This chapter contains the following sections:
These are the guidelines that you must apply while using the connector for reconciliation and provisioning operations.
Apply these guidelines while configuring reconciliation.
Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before user reconciliation runs.
If you are using Oracle Identity Manager 11.1.2.x or later, then you must also run the Entitlement List and Catalog Synchronization Job scheduled jobs.
The scheduled task for user reconciliation must be run before the scheduled task for reconciliation of deleted user data.
Apply these guidelines while performing provisioning operations.
Before performing provisioning operations, you must reconcile all lookup definitions.
Before provisioning Exchange User, you must provision AD User.
If you select the user type as UserMailbox, then the Database field on the process form is mandatory. If you select the user type as MailUser, then External E-mail Address field on the process form is mandatory.
Specifying multibyte values for fields
Some Asian languages use multibyte character sets. If the character limit for fields on the target system is specified in bytes, then the number of Asian-language characters that you can enter in a particular field may be less than the number of English-language characters that you can enter in the same field. The following example illustrates this point:
Suppose you can enter 50 characters of English in the Display Name field of the target system. If you have configured the target system for the Japanese language, then you would not be able to enter more than 25 characters in the same field.
The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Manager fields
During a provisioning operation, you must keep the lengths of target system fields in mind while entering values for Oracle Identity Manager process form fields. The character limit specified for some process form fields may be more than that of the corresponding target system field.
Scheduled tasks for lookup field synchronization fetch the most recent values from specific fields in the target system to lookup definitions in Oracle Identity Manager. These lookup definitions are used as an input source for lookup fields in Oracle Identity Manager.
The following are the scheduled tasks for lookup field synchronization:
Note:
The procedure to configure these scheduled tasks is described later in the guide.
Exchange User Distribution Group Lookup Reconciliation
This scheduled task fetches all mail-enabled universal distribution groups present in the forest into the Lookup.Exchange.DistributionGroups lookup definition.
Exchange User Mailbox Database Group Lookup Reconciliation
This scheduled task is used to synchronize mailbox database lookup fields in Oracle Identity Manager with mailbox databases in the target system.
Table 3-1 describes the attributes of both scheduled tasks.
Table 3-1 Attributes of the Scheduled Tasks for Lookup Field Synchronization
| Attribute | Description |
|---|---|
|
Code Key Attribute |
Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
|
Decode Attribute |
Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
|
IT Resource Name |
Name of the IT resource for the target system installation from which you want to reconcile records. Default value: |
|
Lookup Name |
Name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. Depending on the scheduled task you are using, the default values are as follows:
|
|
Object Type |
Name of the type of object you want to reconcile. Depending on the scheduled task you are using, the default values are as follows:
|
|
Resource Object Name |
Name of the resource object for the target system installation from which you want to reconcile records. Default value: |
When you run the Connector Installer, scheduled tasks for user reconciliation are automatically created in Oracle Identity Manager. Configuring reconciliation involves providing values for the attributes of these scheduled tasks.
The following sections provide information about the attributes of the scheduled tasks:
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.
You can perform a full and incremental reconciliation against a single domain by providing a value for the DomainController parameter of the scheduled task. If the DomainController parameter is blank, reconciliation is performed against a forest.
To perform a full reconciliation run, ensure that no values are specified for the following attributes of the scheduled tasks for reconciling user records:
Filter
Incremental Recon Attribute
Latest Token
You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use Exchange resource attributes to filter the target system records.
Table 3-2 lists the filter syntax that you can use and the corresponding description and sample values.
Note:
Filters with wildcard characters are not supported.
