This chapter contains the following sections:
Configuring the Scheduled Jobs for Lookup Field Synchronization
Resending Messages That Are Not Received by the PeopleSoft Listener
Performing Provisioning Operations in Oracle Identity Manager 11.1.1.x
Performing Provisioning Operations in Oracle Identity Manager Release 11.1.2.x
Provisioning Operations Performed in an SoD-Enabled Environment
The following is a summary of the steps to use the connector for full reconciliation:
Note:
It is assumed that you have performed all the procedures described in the preceding chapter.
Change from full reconciliation to incremental reconciliation. See Performing Incremental Reconciliation for instructions.
When you run the Connector Installer, scheduled jobs for lookup field synchronization are automatically created in Oracle Identity Manager. These scheduled jobs are used to synchronize the values of the lookup fields between the target system and Oracle Identity Manager.
This section contains the following topics:
When you run the Connector Installer, the following scheduled jobs for lookup field synchronization are automatically created in Oracle Identity Manager:
Peoplesoft Currency Code Lookup Reconciliation
Peoplesoft Email Type Lookup Reconciliation
Peoplesoft Language Code Lookup Reconciliation
Peoplesoft Permission List Lookup Reconciliation
Peoplesoft Roles Lookup Reconciliation
Peoplesoft User Management Target Reconciliation
These scheduled jobs are used to synchronize the values of the lookup fields between the target system and Oracle Identity Manager. Table 3-1 describes the attributes of this scheduled job. See Configuring Scheduled Jobs for instructions on running the scheduled job.
Note:
Default attribute values are predefined in the connector XML file that is imported during the installation of the connector. Specify values only for those attributes that you want to change.
Table 3-1 describes the attributes of the scheduled jobs for lookup field synchronization.
Table 3-1 Scheduled Job Attributes for Lookup Field Synchronization
Attribute | Description |
---|---|
IT Resource Name | Enter the name of the IT resource. Default Value: |
FilePath | Enter the full path of the file in which the lookup data to be reconciled is stored. The operating system of the computer on which Oracle Identity Manager is installed must be able to access this file path. The data extracted from this file is stored in the Lookup Definition Name attribute of the scheduled job. Default value: Enter a Value Sample value: |
Lookup Definition Name | Enter the name of the lookup definitions created in Oracle Identity Manager that corresponds to the lookup fields in the target system. The value can be any one of the following: |
Task Name | Enter the name of the scheduled task. Sample value: |
File Archival | Enter Default value: |
File Archival Folder | Enter the full path and name of the in which you want the lookup properties file used during lookup reconciliation to be archived. Default Value: Enter a Value Note: You must change this value if the File Archival attribute is set to Sample Value: |
This section discusses the following topics related to configuring reconciliation:
This section describes the procedure to generate the properties file, which contains the lookup data to be consumed by the lookup reconciliation scheduled job.
You can run the Application Engine program by using PeopleSoft Internet Architecture to perform Lookup Reconciliation as follows:
Note:
You must run the Application Engine program periodically.
Full reconciliation involves reconciling all existing user profile records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.
Note:
If the target version is PeopleSoft HRMS 9.1 with PeopleTools 8.51, you must use PeopleTools 8.51.13 release for full reconciliation.
The following sections discuss the procedures involved in full reconciliation:
You must generate XML files for all existing users in the target system.
Note:
Before performing the procedure to generate XML files, you must ensure that you have configured the USER_PROFILE message. See Configuring the Target System for Full Reconciliation for more information.
If you are using PeopleTools 8.50 and HCM 9.0, then before running Full Data Publish, you must apply the patch that addresses Bug 824529. This patch can be downloaded from Oracle Metalink.
You must run the Application Engine program if you are performing the full reconciliation for the first time. See Performing Lookup Reconciliation for more information.
To run the USER_PROFILE message:
Note:
After you have performed this procedure:
Remove the permission list created in the Setting Up the Security for the USER_PROFILE Service Operation section. This is for security purposes.
Ensure that you disable the USER_PROFILE_HR_TO_UMFILE routing created earlier.
This section describes the procedure to import XML files into Oracle Identity Manager.
It contains the following topics:
When you run the Connector Installer, the PeopleSoft User Management Target Reconciliation scheduled job is automatically created in Oracle Identity Manager.
The PeopleSoft User Management Target Reconciliation scheduled job is used for target resource reconciliation. In addition, this same scheduled job is used to reconcile data of deleted users from a target resource into Oracle Identity Manager.
The scheduled job transfers data from the XML file to the parser. The parser then converts this data into reconciliation events. Table 3-2 describes the attributes of this scheduled job. See Configuring Scheduled Jobs for instructions on configuring the scheduled job.
Table 3-2 describes the attributes of the scheduled job for reconciliation of user data.
Table 3-2 Attributes of the Scheduled Job for Reconciliation of User Data
Attribute | Description |
---|---|
Archive Mode | Enter If |
Archive Path | Enter the full path and name of the in which you want XML files used during full reconciliation to be archived. You must enter a value for the Archive Path attribute only if you specify Sample value: |
File Path | Enter the path of the on the Oracle Identity Manager host computer into which you copied the file containing XML data. Sample value: |
IT Resource Name | Enter the name of the IT resource that you create by performing the procedure described in the Configuring the IT Resource section. Default value: |
Message Implementation Class | Enter the name of the Implementation class for the message handler required to process the message. For example, the implementation class for the following messages are provided by default: For the USER_PROFILE message: For the DELETE_USER_PROFILE message: |
Message Name | Use this attribute to specify the name of the delivered message used for full reconciliation. Sample value: Note: This value must match the entry in the Lookup.PSFT.Configuration lookup definition, as it is used to determine the class name of the message handler. See Lookup.PSFT.Configuration for information about the lookup. |
Task Name | This attribute holds the name of the scheduled task. Default value: |
You do not require additional configuration for incremental reconciliation.
It is assumed that you have deployed the PeopleSoft listener as described in Deploying the PeopleSoft Listener.
You can configure limited reconciliation to specify the subset of target system records that must be fetched into Oracle Identity Manager.
This section contains the following topics:
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current incremental reconciliation run. For full reconciliation, all target system records are fetched into Oracle Identity Manager.
You configure limited reconciliation by specifying a query condition as the value of the Custom Query attribute of the PeopleSoft User Management Target Reconciliation scheduled job.
You must use the following format to specify a value for the Custom Query attribute:
RESOURCE_OBJECT_ATTRIBUTE_NAME=VALUE
For example, suppose you specify the following as the value of the Custom Query attribute:
Currency Code=1~USD
With this query condition, only records for users whose currency code is 1~USD are considered for reconciliation.
You can add multiple query conditions by using the ampersand (&) as the AND operator and the vertical bar (|) as the OR operator. For example, the following query condition is used to limit reconciliation to records of those users for whom the Currency Code is 1~USD and User ID is John01:
Currency Code=1~USD & User ID=John01
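The Custom Query format above, modelled as an added example (not Oracle's connector code) so that a filter can be previewed against sample records before it is saved on the scheduled job. The page does not state how mixed & and | conditions are grouped; this sketch assumes & binds tighter than |, exact case-sensitive matching, and constructed sample records.

```python
# Added illustration: a stand-alone model of the Custom Query format, not the
# connector's own parser. Assumed: "&" binds tighter than "|", matching is exact.

def parse_custom_query(query):
    """Parse a query into OR-groups, each a list of (attribute, value) AND-terms."""
    if not query or not query.strip():
        raise ValueError("empty Custom Query")
    groups = []
    for or_part in query.split("|"):
        terms = []
        for cond in or_part.split("&"):
            # Split on the first "=" only, so a value may itself contain "=".
            name, sep, value = cond.partition("=")
            name, value = name.strip(), value.strip()
            if not sep or not name or not value:
                raise ValueError("malformed condition: %r" % cond.strip())
            terms.append((name, value))
        groups.append(terms)
    return groups


def record_matches(record, groups):
    """True if every term of at least one OR-group equals the record's value."""
    return any(all(record.get(n) == v for n, v in terms) for terms in groups)


def preview(records, query, key="User ID"):
    """Return (selected, skipped) lists of record keys for the given query."""
    groups = parse_custom_query(query)
    selected, skipped = [], []
    for rec in records:
        (selected if record_matches(rec, groups) else skipped).append(rec[key])
    return selected, skipped


# Constructed sample records; attribute names follow the page's examples,
# Jane02, Raj03 and 1~INR are made up for this illustration.
SAMPLE_RECORDS = [
    {"User ID": "John01", "Currency Code": "1~USD"},
    {"User ID": "Jane02", "Currency Code": "1~USD"},
    {"User ID": "Raj03", "Currency Code": "1~INR"},
]

if __name__ == "__main__":
    for q in ("Currency Code=1~USD",
              "Currency Code=1~USD & User ID=John01",
              "Currency Code=1~INR | User ID=John01"):
        selected, skipped = preview(SAMPLE_RECORDS, q)
        print("%-40s reconciled=%s skipped=%s" % (q, selected, skipped))
```

Records in the skipped list are the ones a limited reconciliation run with that filter would not fetch into Oracle Identity Manager.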
The messages are generated and sent to Oracle Identity Manager regardless of whether the WAR file is running. Reconciliation events are not created for the messages that are sent to Oracle Identity Manager while the WAR file is unavailable.
This section contains the following topics:
If Oracle Identity Manager is not running when a message is published, then the message is added to a queue. You can check the status of the message in the queue in the Message Instance tab. This tab lists all the published messages in a queue. When you check the details of the particular message, the status is listed as Timeout or Error.
To publish a message in the queue to Oracle Identity Manager, resubmit the message when Oracle Identity Manager is running.
If the status of the message is New or Started and it does not change to Timeout or Done, then you must restart the PeopleSoft application server after you restart Oracle Identity Manager.
Note:
PeopleSoft supports this functionality for a limited rights user described in Creating a Role for a Limited Rights User. However, you can specify users who have rights to perform this job based on the security policy of your organization.
Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a PeopleSoft account for the user.
The following are types of provisioning operations:
Direct provisioning
Request-based provisioning
Note:
The "Unable to access pstools.properties" message might be recorded in the server logs during provisioning operations. You can safely ignore this message.
This section discusses the following topics:
This section describes the prerequisites and the procedure to perform direct provisioning. It contains the following sections:
Note:
Perform the procedure in this section only in the following situations:
The first time you perform direct provisioning.
If you switch from request-based provisioning to direct provisioning.
When you install the connector on Oracle Identity Manager release 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.
If you configure the connector for request-based provisioning, then the process form is suppressed and object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then see Switching Between Request-Based Provisioning and Direct Provisioning.
A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:
Note:
The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.
The following steps are performed by the end user in a request-based provisioning operation:
The following topics describe switching between request-based provisioning and direct provisioning:
Switching From Request-Based Provisioning to Direct Provisioning
Switching From Direct Provisioning to Request-Based Provisioning
Note:
It is assumed that you have performed the procedure described in Enabling Request-Based Provisioning.
To switch from request-based provisioning to direct provisioning:
Log in to the Design Console.
Disable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the Peoplesoft User Management process definition.
Deselect the Auto Save Form check box.
Click the Save icon.
If the Self Request Allowed feature is enabled, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the Peoplesoft User resource object.
Deselect the Self Request Allowed check box.
Click the Save icon.
To switch from direct provisioning to request-based provisioning:
Log in to the Design Console.
Enable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the Peoplesoft User Management process definition.
Select the Auto Save Form check box.
Click the Save icon.
If you want to enable end users to raise requests for themselves, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the Peoplesoft User resource object.
Select the Self Request Allowed check box.
Click the Save icon.
To configure provisioning operations in Oracle Identity Manager release 11.1.2 or later:
Note:
A provisioning operation that you perform for the first time by using this connector takes longer than usual to complete.
Log in to Identity Self Service.
Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.
If you want to provision a Microsoft Exchange mailbox to an existing OIM User, then, on the Users page, search for the required user.
On the Account tab, click Request Accounts.
In the Catalog page, search for and add to cart the application instance, and then click Checkout.
Specify values for fields in the application form and then click Ready to Submit.
Click Submit.
If you want to provision entitlements, then:
On the Entitlements tab, click Request Entitlements.
In the Catalog page, search for and add to cart the entitlement, and then click Checkout.
Click Submit.
This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.
See Configuring the Scheduled Jobs for Lookup Field Synchronization for a list of scheduled jobs that you must configure.
To configure a scheduled job:
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to the Administrative and User Console.
On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
For Oracle Identity Manager release 11.1.2.x:
Log in to Identity System Administration.
In the left pane, under System Management, click Scheduler.
Search for and open the scheduled job as follows:
If you are using Oracle Identity Manager release 11.1.1.x, then on the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
In the search results table on the left pane, click the scheduled job in the Job Name column.
On the Job Details tab, you can modify the following parameters:
Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
Note:
See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.
Specify values for the attributes of the scheduled job. To do so:
On the Job Details tab, under the Parameters section, specify values for the attributes of the scheduled job. See Table 3-2 for more information about the attributes of the scheduled job.
Note:
Attribute values are predefined in the connector XML file that is imported during the installation of the connector. Specify values only for the attributes that you want to change.
Click Apply to save the changes.
Note:
The Stop Execution option is not available in the Administrative and User Console. If you want to stop a job, then click Stop Execution on the Task Scheduler form of the Design Console.
Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a PeopleSoft User account for the user.
The following are types of provisioning operations:
Direct provisioning
Request-based provisioning of accounts
Request-based provisioning of entitlements
Provisioning triggered by policy changes
See Also:
Oracle Identity Manager Connector Concepts for information about the types of provisioning
This section discusses the following topics:
The following is the sequence of steps that take place during a provisioning operation performed in an SoD-enabled environment:
The procedure for direct provisioning in an SoD-enabled environment is similar to the procedure for direct provisioning in a typical environment.
To provision a resource by using the direct provisioning approach:
Log in to the Administrative and User Console.
If you want to first create an OIM User and then provision a target system account, then:
On the Identity Manager - Self Service page, click Administration.
On the Welcome to Identity Administration page, in the Users section, click Create User.
On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a target system account to an existing OIM User, then:
On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the drop-down list on the left pane.
From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
On the user details page, click the Resources tab.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select the resource that you want to provision from the list and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 3: Provide Resource Data page for process data, enter the details of the account that you want to create on the target system and then click Continue.
On the Step 3: Provide Process Data page for role data, specify the role name for the account, and then click Add. If you want to add more than one role, repeat the process. Then, click Continue.
On the Step 4: Verify Process Data page, verify the data that you have provided and then click Continue.
The "Provisioning has been initiated" message is displayed. To view the newly provisioned resource, perform one of the following steps:
Close the window displaying the "Provisioning has been initiated" message.
On the Resource tab of the user details page, click Refresh to view the newly provisioned resource.
To view the process form, on the Resources tab of the user details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.
Note:
If Oracle Identity Manager is not SoD enabled, then the SOD Check Status field shows SODCheckNotInitiated.
To view the Resource Provisioning Details page, on the Resources tab of the user details page, select Resource History.
Note:
SoD validation by Oracle Application Access Controls Governor is asynchronous. The validation process returns a result as soon as it is completed.
After the SoD validation process is initiated, the results of the process are brought to Oracle Identity Manager. To view the process form, on the Resources tab of the User Details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.
On this page, the SOD Check Status field shows SoDCheckCompleted. Because a violation was detected by the SoD engine in this particular example, the SoD Check Violation field shows the details of the violation.
In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.
On this page, the status of the Add User Role tasks is Canceled because the request failed the SoD validation process.
As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, on the Resource tab of the user details page, select the row containing the resource, and then click Open.
In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.
Note:
To modify a set of entitlements in the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.
After the SoD validation process is initiated, the results of the process are brought to Oracle Identity Manager. On the Resources tab of the user details page, select the row containing the resource, and then click Open. The process form is displayed.
On this form, the SOD Check Status field shows SoDCheckCompleted. Because no violation was detected by the SoD engine, the SoDCheckResult field shows Passed.
In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.
On the Resource Provisioning Details page, the state of the Add Role to User task is completed.
Note:
This procedure is not applicable to Oracle Identity Manager release 11.1.2.x or later.
See Configuring SoD on Oracle Identity Manager for related information.
The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.
In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.
The following steps are performed by the end user in a request-based provisioning operation:
This section discusses the role of the approver in a request-based provisioning operation.
The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.
In addition, the approver can click the View link to view details of the SoD validation process.
The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request.
The following are steps performed by the approver in a request-based provisioning operation: