3 Using the Connector

This chapter contains the following sections:

3.1 Summary of Steps to Use the Connector

The following is a summary of the steps to use the connector for full reconciliation:

Note:

It is assumed that you have performed all the procedures described in the preceding chapter.

  1. Configure and run the scheduled job to synchronize the lookup fields. See Configuring the Scheduled Jobs for Lookup Field Synchronization for more information.
  2. Generate XML files for the USER_PROFILE message for all users. See Performing Full Reconciliation for more information.
  3. Copy these XML files to a directory on the Oracle Identity Manager host computer.
  4. Configure and run the PeopleSoft User Management Target Reconciliation scheduled job for the USER_PROFILE message. The XML files are read by this scheduled job to generate reconciliation events. See Configuring the Scheduled Job for User Data Reconciliation for more information.

Change from full reconciliation to incremental reconciliation. See Performing Incremental Reconciliation for instructions.

3.2 Configuring the Scheduled Jobs for Lookup Field Synchronization

When you run the Connector Installer, scheduled jobs for lookup field synchronization are automatically created in Oracle Identity Manager. These scheduled jobs are used to synchronize the values of the lookup fields between the target system and Oracle Identity Manager.

This section contains the following topics:

3.2.1 Scheduled Jobs for Lookup Field Reconciliation

When you run the Connector Installer, the following scheduled jobs for lookup field synchronization are automatically created in Oracle Identity Manager:

  • Peoplesoft Currency Code Lookup Reconciliation

  • Peoplesoft Email Type Lookup Reconciliation

  • Peoplesoft Language Code Lookup Reconciliation

  • Peoplesoft Permission List Lookup Reconciliation

  • Peoplesoft Roles Lookup Reconciliation

  • Peoplesoft User Management Target Reconciliation

These scheduled jobs synchronize the values of the lookup fields between the target system and Oracle Identity Manager. Table 3-1 describes the attributes of these scheduled jobs. See Configuring Scheduled Jobs for instructions on running them.

Note:

Default attribute values are predefined in the connector XML file that is imported during the installation of the connector. Specify values only for those attributes that you want to change.

3.2.2 Scheduled Job Attributes

Table 3-1 describes the attributes of the scheduled jobs for lookup field synchronization.

Table 3-1 Scheduled Job Attributes for Lookup Field Synchronization

Attribute Description

IT Resource Name

Enter the name of the IT resource.

Default value: PSFT User

FilePath

Enter the full path of the file in which the lookup data to be reconciled is stored. The operating system of the computer on which Oracle Identity Manager is installed must be able to access this file path. The data extracted from this file is stored in the lookup definition named by the Lookup Definition Name attribute of the scheduled job.

Default value: Enter a Value

Sample value: C:\PSFTUM\LookupRecon\Roles.properties

Lookup Definition Name

Enter the name of the lookup definition created in Oracle Identity Manager that corresponds to the lookup field in the target system.

The value can be any one of the following:

  • Lookup.PSFTUM.LanguageCode

  • Lookup.PSFTUM.EmailType

  • Lookup.PSFTUM.CurrencyCode

  • Lookup.PSFTUM.PermissionList

  • Lookup.PSFTUM.Roles

Task Name

Enter the name of the scheduled task.

Sample value: Peoplesoft Language Code Lookup Reconciliation

File Archival

Enter Yes if you want the lookup properties file used during lookup reconciliation to be archived. Enter No if you want the file to be deleted after the data in the file is reconciled.

Default value: No

File Archival Folder

Enter the full path and name of the directory in which you want the lookup properties file used during lookup reconciliation to be archived.

Default value: Enter a Value

Note: You must change this value if the File Archival attribute is set to Yes.

Sample value: C:\ArchiveFolder

3.3 Configuring Reconciliation

This section discusses the following topics related to configuring reconciliation:

3.3.1 Performing Lookup Reconciliation

This section describes the procedure to generate the properties file, which contains the lookup data to be consumed by the lookup reconciliation scheduled job.

You can run the Application Engine program by using PeopleSoft Internet Architecture to perform Lookup Reconciliation as follows:

Note:

You must run the Application Engine program periodically.

  1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:
    http://IPADDRESS:PORT/psp/ps/?cmd=login

    For example:

    http://172.21.109.69:9080/psp/ps/?cmd=login

  2. Click People Tools, Process Scheduler, Processes, and then Add a new Value.
  3. Select Application Engine as the process type, and enter LOOKUP_RECON as the process name.
  4. Click Add.
  5. In the Process Definition Options tab, enter the following values for Component and Process Groups, and click Save:

    Component: AE_REQUEST

    Process Groups: TLSALL, STALL

  6. To make the Application Engine program run in PeopleSoft Internet Architecture, click People Tools, Application Engine, Request AE, and then click Add a new Value.
  7. Enter values for the following and then click Add:

    User ID: Enter your User ID

    Run Control ID: Enter a unique run control value

    Program Name: Enter LOOKUP_RECON

  8. Click Run.
  9. From the list that is displayed, select the LOOKUP_RECON process, which you created in Step 3.
  10. Click OK.
  11. To determine the progress status of the Application Engine program, click People Tools, Process Scheduler, and then Process Monitor. Click Refresh until Success is displayed as the status.

    Note:

    If Status is displayed as "Queued," then you must check the status of the process scheduler. To do so, click People Tools, Process Scheduler, and then Process Monitor. Click the Server List tab and check the status of the server. If the status is not displayed, then start the process scheduler.

3.3.2 Performing Full Reconciliation

Full reconciliation involves reconciling all existing user profile records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.

Note:

If the target version is PeopleSoft HRMS 9.1 with PeopleTools 8.51, you must use PeopleTools 8.51.13 release for full reconciliation.

The following sections discuss the procedures involved in full reconciliation:

3.3.2.1 Generating XML Files

You must generate XML files for all existing users in the target system.

Note:

  • Before performing the procedure to generate XML files, you must ensure that you have configured the USER_PROFILE message. See Configuring the Target System for Full Reconciliation for more information.

  • If you are using PeopleTools 8.50 and HCM 9.0, then before running Full Data Publish, you must apply the patch that addresses Bug 824529. This patch can be downloaded from Oracle Metalink.

  • You must run the Application Engine program if you are performing the full reconciliation for the first time. See Performing Lookup Reconciliation for more information.

To run the USER_PROFILE message:

  1. In PeopleSoft Internet Architecture, expand Enterprise Components, Integration Definitions, Initiate Processes, and then click Full Data Publish.
  2. Click the Add a New Value tab.
  3. In the Run Control ID field, enter a value and then click Add.
  4. In the Process Request region, provide the following values:

    Request ID: Enter a request ID.

    Description: Enter a description for the process request.

    Process Frequency: Select Always.

    Message Name: Enter USER_PROFILE as the message name.

  5. Click Save to save the configuration.
  6. Click Run.
  7. From the Server Name list, select the appropriate server.
  8. Select Full Table Data Publish process list, and click OK.
  9. Click Process Monitor to verify the status of EOP_PUBLISHT Application Engine. The Run Status is Success if the transaction is successfully completed.

    On successful completion of the transaction, XML files for the USER_PROFILE message are generated at a location that you specified in the FilePath property while creating the OIM_FILE_NODE node for PeopleSoft Web Server. See About Configuring the PeopleSoft Integration Broker through Creating the Remote Node for more information.

    Copy these XML files to a directory on the Oracle Identity Manager host computer. Ensure that the permissions for these XML files are sufficiently restrictive. By default, the permissions are set to 644. You can set them to 640.
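The permission check the step above asks for, as an added example (not part of the connector): it walks the drop directory on the Oracle Identity Manager host, flags every USER_PROFILE XML file whose mode grants more than 640, and optionally tightens it. The directory layout and file names in the demo are constructed.

```python
"""Audit the permissions of USER_PROFILE XML files copied to the OIM host.

Added example. The chapter says the files arrive as 644 and may be set to 640;
anything beyond owner read/write plus group read is reported here.
"""
import os
import stat
import tempfile
from typing import List, Tuple

MAX_MODE = 0o640  # owner rw, group r, nothing for others

Finding = Tuple[str, int, bool]  # (file name, current mode, too permissive?)


def excess_bits(mode: int, allowed: int = MAX_MODE) -> int:
    """Permission bits present in `mode` that `allowed` does not permit."""
    return stat.S_IMODE(mode) & ~allowed


def audit_xml_files(directory: str, allowed: int = MAX_MODE) -> List[Finding]:
    """Return a finding for each regular .xml file directly inside `directory`."""
    findings: List[Finding] = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: never follow a symlink dropped into the directory
        if not stat.S_ISREG(st.st_mode) or not name.lower().endswith(".xml"):
            continue
        mode = stat.S_IMODE(st.st_mode)
        findings.append((name, mode, excess_bits(mode, allowed) != 0))
    return findings


def tighten(directory: str, allowed: int = MAX_MODE) -> List[str]:
    """chmod every too-permissive .xml file down to `allowed`; return the names changed."""
    changed: List[str] = []
    for name, mode, too_open in audit_xml_files(directory, allowed):
        if too_open:
            os.chmod(os.path.join(directory, name), mode & allowed)
            changed.append(name)
    return changed


def demo() -> Tuple[List[Finding], List[str], List[Finding]]:
    """Constructed drop directory: one file left at 644, one already at 640."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("USER_PROFILE_1.xml", 0o644), ("USER_PROFILE_2.xml", 0o640)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("<USER_PROFILE/>\n")  # placeholder content, not a real message
            os.chmod(path, mode)
        before = audit_xml_files(d)
        changed = tighten(d)
        after = audit_xml_files(d)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    for name, mode, too_open in before:
        print(f"{name}: {mode:o} {'TOO PERMISSIVE' if too_open else 'ok'}")
    print("tightened:", changed)
```

Run it against the real drop directory with `audit_xml_files("/usr/data")` (the path the chapter uses as a sample value for File Path) to report without changing anything.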

Note:

After you have performed this procedure:

3.3.2.2 Importing XML Files into Oracle Identity Manager

This section describes the procedure to import XML files into Oracle Identity Manager.

It contains the following topics:

3.3.2.2.1 Configuring the Scheduled Job for User Data Reconciliation

When you run the Connector Installer, the PeopleSoft User Management Target Reconciliation scheduled job is automatically created in Oracle Identity Manager.

The PeopleSoft User Management Target Reconciliation scheduled job is used for target resource reconciliation. In addition, this same scheduled job is used to reconcile data of deleted users from a target resource into Oracle Identity Manager.

The scheduled job transfers data from the XML file to the parser. The parser then converts this data into reconciliation events. Table 3-2 describes the attributes of this scheduled job. See Configuring Scheduled Jobs for instructions on configuring the scheduled job.

3.3.2.2.2 Attributes of the Scheduled Job for Reconciliation of User Data

Table 3-2 describes the attributes of the scheduled job for reconciliation of user data.

Table 3-2 Attributes of the Scheduled Job for Reconciliation of User Data

Attribute Description

Archive Mode

Enter yes if you want XML files used during full reconciliation to be archived. After archival, the file is deleted from the original location.

If no, then the XML file is not archived.

Archive Path

Enter the full path and name of the directory in which you want XML files used during full reconciliation to be archived.

You must enter a value for the Archive Path attribute only if you specify yes as the value for the Archive Mode attribute.

Sample value: /usr/archive

File Path

Enter the path of the directory on the Oracle Identity Manager host computer into which you copied the file containing XML data.

Sample value: /usr/data

IT Resource Name

Enter the name of the IT resource that you create by performing the procedure described in the Configuring the IT Resource section.

Default value: PSFT User

Message Implementation Class

Enter the name of the implementation class for the message handler required to process the message. For example, the implementation classes for the following messages are provided by default:

For the USER_PROFILE message:

oracle.iam.connectors.psft.common.handler.impl.PSFTUserProfileReconMessageHandlerImpl

For the DELETE_USER_PROFILE message:

oracle.iam.connectors.psft.common.handler.impl.PSFTDeleteUserReconMessageHandlerImpl

Message Name

Use this attribute to specify the name of the delivered message used for full reconciliation.

Sample value: USER_PROFILE.VERSION_84

Note: This value must match the entry in the Lookup.PSFT.Configuration lookup definition, as it is used to determine the class name of the message handler. See Lookup.PSFT.Configuration for information about the lookup.

Task Name

This attribute holds the name of the scheduled task.

Default value: PeopleSoft User Management Target Reconciliation

3.3.3 Performing Incremental Reconciliation

You do not require additional configuration for incremental reconciliation.

It is assumed that you have deployed the PeopleSoft listener as described in Deploying the PeopleSoft Listener.

3.3.4 Limited Reconciliation

You can configure limited reconciliation to specify the subset of target system records that must be fetched into Oracle Identity Manager.

This section contains the following topics:

3.3.4.1 About Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current incremental reconciliation run. For full reconciliation, all target system records are fetched into Oracle Identity Manager.

You can configure limited reconciliation to specify the subset of target system records that must be fetched into Oracle Identity Manager.

You configure limited reconciliation by specifying a query condition as the value of the Custom Query attribute of the PeopleSoft User Management Target Reconciliation scheduled job.

You must use the following format to specify a value for the Custom Query attribute:

RESOURCE_OBJECT_ATTRIBUTE_NAME=VALUE

For example, suppose you specify the following as the value of the Custom Query attribute:

Currency Code=1~USD

With this query condition, only records for users with currency code as 1~USD are considered for reconciliation.

You can add multiple query conditions by using the ampersand (&) as the AND operator and the vertical bar (|) as the OR operator. For example, the following query condition is used to limit reconciliation to records of those users for whom the Currency Code is 1~USD and User ID is John01:

Currency Code=1~USD & User ID=John01

3.3.4.2 Configuring Limited Reconciliation

To configure limited reconciliation:

  1. Create the query condition. Apply the following guidelines when you create the query condition:
    • Use only the equal sign (=), the ampersand (&), and the vertical bar (|) in the query condition. Do not include any other special characters in the query condition. Any other character that is included is treated as part of the value that you specify.

    • Add a space before and after the ampersand and vertical bar signs used in the query condition. For example:

      Currency Code=1~USD & User ID=John01

      Currency Code=1~USD | User ID=John01

      This is to help the system distinguish between ampersands and vertical bars used in the query and the same characters included as part of attribute values specified in the query condition.

    • You must not include unnecessary blank spaces between operators and values in the query condition.

      A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:

      Currency Code=1~USD & User ID=John01

      Currency Code= 1~USD & User ID= John01

      In the second query condition, the reconciliation engine would look for Currency Code and User ID values that contain a space at the start.

    • Ensure that attribute names that you use in the query condition are in the same case (uppercase or lowercase) as the case of the attribute defined in PeopleSoft User resource object. For example, the following query condition would fail:

      cUrReNcY Code= 1~USD

  2. Configure the message-specific configuration lookup with the query condition as the value of the Custom Query attribute. For example, to specify the query condition for the USER_PROFILE message, search and open the Lookup.PSFT.Message.UserProfile.Configuration lookup. Specify the query condition in the Decode column of the Custom Query attribute.
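The Custom Query syntax from About Limited Reconciliation and the guidelines in the procedure above, modelled as an added example. This is not the connector's own parser: the sample records, the set of resource-object attribute names, and the precedence (vertical bar lowest, so `A=1 & B=2 | C=3` is `(A AND B) OR C`) are assumptions made here to show why the spacing and case rules matter.

```python
"""Model of the Custom Query condition syntax used for limited reconciliation.

Illustrative reimplementation of the rules stated in the chapter, not the
connector's code: '=' separates attribute name and value, ' & ' is AND,
' | ' is OR, and the operators are only recognised with a space on each side.
"""
from typing import Dict, List, Tuple

Record = Dict[str, str]
Term = Tuple[str, str]

# Constructed sample of PeopleSoft User resource-object records (not real data).
SAMPLE_RECORDS: List[Record] = [
    {"User ID": "John01", "Currency Code": "1~USD", "Language Code": "ENG"},
    {"User ID": "Jane02", "Currency Code": "1~USD", "Language Code": "FRA"},
    {"User ID": "Raj03", "Currency Code": "2~INR", "Language Code": "ENG"},
]
# Attribute names as defined on the resource object (assumed set); matching is case-sensitive.
RESOURCE_OBJECT_ATTRIBUTES = {"User ID", "Currency Code", "Language Code"}


class QueryError(ValueError):
    """Raised when a query condition cannot be mapped onto the resource object."""


def parse_condition(condition: str) -> List[List[Term]]:
    """Split a condition into OR-groups, each a list of AND-ed (name, value) terms.

    Only ' | ' and ' & ' (with surrounding spaces) are operators; a bare '&' or
    '|' stays inside the value, which is why the chapter requires the spaces.
    Precedence is an assumption of this model: '|' binds loosest.
    """
    groups: List[List[Term]] = []
    for disjunct in condition.split(" | "):
        terms: List[Term] = []
        for term in disjunct.split(" & "):
            if "=" not in term:
                raise QueryError(f"term {term!r} has no '='")
            name, value = term.split("=", 1)
            # No trimming: 'Currency Code= 1~USD' keeps the leading space in the
            # value and therefore matches nothing, exactly as the chapter warns.
            if name not in RESOURCE_OBJECT_ATTRIBUTES:
                raise QueryError(f"unknown attribute {name!r} (names are case-sensitive)")
            terms.append((name, value))
        groups.append(terms)
    return groups


def matches(record: Record, groups: List[List[Term]]) -> bool:
    """True if the record satisfies every term of at least one OR-group."""
    return any(all(record.get(name) == value for name, value in terms) for terms in groups)


def limited_reconciliation(condition: str, records: List[Record] = SAMPLE_RECORDS) -> List[str]:
    """Return the User IDs a reconciliation run limited by `condition` would fetch."""
    groups = parse_condition(condition)
    return [r["User ID"] for r in records if matches(r, groups)]


def is_valid_condition(condition: str) -> bool:
    """Whether the condition parses against the resource object at all."""
    try:
        parse_condition(condition)
    except QueryError:
        return False
    return True


if __name__ == "__main__":
    for cond in ("Currency Code=1~USD",
                 "Currency Code=1~USD & User ID=John01",
                 "Currency Code=1~USD | User ID=Raj03",
                 "Currency Code= 1~USD & User ID= John01"):
        print(f"{cond!r:45} -> {limited_reconciliation(cond)}")
    print("cUrReNcY Code=1~USD valid?", is_valid_condition("cUrReNcY Code=1~USD"))
```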

3.4 Resending Messages That Are Not Received by the PeopleSoft Listener

The messages are generated and sent to Oracle Identity Manager regardless of whether the WAR file is running. Reconciliation events are not created for the messages that are sent to Oracle Identity Manager while the WAR file is unavailable.

This section contains the following topics:

3.4.1 About Resending Messages

If Oracle Identity Manager is not running when a message is published, then the message is added to a queue. You can check the status of the message in the queue in the Message Instance tab. This tab lists all the published messages in a queue. When you check the details of the particular message, the status is listed as Timeout or Error.

To publish a message in the queue to Oracle Identity Manager, resubmit the message when Oracle Identity Manager is running.

If the status of the message is New or Started and it does not change to Timeout or Done, then you must restart the PeopleSoft application server after you restart Oracle Identity Manager.

Note:

PeopleSoft supports this functionality for the limited rights user described in Creating a Role for a Limited Rights User. However, you can specify which users have rights to perform this job based on the security policy of your organization.

3.4.2 Resending Messages Manually

To ensure that all the messages generated on the target system reach Oracle Identity Manager, manually resend messages in Error or TimeOut status. To do so:

  1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Service Operations Monitor, Monitoring, and then click Asynchronous Services.
  2. From the Group By list, select Service Operation or Queue to view the number of messages in Error, TimeOut, Done, and so on.

    The number is in the form of a link, which when clicked displays the details of the message.

  3. Click the link pertaining to the message to be resent, for example, the link under the Error or the TimeOut column.

    You are taken to the Operation Instance tab.

  4. Click the Details link of the message to be resent. A new window appears.
  5. Click the Error Messages link to check the error description.
  6. Click Resubmit after you have resolved the issue.

3.5 Performing Provisioning Operations in Oracle Identity Manager 11.1.1.x

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a PeopleSoft account for the user.

The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

Note:

The "Unable to access pstools.properties" message might be recorded in the server logs during provisioning operations. You can safely ignore this message.

This section discusses the following topics:

3.5.1 Direct Provisioning on Oracle Identity Manager

This section describes the prerequisites and the procedure to perform direct provisioning. It contains the following sections:

3.5.1.1 Prerequisites

Note:

Perform the procedure in this section only in the following situations:

  • The first time you perform direct provisioning.

  • If you switch from request-based provisioning to direct provisioning.

When you install the connector on Oracle Identity Manager release 11.1.1, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you configure the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then see Switching Between Request-Based Provisioning and Direct Provisioning.

3.5.1.2 Performing Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.
  2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced.
  3. Click the Administration tab.
  4. If you want to first create the OIM User and then provision a resource, then:
    • On the Welcome to Identity Administration page, in the Users region, click Create User.

    • On the Create User page, enter values for the OIM User fields, and then click Save.

  5. If you want to provision a target system account to an existing OIM User, then:
    • On the Welcome to Identity Administration page, in the Users region, click Advanced Search - Users.

    • Search for the OIM User by using the Search feature, and then click the link for the OIM User from the list of users displayed in the search results table.

  6. Click the Resources tab.
  7. Click Add. The Provision Resource to User page is displayed in a new window.
  8. On the Select a Resource page, select Peoplesoft User from the list, and then click Continue.
  9. On the Verify Resource Selection page, click Continue.
  10. On the Provide Process Data page, enter the details of the account that you want to create on the target system, and then click Continue.

    Note:

    You can assign multiple ID types to a user profile on the PeopleSoft target system. However, only one instance of each ID type can be assigned to the same user.

    For example, you can link a user profile to Employee ID and Vendor ID during provisioning. However, the same user cannot be linked to two Employee ID instances.

  11. On the Provide Process Data page for child data, search for and select the child data for the user on the target system. For instance, on the Provide Process Data page for e-mail data, specify the e-mail address and e-mail type for the account and then click Add. If you want to add more than one e-mail, repeat the process. Then, click Continue.
  12. On the Provide Process Data page for role data, specify the role name, and then click Add. If you want to add more than one role, repeat the process. Then, click Continue.
  13. On the Verify Process Data page, verify the data that you entered, and then click Continue.

    The account is created on the target system and provisioned as a resource to the OIM User.

  14. The "Provisioning has been initiated" message is displayed. Close this window, and click Refresh to view details of the newly provisioned resource.

    See Also:

    Connector Objects Used During Provisioning for more information about the provisioning functions supported by this connector and the process form fields used for provisioning.

3.5.2 Request-Based Provisioning in Oracle Identity Manager

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.5.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Advanced in the upper-right corner of the page.
  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and then click Next.
  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specified is displayed in the Available Users list.
  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select the users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.
  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
  10. From the Available Resources list, select PeopleSoft User, move it to the Selected Resources list, and then click Next.
  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
  12. On the Justification page, you can specify values for the following fields, and then click Finish.
    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.
  14. To view details of the approval, on the Request Details page, click the Request History tab.

3.5.2.2 Approver's Role in Request-Based Provisioning

The approver in a request-based provisioning operation performs the following steps:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Self-Service in the upper-right corner of the page.
  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.
  4. On the Approvals tab, in the first region, you can specify a search criterion for the request task that is assigned to you.
  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.5.3 Switching Between Request-Based Provisioning and Direct Provisioning

The following topics describe switching between request-based provisioning and direct provisioning:

Note:

It is assumed that you have performed the procedure described in Enabling Request-Based Provisioning.

3.5.3.1 Switching From Request-Based Provisioning to Direct Provisioning

To switch from request-based provisioning to direct provisioning:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the Peoplesoft User Management process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the Peoplesoft User resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

3.5.3.2 Switching From Direct Provisioning to Request-Based Provisioning

To switch from direct provisioning to request-based provisioning:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the Peoplesoft User Management process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the Peoplesoft User resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

3.6 Performing Provisioning Operations in Oracle Identity Manager Release 11.1.2.x

To configure provisioning operations in Oracle Identity Manager release 11.1.2 or later:

Note:

A provisioning operation that you perform for the first time by using this connector takes longer than usual to complete.

  1. Log in to Identity Self Service.

  2. Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.

    If you want to provision a Microsoft Exchange mailbox to an existing OIM User, then, on the Users page, search for the required user.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance, and then click Checkout.

  5. Specify values for fields in the application form and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.

3.7 Configuring Scheduled Jobs

This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.

See Configuring the Scheduled Jobs for Lookup Field Synchronization for a list of scheduled jobs that you must configure.

To configure a scheduled job:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 11.1.1.x:

      1. Log in to the Administrative and User Console.

      2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    • For Oracle Identity Manager release 11.1.2.x:

      1. Log in to Identity System Administration.

      2. In the left pane, under System Management, click Scheduler.

  2. Search for and open the scheduled job as follows:

    1. If you are using Oracle Identity Manager release 11.1.1.x, then on the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    2. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    3. In the search results table on the left pane, click the scheduled job in the Job Name column.

  3. On the Job Details tab, you can modify the following parameters:

    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

  4. Specify values for the attributes of the scheduled job. To do so:

    On the Job Details tab, under the Parameters section, specify values for the attributes of the scheduled job. See Table 3-2 for more information about the attributes of the scheduled job.

    Note:

    Attribute values are predefined in the connector XML file that is imported during the installation of the connector. Specify values only for the attributes that you want to change.

  5. Click Apply to save the changes.

    Note:

    The Stop Execution option is not available in the Administrative and User Console. If you want to stop a job, then click Stop Execution on the Task Scheduler form of the Design Console.

3.8 Provisioning Operations Performed in an SoD-Enabled Environment

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a PeopleSoft User account for the user.

The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning of accounts

  • Request-based provisioning of entitlements

  • Provisioning triggered by policy changes

See Also:

Oracle Identity Manager Connector Concepts for information about the types of provisioning

This section discusses the following topics:

3.8.1 Overview of the Provisioning Process in an SoD-Enabled Environment

The following is the sequence of steps that take place during a provisioning operation performed in an SoD-enabled environment:

  1. The provisioning operation triggers the appropriate adapter.
  2. The adapter carries provisioning data to the corresponding BAPI on the target system.
  3. If you select an account or entitlements to be provisioned to the OIM User, then the SoD check is initiated. The SoDChecker task submits the User Account and Entitlements details in the form of a Duties list to Oracle Application Access Controls Governor. In other words, the SoD validation process takes place asynchronously.
  4. The Web service of Oracle Application Access Controls Governor receives the entitlement data.
  5. After Oracle Application Access Controls Governor runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Manager.
  6. The status of the process task that received the response depends on the response. If the entitlement data clears the SoD validation process, then the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns the failure response, then the status of the process task changes to Canceled.
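The asynchronous flow above, and the resend described later for direct provisioning, modeled as an added example that is not part of the connector or this guide: a hypothetical ProcessForm snapshot carries the SOD Check Status, SoDCheckResult and task statuses named on this page, the role names and violation text are constructed, and the "Failed" result label and the behaviour of a non-SoD-enabled environment are assumptions.

```python
from dataclasses import dataclass, field

# Field values named on the page (SOD Check Status / SoDCheckResult fields).
SOD_NOT_INITIATED = "SODCheckNotInitiated"
SOD_PENDING = "SoDCheckResultPending"
SOD_COMPLETED = "SoDCheckCompleted"
RESULT_PASSED = "Passed"
RESULT_FAILED = "Failed"   # assumed label; the page names only the Passed value


@dataclass
class ProcessForm:
    """Hypothetical snapshot of the PeopleSoft User process form and its process tasks."""
    sod_enabled: bool
    roles: list
    sod_check_status: str = SOD_NOT_INITIATED
    sod_check_result: str = ""
    sod_check_violation: str = ""
    tasks: dict = field(default_factory=dict)


def submit(form, roles):
    """Steps 1-3: the provisioning operation fires. In an SoD-enabled environment the
    SODChecker task hands the duties list to the SoD engine and every role add waits."""
    form.roles = list(roles)   # the Edit Form replaces the whole entitlement set on a resend
    form.sod_check_result = form.sod_check_violation = ""
    if not form.sod_enabled:
        # Assumption: without SoD the role adds proceed as in a typical environment.
        form.sod_check_status = SOD_NOT_INITIATED
        form.tasks = {f"Add User Role:{r}": "Completed" for r in roles}
        return form
    form.sod_check_status = SOD_PENDING
    form.tasks = {"SODChecker": "Pending", "Holder": "Pending"}
    form.tasks.update({f"Add User Role:{r}": "Pending" for r in roles})
    return form


def receive_sod_response(form, violations):
    """Steps 5-6: the asynchronous verdict arrives; task status follows the verdict."""
    if form.sod_check_status != SOD_PENDING:
        raise ValueError("no SoD check outstanding for this form")
    form.sod_check_status = SOD_COMPLETED
    form.tasks["SODChecker"] = form.tasks["Holder"] = "Completed"
    if violations:
        form.sod_check_result = RESULT_FAILED
        form.sod_check_violation = "; ".join(violations)
        role_status = "Canceled"      # request failed SoD validation: no role is granted
    else:
        form.sod_check_result = RESULT_PASSED
        role_status = "Completed"     # entitlement granted
    for name in form.tasks:
        if name.startswith("Add User Role:"):
            form.tasks[name] = role_status
    return form
```

Calling receive_sod_response a second time on the same form raises, which mirrors the page's point that a changed assignment has to be resent before a new verdict can arrive.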

3.8.2 Direct Provisioning in an SoD-Enabled Environment

The procedure for direct provisioning in an SoD-enabled environment is similar to the procedure for direct provisioning in a typical environment.

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    1. On the Identity Manager - Self Service page, click Administration.

    2. On the Welcome to Identity Administration page, in the Users section, click Create User.

    3. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the drop-down list on the left pane.

    2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. On the user details page, click the Resources tab.

  5. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  6. On the Step 1: Select a Resource page, select the resource that you want to provision from the list and then click Continue.

  7. On the Step 2: Verify Resource Selection page, click Continue.

  8. On the Step 3: Provide Resource Data page for process data, enter the details of the account that you want to create on the target system and then click Continue.

  9. On the Step 3: Provide Process Data page for role data, specify the role name for the account, and then click Add. If you want to add more than one role, repeat the process. Then, click Continue.

  10. On the Step 4: Verify Process Data page, verify the data that you have provided and then click Continue.

  11. The "Provisioning has been initiated" message is displayed. To view the newly provisioned resource, perform one of the following steps:

    1. Close the window displaying the "Provisioning has been initiated" message.

    2. On the Resource tab of the user details page, click Refresh to view the newly provisioned resource.

  12. To view the process form, on the Resources tab of the user details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.

    Note:

    If Oracle Identity Manager is not SoD enabled, then SOD Check Status field shows SODCheckNotInitiated.

  13. To view the Resource Provisioning Details page, on the Resources tab of the user details page, select Resource History.

    Note:

    SoD validation by Oracle Application Access Controls Governor is asynchronous. The validation process returns a result as soon as it is completed.

  14. After the SoD validation process is initiated, the results of the process are brought to Oracle Identity Manager. To view the process form, on the Resources tab of the User Details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.

    On this page, the SOD Check Status field shows SoDCheckCompleted. Because a violation was detected by the SoD engine in this particular example, the SoD Check Violation field shows the details of the violation.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    On this page, the status of the Add User Role tasks is Canceled because the request failed the SoD validation process.

  15. As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, on the Resource tab of the user details page, select the row containing the resource, and then click Open.

  16. In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.

    Note:

    To modify a set of entitlements in the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.

  17. After the SoD validation process is initiated, the results of the process are brought to Oracle Identity Manager. On the Resources tab of the user details page, select the row containing the resource, and then click Open. The process form is displayed.

    On this form, the SOD Check Status field shows SoDCheckCompleted. Because no violation was detected by the SoD engine, the SoDCheckResult field shows Passed.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    On the Resource Provisioning Details page, the state of the Add Role to User task is Completed.

3.8.3 Request-Based Provisioning in an SoD-Enabled Environment

Note:

This procedure is not applicable to Oracle Identity Manager release 11.1.2.x or later.

See Configuring SoD on Oracle Identity Manager for related information.

The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.

In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.

3.8.3.1 End-User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Advanced in the upper-right corner of the page.
  3. On the Welcome to Identity Manager Advanced Administration page, click the Administration tab, and then click the Requests tab.
  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.
  6. On the Select Users page, specify a search criterion in the fields to search for the user that you want to provision the resource, and then click Search. A list of users that match the search criterion you specified is displayed in the Available Users list.
  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.
  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
  10. From the Available Resources list, select PeopleSoft User, move it to the Selected Resources list, and then click Next.
  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
  12. On the Justification page, you can specify values for the following fields, and then click Finish:
    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.
  14. On the Resource tab of the Request Details page, click the View Details link in the row containing the resource for which the request was created. The Resource data page is displayed in a new window.

    One of the fields on this page is the SODCheckStatus field. The value in this field can be SoDCheckResultPending or SoDCheckCompleted. When the request is placed, the SODCheckStatus field contains the SoDCheckResultPending status.

    Note:

    If Oracle Identity Manager is not SoD enabled, then the SOD Check Status field shows SODCheckNotInitiated.

  15. To view details of the approval, on the Request Details page, click the Approval Tasks tab.

    On this page, the status of the SODChecker task is Pending.

  16. To initiate SoD validation of pending requests, the approver must run the Get SOD Check Results Approval scheduled task.
  17. After the Get SOD Check Results Approval scheduled task is run, on the Request Details page, click the Approval Tasks tab. The status of the SODChecker task is Completed and the Approval task status is Pending. This page also shows details of the administrator who must now approve the request.

3.8.3.2 Approver's Role in Request-Based Provisioning

This section discusses the role of the approver in a request-based provisioning operation.

The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.

In addition, the approver can click the View link to view details of the SoD validation process.

The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request.

The following are steps performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Self-Service in the upper-right corner of the page.
  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.
  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.
  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.