Table 3-2 Keywords and Syntax for the Filter Attribute
| Filter Syntax | Description |
|---|---|
|
String Filters |
|
|
startsWith('ATTRIBUTE_NAME','PREFIX') |
Records whose attribute value starts with the specified prefix are reconciled. Example: In this example, all records whose display name begins with 'John' are reconciled. |
|
endsWith('ATTRIBUTE_NAME','SUFFIX') |
Records whose attribute value ends with the specified suffix are reconciled. Example: In this example, all records whose display name ends with 'Doe' are reconciled. |
|
contains('ATTRIBUTE_NAME','STRING') |
Records where the specified string is contained in the attribute's value are reconciled. Example: In this example, all records whose display name contains 'Smith' are reconciled. |
|
Equality and Inequality Filters |
|
|
equalTo('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value is equal to the value specified in the syntax are reconciled. Example: In this example, all records whose display name is Sales Organization are reconciled. |
|
greaterThan('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value (string or numeric) is greater than (in lexicographical or numerical order) the value specified in the syntax are reconciled. Example: In this example, all records whose display name is present after the common name 'bob' in the lexicographical order (or alphabetical order) are reconciled. |
|
greaterThanOrEqualTo('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value (string or number) is lexographically or numerically greater than or equal to the value specified in the syntax are reconciled. Example: In this example, all records whose display name is equal to 'S' or greater than 'S' in lexicographical order are reconciled. |
|
lessThan('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value (string or numeric) is less than (in lexicographical or numerical order) the value specified in the syntax are reconciled. Example: In this example, all records whose display name is present after the last name 'Smith' in the lexicographical order (or alphabetical order) are reconciled. |
|
lessThanOrEqualTo('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value (string or numeric) is lexographically or numerically less than or equal to the value specified in the syntax are reconciled. Example: In this example, all records whose display name is equal to 'A' or less than 'A' in lexicographical order are reconciled. |
|
Complex Filters |
|
|
<FILTER1> & <FILTER2> |
Records that satisfy conditions in both filter1 and filter2 are reconciled. In this syntax, the logical operator & (ampersand symbol) is used to combine both filters. Example: In this example, all records whose display name starts with John and ends with Doe are reconciled. |
|
<FILTER1> | <FILTER2> |
Records that satisfy either the condition in filter1 or filter2 are reconciled. In this syntax, the logical operator | (vertical bar) is used to combine both filters. Example: In this example, all records that contain 'Andy' in the display name attribute or records that contain 'Brown' in the display name are reconciled. |
|
not(<FILTER>) |
Records that do not satisfy the given filter condition are reconciled. Example: In this example, all records that does not contain the display name 'Mark' are reconciled. |
The following attributes are supported in the filters:
ArchiveQuota
ProhibitSendQuota
ArchiveWarningQuota
Database
IssueWarningQuota
ProhibitSendQuota
ProhibitSendReceiveQuota
UseDatabaseQuotaDefaults
ExternalEmailAddress
DisplayName
SimpleDisplayName
EmailAddressPolicyEnabled
HiddenFromAddressListsEnabled
MaxSendSize
MaxReceiveSize
Name
Alias
PrimarySmtpAddress
RecipientLimits
RecipientType
WhenChanged
CustomAttribute1, CustomAttribute2, and so on up to CustomAttribute15
When you run the Connector Installer, reconciliation scheduled tasks are automatically created in Oracle Identity Manager.
The Microsoft Exchange connector provides the following scheduled tasks for reconciliation:
See Also:
Scheduled Tasks for Lookup Field Synchronization for information about the Exchange User Distribution Group Lookup Reconciliation and the Exchange User Mailbox Database Group Lookup Reconciliation scheduled tasks
The Exchange Target Resource User Reconciliation scheduled task is used to reconcile data from active mailboxes and mail users. Table 3-3 lists the attributes of this scheduled task.
Table 3-3 Attributes of the Exchange Target Resource User Reconciliation Scheduled Task
| Attribute | Description |
|---|---|
|
Database |
Specifies distinguished name of the database. Note: Distinguished name of the database is available in the Lookup.Exchange.MailboxDatabase lookup definition. |
|
DomainController |
This attribute indicates if you want to reconcile from a particular domain. If no domain controller is provided, then a reconciliation run fetches users from all the domains in the forest. By default, this value is blank. |
|
Filter |
Expression for filtering records that must be reconciled by the scheduled task. See Table 3-2 for the syntax. Default value: None For example, if you set the |
|
Incremental Recon Attribute |
Name of the target system attribute that holds last update-related number, non-decreasing value. For example, The value in this attribute is used during incremental reconciliation to determine the newest or most youngest record reconciled from the target system. Default value: Note: Do not change the value of this attribute. |
|
IT Resource Name |
Name of the IT resource instance that the connector must use to reconcile data. Default value: |
|
Latest Token |
Time stamp at which the last reconciliation run started. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. |
|
Object Type |
Type of object you want to reconcile. Default value: |
|
OrganizationalUnit |
Specifies the distinguished name of the OU from which you want to reconcile mailboxes. |
|
Resource Object Name |
Name of the resource object against which reconciliation runs must be performed. Default value: Note: For the resource object shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the resource object, then you can enter the unique name for that resource object as the value of this attribute. |
|
Scheduled Task Name |
Name of the scheduled task. Default value: Note: For the scheduled task shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter the unique name for that scheduled task as the value of this attribute. |
If there are large number of mailboxes on the target system, it is recommended that you specify values for the following parameters to improve performance of the connector:
Database
DomainController
OrganizationalUnit
Note:
When an Exchange user is disabled from Oracle Identity Manager, the Max Incoming Size and Max Outgoing Size parameters of the mailbox are set to zero in the target system as Exchange does not support enable/disable operations. Similarly, during reconciliation when the Exchange user's MaxSendSize and MaxReceiveSize parameters are set to zero in the target system, the status in Oracle Identity Manager account can be configured to be disabled.
