object field with the data reconciled from the message. Note: Create copies of this lookup definition only if there are differences in attributes between two installations of the target system. |
When you perform a provisioning operation, lookup fields on the Administrative and User Console allow you to select values from lists. Some of these lookup fields are populated with values copied from the target system.
In earlier releases of the connector, if you had multiple installations of the target system, then entries in the lookup field were linked to the target system installation from which the entries were copied. This allowed you to select lookup field values that were specific to the target system installation on which the provisioning operation was to be performed.
You can enable this feature after you deploy the Oracle Identity Manager. To enable the Dependent Lookup Fields feature, perform the following procedures:
Note:
To provision a resource, you enter the required values in the process form with at least one lookup value selected, for example, Currency Code and then click Continue. But, if you click the Back button now, the description of the Code Key on the process form changes to the Decode value. If you proceed with provisioning now, the following exception is thrown:
Column data length is too long
This section describes how to update the UD_PSFT_BAS form. It contains the following topics:
To create a new version of the UD_PSFT_BAS form:
To add properties for the Primary Permission List lookup field:
4. From the Current Version list, select the version that you created.
5. Open the Properties tab.
6. Add properties for the Primary Permission List lookup field as follows:
  a. Select the Lookup Code = Name of Lookup Definition property, and then click Delete Property. For example:
     Lookup Code = Lookup.PSFT.UM.PermissionList
  b. Select Primary Permission List, and then click Add Property.
  c. In the Add Property dialog box:
     From the Property Name list, select Lookup Column Name.
     In the Property Value field, enter lkv_encoded.
     Click the Save icon, and then close the dialog box.
  d. Select Primary Permission List, and then click Add Property.
  e. In the Add Property dialog box:
     From the Property Name list, select Column Names.
     In the Property Value field, enter lkv_encoded.
     Click the Save icon, and then close the dialog box.
  f. Select Primary Permission List, and then click Add Property.
  g. In the Add Property dialog box:
     From the Property Name list, select Column Widths.
     In the Property Value field, enter 234.
  h. Select Primary Permission List, and then click Add Property.
  i. In the Add Property dialog box:
     From the Property Name list, select Column Captions.
     In the Property Value field, enter lkv_decoded.
     Click the Save icon, and then close the dialog box.
  j. Select Primary Permission List, and then click Add Property.
  k. In the Add Property dialog box:
     From the Property Name list, select Lookup Query.
     In the Property Value field, enter the following if Oracle Identity Manager is running on Oracle:
     SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.PermissionList' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$','~%')
     In the Property Value field, enter the following if Oracle Identity Manager is running on Microsoft SQL Server:
     SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.PermissionList' AND lkv_encoded like '$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
     Click the Save icon, and then close the dialog box.
The procedure that you perform to update the UD_PS_EMAIL form is almost the same as the procedure described in Updating the UD_PSFT_BAS Form:
On the Design Console, expand Development Tools and double-click Form Designer.
Search for and open the UD_PS_EMAIL form.
Click Create New Version, enter a new version number, and then save the version.
From the Current Version list, select the version that you created.
Open the Properties tab.
Add properties for the Email Type lookup field as follows:
When you perform Step 6b of the procedure described in Updating the UD_PSFT_BAS Form, select Email Type instead of Primary Permission List.
Perform Steps 6c through 6j. Add the properties that you added for the Email Type field on the UD_PS_EMAIL form.
When you perform Step 6k, enter the following in the Property Value field for the lookup query:
For Oracle:
SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.EmailType' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$', '~%')
For Microsoft SQL Server:
SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key=lku.lku_key AND lku_type_string_key='Lookup.PSFT.UM.EmailType' AND lkv_encoded like '$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
Click the Save icon to save the changes to the form.
Click Make Version Active.
The procedure that you perform to update the UD_PSROLES form is almost the same as the procedure described in Updating the UD_PSFT_BAS Form:
On the Design Console, expand Development Tools and double-click Form Designer.
Search for and open the UD_PSROLES form.
Click Create New Version, enter a new version number, and then save the version.
From the Current Version list, select the version that you created.
Open the Properties tab.
Add properties for the Role Name lookup field as follows:
When you perform Step 6b of the procedure described in Updating the UD_PSFT_BAS Form, select Role Name instead of Primary Permission List.
Perform Steps 6c through 6j. Add the properties that you added for the Role Name field on the UD_PSROLES form.
When you perform Step 6k, enter the following in the Property Value field for the lookup query:
For Oracle:
SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key = lku.lku_key AND lku_type_string_key = 'Lookup.PSFT.UM.Roles' AND lkv_encoded like CONCAT('$Form data.UD_PSFT_BAS_SERVER$', '~%')
For Microsoft SQL Server:
SELECT lkv_encoded,lkv_decoded FROM lkv lkv,lku lku WHERE lkv.lku_key=lku.lku_key AND lku_type_string_key='Lookup.PSFT.UM.Roles' AND lkv_encoded like '$Formdata.UD_PSFT_BAS_SERVER$' + '~%'
Click the Save icon to save the changes to the form.
Click Make Version Active.
The PeopleSoft User Management connector performs user provisioning by invoking methods and setting properties on PeopleSoft Component Interfaces. Component interface definitions are assigned in the PeopleSoft Component Interface configuration objects. You can modify the definitions by editing a copy of the PeopleSoftComponentInterfaces.xml file located in the xml directory of the connector package. This XML file is mapped to the xmlMapping entry in the Lookup.PSFT.Configuration lookup definition.
This section includes the following information about configuring and implementing component interfaces with the PeopleSoft User Management connector:
The component interface map contains the list of component interfaces available to the connector. The interfaces object contains a list of component interfaces. If you have a custom component interface, you must define your own component interface definition in the map. Edit the PeopleSoft Component Interfaces Configuration object and add your definition as an additional Object into the <List> element under the <Attribute name='interfaces'> element.
This section contains the following topics:
Each available component interface has its own definition. Key elements of a component interface definition include:
name. The label of a component interface. It often matches the value of the componentInterface attribute, but this is not a requirement. The value will be displayed in the drop-down menu on the connector's Resource Parameters page.
componentInterface attribute. The name of the component interface, as defined in PeopleSoft.
getKey attribute. The name of the component interface property that is set when performing a PeopleSoft GET operation. If getKey is not defined, then the key attribute is used instead.
findKey attribute. The name of the component interface property that is set when performing a PeopleSoft FIND operation. If findKey is not defined, then the key attribute is used instead.
createKey attribute. The name of the component interface property that is set when performing a PeopleSoft CREATE operation. If createKey is not defined, then the key attribute is used instead.
key attribute. Deprecated. Use getKey, findKey, or createKey instead.
properties attribute. A list of properties that can be read or set from the PeopleSoft component interface.
Each Object in the properties list must have the following attribute:
  name. The name of the property. This must match exactly with the name of a property exposed by the PeopleSoft component interface identified by the componentInterface property. The names of the properties are candidates to be listed as resource user attributes on the Account Attributes page.
If this is a collection property, then you must define additional attributes. A collection property defines its key property and its own nested set of simple and/or complex properties:
  isCollection attribute. If the property is a collection, then set this to true.
  key attribute. If the property is a collection, set this to the name of the property that uniquely identifies each item of the collection.
  properties attribute. The list of properties that can be read/set for each item of the collection. To support arbitrary complexity, each member of this list is an Object with the same allowed attributes as the parent. That is, it can contain its own name, isCollection, key, and properties attributes.
disableRule attribute. An Object that defines the logic to compute and set the user disable state.
This attribute contains the following attributes:
  property attribute. The property to check. The value must be listed in the properties attribute for the componentInterface object.
  trueValue attribute. A value that indicates the user is disabled.
  falseValue attribute. A value that indicates the user is enabled.
supportedObjectTypes attribute. A list of supported resource object types. Each object defines a set of features.
  features attribute. A list of supported features. Possible feature types include view, get, list, find, create, saveas, update, rename, and delete.
The default Component Interface configuration object defines the following interfaces:
USER_PROFILE. Performs create, read, and update actions. See USER_PROFILE Component Interface.
DELETE_USER_PROFILE. Deletes user accounts. See DELETE_USER_PROFILE Component Interface.
The default USER_PROFILE component interface definition is used to perform create, read, and update actions. The key and findKey attributes are set to UserID, because the USER_PROFILE component interface assigns the UserID field for the GETKEYS and FINDKEYS keys.
The default definition for the USER_PROFILE component interface does not define all of the possible properties. It has been simplified to include those used in the sample user form. If you need to add more resource user attributes to the Account Attributes page, then the component interface definition must be updated first. A resource user attribute cannot be added to that page unless it is listed in the component interface definition.
Most properties defined in USER_PROFILE are simple objects. However, the IDTypes and Roles objects are collections and can have multiple values. IDTypes contains a collection of its own, Attributes. These objects must include the isCollection attribute, the key name for the collection, and at least one property.
The PeopleSoft Component Interface map definition file can be edited so that resource objects can be managed. Use a text editor to add an ObjectType element to the definition file. For example, to add support for the Role resource object, add an ObjectType element similar to the following example:
<ObjectTypes>
  <ObjectType name='Role' icon='role'>
    <ObjectFeatures>
      <ObjectFeature name='find'/>
    </ObjectFeatures>
    <ObjectAttributes idAttr='ROLENAME' displayNameAttr='ROLENAME' descriptionAttr='DESCR'>
      <ObjectAttribute name='ROLENAME' type='string'/>
      <ObjectAttribute name='DESCR' type='string'/>
      <ObjectAttribute name='ROLESTATUS' type='string'/>
    </ObjectAttributes>
  </ObjectType>
</ObjectTypes>
The ObjectType name (for example, Role) must match the name of one of the objects in the supportedObjectTypes list of exactly one component interface definition. Each ObjectFeature (for example, find) must have a corresponding feature in the features list in that same supportedObjectTypes. The matched component interface is used to perform the resource feature. If there are multiple matches, the first one found will be used.
The following example is part of the component interface definition for the ROLE_MAINT component interface in the component interface map. Note that the Object name Role is found and that an item in the features list is named find.
<Attribute name='supportedObjectTypes'>
  <List>
    <Object name='Role'>
      <Attribute name='features'>
        <List>
          <Object name='find'/>
          <Object name='get'/>
        </List>
      </Attribute>
    </Object>
  </List>
</Attribute>
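The matching rule between ObjectType elements and supportedObjectTypes can be checked before an edited map is deployed, so that an object type does not silently bind to an unintended component interface or request a feature the interface does not list. The following is an added example, not part of the Oracle documentation or the connector: the XML is a constructed sample in the shape shown above, CUSTOM_ROLE_CI is a hypothetical second definition, and "first one found" is assumed to mean file order.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape described above: <Attribute name='interfaces'>
# holding a <List> of interface Objects. ROLE_MAINT with Role/find/get is from the
# page; CUSTOM_ROLE_CI is a hypothetical second definition added for the demo.
CI_MAP = """<Attribute name='interfaces'><List>
  <Object name='ROLE_MAINT'>
    <Attribute name='supportedObjectTypes'><List>
      <Object name='Role'><Attribute name='features'><List>
        <Object name='find'/><Object name='get'/>
      </List></Attribute></Object>
    </List></Attribute>
  </Object>
  <Object name='CUSTOM_ROLE_CI'>
    <Attribute name='supportedObjectTypes'><List>
      <Object name='Role'><Attribute name='features'><List>
        <Object name='find'/><Object name='delete'/>
      </List></Attribute></Object>
    </List></Attribute>
  </Object>
</List></Attribute>"""

# Constructed ObjectTypes element: Role asks for find (as on the page) plus delete.
OBJECT_TYPES = """<ObjectTypes><ObjectType name='Role' icon='role'>
  <ObjectFeatures><ObjectFeature name='find'/><ObjectFeature name='delete'/></ObjectFeatures>
</ObjectType></ObjectTypes>"""


def supported_types(ci_map_xml):
    """Return [(interface name, {object type: set of features})] in file order."""
    out = []
    for ci in ET.fromstring(ci_map_xml).findall("List/Object"):
        types = {}
        for obj in ci.findall("Attribute[@name='supportedObjectTypes']/List/Object"):
            feats = obj.findall("Attribute[@name='features']/List/Object")
            types[obj.get("name")] = {f.get("name") for f in feats}
        out.append((ci.get("name"), types))
    return out


def check_object_types(ci_map_xml, object_types_xml):
    """List every ObjectType/ObjectFeature that breaks the matching rule."""
    findings = []
    interfaces = supported_types(ci_map_xml)
    for ot in ET.fromstring(object_types_xml).findall("ObjectType"):
        name = ot.get("name")
        matches = [(ci, types[name]) for ci, types in interfaces if name in types]
        if not matches:
            findings.append(f"{name}: no interface lists it in supportedObjectTypes")
            continue
        used, features = matches[0]  # assumption: first match in file order is used
        if len(matches) > 1:
            others = ", ".join(ci for ci, _ in matches[1:])
            findings.append(f"{name}: also listed by {others}; {used} is used")
        for feat in ot.findall("ObjectFeatures/ObjectFeature"):
            if feat.get("name") not in features:
                findings.append(f"{name}: '{feat.get('name')}' not in features of {used}")
    return findings


if __name__ == "__main__":
    for line in check_object_types(CI_MAP, OBJECT_TYPES):
        print(line)
```

An empty list means every ObjectType resolves to exactly one interface that lists all of its requested features.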