To achieve this behavior during reconciliation:
In the Design Console, under Administration, click Lookup Definition.
Add the following entries in Lookup.Exchange.UM.ReconTransformation:
Code Key: Status
Decode: oracle.iam.connectors.exchange.extension.StatusReconTransformer
The Exchange Target Resource Delete User Reconciliation scheduled task is used to reconcile data about deleted mailboxes and mail users. Table 3-4 lists the attributes of this scheduled task.
Table 3-4 Attributes of the Exchange Target Resource Delete User Reconciliation Scheduled Task
| Attribute | Description |
|---|---|
|
IT Resource Name |
Name of the IT resource instance that the connector must use to reconcile data. Default value: |
|
Object Type |
This attribute holds the type of object you want to reconcile. Default value: |
|
Resource Object Name |
Name of the resource object against which reconciliation runs must be performed. Default value: Note: For the resource object shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the resource object, then you can enter the unique name for that resource object as the value of this attribute. |
The Exchange Leave Of Absence Update Task sets the HiddenFromAddressListsEnabled attribute on Microsoft Exchange for a user.
To run this task, you must specify the name of the resource object against which reconciliation runs must be performed.
This task runs only if the Leave Start Date and Leave End Date values are provided on the process form. For example, if the date falls between the Leave Start Date and the Leave End Date, then this task runs and sets the HiddenFromAddressListsEnabled attribute on Microsoft Exchange for that user. Otherwise, this task resets the HiddenFromAddressListsEnabled attribute for that user.
Configure scheduled jobs to perform reconciliation runs that check for new information on your target system periodically and replicates the data in Oracle Identity Manager.
You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.
To configure a scheduled task:
Log in to the Administrative and User Console.
On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
Search for and open the scheduled task as follows:
On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
On the left pane, in the Search field, enter the name of the scheduled task as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
In the search results table on the left pane, click the scheduled task in the Job Name column.
Modify the details of the scheduled task. To do so:
On the Job Details tab, you can modify the following parameters:
Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the task before assigning the Stopped status to the task.
Schedule Type: Depending on the frequency at which you want the task to run, select the appropriate schedule type.
See Also:
See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.
In addition to modifying the task details, you can enable or disable a task.
Specify values for the attributes of the scheduled task. To do so:
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.
Reconciliation can be run in partial mode or in custom mode depending on values configured for the Filter scheduled task attribute.
On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.
After specifying the attributes, click Apply to save the changes.
Note:
Depending on the Oracle Identity Manager release that you are using, you can use the Scheduler Status page in the Administrative and User Console or Identity System Administration to either start, stop, or reinitialize the scheduler.
Provisioning involves creating or modifying mailbox data on the target system through Oracle Identity Manager.
This section discusses the following topics:
Apply this guideline when you start using the connector for provisioning operations.
Before you provision the Microsoft Exchange resource object to a user, ensure that the user has an account in Microsoft Active Directory. If the user does not have a Microsoft Active Directory account, then the provisioning operation fails.
To create a Microsoft Active Directory account for the user, you can provision the Microsoft Active Directory resource object to the user in Oracle Identity Manager.
Note:
Mail redirection function can be set during Microsoft Active Directory provisioning. If mail redirection is set, then there is no need to provision Microsoft Exchange resource object.
Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a Microsoft Exchange account for the user.
When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.
If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Switching Between Request-Based Provisioning and Direct Provisioning.
The following are types of provisioning operations:
Direct provisioning
Request-based provisioning
Provisioning triggered by policy changes
This section discusses the following topics:
To provision a resource by using the direct provisioning approach:
Note:
Before you provision a Microsoft Exchange resource, ensure that a Microsoft Active Directory resource is already provisioned.
If the Allow Multiple check box of the resource object is selected, then you can provision more than one mailbox for an OIM User. However, the target system supports only one mailbox for each user.
Log in to the Administrative and User Console.
On the Welcome to Identity Administration page, from the Users region, click Create User.
On the Create User page, enter values for the OIM User fields, and then click Save.
If you want to provision a Microsoft Exchange mailbox to an existing OIM User, then:
On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.
From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
On the user details page, click the Resources tab.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select Exchange from the list, and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data page, enter the details of the mailbox that you want to create on the target system and then click Continue.
On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.
Close the window displaying the "Provisioning has been initiated" message.
On the Resources tab, click Refresh to view the newly provisioned resource.
A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:
Note:
The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.
The following steps are performed by the end user in a request-based provisioning operation:
If you have configured the connector for request-based provisioning, you can always switch to direct provisioning. Similarly, you can always switch back to request-based provisioning any time.
This section discusses the following topics:
Note:
It is assumed that you have performed the procedure described in Configuring Oracle Identity Manager for Request-Based Provisioning.
If you want to switch from request-based provisioning to direct provisioning, then:
Log in to the Design Console.
Disable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the Exchange process definition.
Deselect the Auto Save Form check box.
Click the Save icon.
If the Self Request Allowed feature is enabled, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the Exchange resource object.
Deselect the Self Request Allowed check box.
Click the Save icon.
If you want to switch from direct provisioning back to request-based provisioning, then:
Log in to the Design Console.
Enable the Auto Save Form feature as follows:
Expand Process Management, and then double-click Process Definition.
Search for and open the Exchange process definition.
Select the Auto Save Form check box.
Click the Save icon.
If you want to enable end users to raise requests for themselves, then:
Expand Resource Management, and then double-click Resource Objects.
Search for and open the Exchange resource object.
Select the Self Request Allowed check box.
Click the Save icon.
You can configure provisioning in Oracle Identity Manager release 11.1.2 by using the Oracle Identity Administrative and User console.
To configure provisioning operations in Oracle Identity Manager release 11.1.2.x:
Note:
The time required to complete a provisioning operation that you perform the first time by using this connector takes longer than usual.
Log in to Oracle Identity Administrative and User console.
Create a user. See Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.
On the Account tab, click Request Accounts.
In the Catalog page, search for and add to cart the application instance, and then click Checkout.
Specify values for fields in the application form and then click Ready to Submit.
Click Submit.
If you want to provision a Microsoft Exchange mailbox to an existing OIM User, then:
On the Users page, search for the required user.
On the user details page, click Accounts.
Click the Request Accounts button.
Search for the Exchange application instance in the catalog search box and select it.
Click Add to Cart.
Click Checkout.
Specify values for fields in the application form and then click Ready to Submit.
Click Submit.
Actions are scripts that you can configure to run before or after any provisioning operation. For example, you can run custom PowerShell scripts before or after creating, updating, or deleting a mailbox.
The following are topics pertaining to action scripts:
This is a summary of the procedure to configure action scripts:
On the computer hosting the connector server, create the custom PowerShell script in a directory. This script should be self-sufficient, that is, it should be able to create, maintain, and delete sessions with the target Exchange server and complete all actions against it.
On the computer hosting Oracle Identity Manager, create a batch (.bat) file. This batch file runs on the computer hosting the connector server, which in turn calls custom PowerShell script available on the connector server host computer. Even if Oracle Identity Manager is installed on a UNIX-based computer, create a batch file.
The batch file runs custom PowerShell script using the Powershell.exe program. For more information on Powershell.exe, see http://technet.microsoft.com/en-us/library/hh847736.aspx.
Open Oracle Identity Manager Design Console and add the following entries to the Lookup.Exchange.UM.Configuration lookup definition. The entries specified in italics are generic, which need actual entries based on when the scripts need to be run.
| Code Key | Decode |
|---|---|
|
TIMING Action Language |
Shell Note: Do not change this value. |
|
TIMING Action File |
Enter full path to the batch file on the computer hosting Oracle Identity Manager. |
|
TIMING Action Target |
Resource Note: Do not change this value. |
Based on when the script needs to run, you can update actual entry for TIMING Action in the preceding table as per the following table:
| When the Script Needs to Run | Actual value for TIMING Action |
|---|---|
|
Before the create operation |
Before Create Action |
|
After the create operation |
After Create Action |
|
Before the update operation |
Before Update Action |
|
After the update operation |
After Update Action |
|
Before the delete operation |
Before Delete Action |
|
After the delete operation |
After Delete Action |
During various operations, there is a difference in terms of what data is available:
During create operations, all attributes part of the process form are available to the script.
During update operations, only the attribute that is being updated is available to the script.
If other attributes are also required, then a new adapter calling ICProvisioningManager# updateAttributeValues(String objectType, String[] labels) should be created and used. During adapter mapping in process task, add the form field labels of the dependent attributes.
During delete operations, only the __UID__ (GUID) attribute is available to the script.