The Database User Management connector is built on a framework designed for JDBC-based connectors. If your target system is a JDBC-based database other than the certified databases listed in connector.htm#GUID-C2D995F1-879C-4568-A002-394B33262D5B__BABEJCJF, then you can create a connector for your target system by following the instructions given in this chapter.
Note:
In this chapter, MyDatabase has been used as the sample JDBC-based database to explain the procedures.
For Oracle Identity Manager hosted on a Microsoft Windows computer, if you have a previously installed connector, then you must extract the connector bundle zip file again before installing a new connector.
The following sections describe the procedure to create each object of the connector:
This section describes the attributes and the queries of MyDatabase, the sample database used in the procedures in this chapter.
The following table lists the attributes of the database user:
Attribute | Type of Attribute |
---|---|
User Name | String |
User Password | String |
Database ID | String. List of values available in the DBNames table. |
Status | String. Sample values: ACTIVE, DISABLED |
lastModifiedToken | Long |
The database users are stored in the MYDBUsers table, which has read-only access. Stored procedures are used to add or modify the users in this table.
The following stored procedures are used in the provisioning queries:
Call CREATE_USER(usrid, passwd, dbid)
Call RESET_PASSWD(usrid, passwd)
Call ENABLE_USER(usrid)
Call DISABLE_USER(usrid)
Call DELETE_USER(usrid)
Call UPDATE_DBID(usrid, dbid)
The following SQL query is used to fetch lookup values:
Select id from DBNames
The following SQL queries are used for reconciliations:
Full reconciliation query
Select USRNAME, DBID, Status, lastModifiedToken from MYDBUsers
Incremental reconciliation query
Select USRNAME, DBID, Status, lastModifiedToken from MYDBUsers where lastModifiedToken > @lastRunToken
Limited reconciliation query
This query is similar to a full or incremental reconciliation query, with the filter converted to the WHERE condition. For example, the query for all users with DBID='master' is as follows:
Select USRNAME, DBID, Status, lastModifiedToken from MYDBUsers where lastModifiedToken > @lastRunToken AND DBID='master'
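The three reconciliation queries above, as an added example that is not part of the connector or of the original documentation. An in-memory SQLite table stands in for MyDatabase, and the `reconcile` helper, the `FILTERABLE` allowlist and the sample rows are constructed for illustration. The `@lastRunToken` value and the filter values are bound as parameters rather than concatenated into the WHERE condition.

```python
import sqlite3

BASE = "SELECT USRNAME, DBID, Status, lastModifiedToken FROM MYDBUsers"
# Column names cannot be bound as parameters, so filters are limited to an allowlist.
FILTERABLE = {"DBID", "Status"}

def sample_db():
    """Constructed stand-in for MyDatabase with the page's table and column names."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MYDBUsers "
               "(USRNAME TEXT, DBID TEXT, Status TEXT, lastModifiedToken INTEGER)")
    db.executemany("INSERT INTO MYDBUsers VALUES (?, ?, ?, ?)", [
        ("alice", "master", "ACTIVE", 100),      # constructed sample rows
        ("bob", "hr", "ACTIVE", 105),
        ("carol", "master", "DISABLED", 110),
        ("dave", "master", "ACTIVE", 120),
    ])
    return db

def reconcile(db, last_run_token=None, filters=None):
    """No token: full run. Token: incremental run. Filters: limited run.
    Returns (rows, token to store for the next run)."""
    clauses, params = [], []
    if last_run_token is not None:
        clauses.append("lastModifiedToken > ?")   # stands in for @lastRunToken
        params.append(int(last_run_token))
    for column, value in (filters or {}).items():
        if column not in FILTERABLE:
            raise ValueError(f"filter on unsupported column: {column!r}")
        clauses.append(f"{column} = ?")           # value is bound, never concatenated
        params.append(value)
    where = " WHERE " + " AND ".join(clauses) if clauses else ""
    rows = db.execute(BASE + where + " ORDER BY lastModifiedToken", params).fetchall()
    # Advance the token only when rows were returned, so an empty run loses nothing.
    new_token = rows[-1][3] if rows else last_run_token
    return rows, new_token

if __name__ == "__main__":
    db = sample_db()
    _, token = reconcile(db)                                  # full
    print(reconcile(db, 105))                                 # incremental
    print(reconcile(db, 100, {"DBID": "master"}))             # limited
    print(reconcile(db, token))                               # nothing new
```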
This section describes the MyDatabase queries to be created and configured in the connector bundle.
See Also:
The following sections for information about the syntax and samples of the queries used for the certified databases listed in connector.htm#GUID-C2D995F1-879C-4568-A002-394B33262D5B__BABEJCJF:
This section describes the procedure to update the connector bundle with the MyDatabase query files created in the preceding section.
To update the query files:
You must specify values for the parameters of the IT resource for MyDatabase as follows:
If you are using Oracle Identity Manager release 11.1.1.x:
Log in to the Administrative and User Console.
On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x or later:
Log in to Oracle Identity System Administration.
Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
In the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter the name of the IT resource, and then click Search.
For example: Oracle DB
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the following parameters of the IT resource. All other parameters of the IT resource will remain unchanged.
configuring-connector-jdbc-based-database.htm#GUID-726C3286-E108-446F-BE32-1E3FC466F105__BABHGGCJ describes the parameters to be updated for MyDatabase.
Table 8-1 IT Resource Parameters for New Database
Parameter | Description |
---|---|
DB Type | This field identifies the database type (such as Oracle and MSSQL) and is used for loading the respective scripts. Sample value: |
JDBC Driver | Specify the value of the JDBC driver class name for MyDatabase. |
JDBC URL | Specify the JDBC URL for MyDatabase. |
Login Password | Enter the password for the user name of the MyDatabase account to be used for connector operations. |
Login User | Enter the user name of the MyDatabase account to be used for connector operations. |
To save the values, click Update.
You must update the process form with the attributes of a MyDatabase user. Do not change the IT Resource and Reference ID fields on the process form.
To configure the process form:
Log in to the Oracle Identity Manager Design Console.
Create a new lookup definition to hold the Database ID attribute mappings as follows:
Expand Administration.
Double-click Lookup Definition.
Create a new lookup definition, Lookup.DBUM.MYDB.DBNames.
This lookup definition will be empty and will be populated with entries after you run the scheduled jobs for lookup field synchronization.
Click the save icon.
Create a new version of the process form:
Expand Development Tools.
Double-click Form Designer.
Search for and open the UD_DB_ORA_U process form.
Click Create New Version.
On the Create a new version dialog box, enter a new version in the Label field, and then click the save icon.
Add the new fields for the MyDatabase user attributes on the process form.
Click Add.
A field is added to the list. Enter the details of the field.
Add details for all other attributes as new fields.
Click the save icon, and then click Make Version Active.
A sample screenshot of the process form is as follows:
A sample screenshot for the Database ID attribute is as follows:
You must rename the resource object to MYDB User and modify the reconciliation fields as required for MyDatabase. Do not change the IT Resource and Reference ID fields.
Note:
You must remove the process task mappings before removing the reconciliation fields in the resource object.
To rename the resource object:
A sample screenshot of the updated resource object with reconciliation fields is as follows:
You must rename the process definition to MY Database User and remove the unused process tasks from the process definition.
To integrate the Create User process task with the adpORACREATESETFORM adapter:
A sample screenshot of the updated process task is as follows:
After you create the resource object, you must define the attributes on the target resources that must be used for reconciliation. In addition, you must also map these attributes to the corresponding fields on Oracle Identity Manager. Note that the attributes that you add to the resource object are mapped for reconciliation between Oracle Identity Manager and the target system.
A sample screenshot of the attribute mappings for the MY Database User process definition is as follows:
In Oracle Identity Manager, you must configure lookup definitions of the following types that will be used during connector operations:
Lookup definitions corresponding to lookup fields on the target system
Lookup definitions that store configuration and other generic information
To modify the values of these lookup definitions:
Log in to the Design Console.
Expand Administration, and then double-click Lookup Definition.
Update the Lookup.DBUM.Oracle.Configuration lookup definition as follows:
Search for and open the Lookup.DBUM.Oracle.Configuration lookup definition.
Update the Decode column of disabledValuesSet to Disabled.
Update the Decode column of reservedWordsList and unsupportedChars if you want to add any restrictions on the user inputs.
A sample screenshot of the updated lookup definition is as follows:
Update the Lookup.DBUM.Oracle.UM.ProvAttrMap lookup definition as follows:
Search for and open the Lookup.DBUM.Oracle.UM.ProvAttrMap lookup definition.
Update the provisioning attribute mappings as per MyDatabase. This lookup definition holds user-specific mappings between process form fields (Code Key values) and target system attributes (Decode values) used during provisioning operations (same as the attributes in the Provisioning.queries file).
If an attribute is of type Lookup, then it has to be tagged with [LOOKUP].
A sample screenshot of the updated lookup definition is as follows:
Update the Lookup.DBUM.Oracle.UM.ReconAttrMap lookup definition as follows:
Search for and open the Lookup.DBUM.Oracle.UM.ReconAttrMap lookup definition.
Update the reconciliation attribute mappings as per MyDatabase. This lookup definition holds user-specific mappings between reconciliation attribute names as specified in the resource object (Code Key values) and target system attributes (Decode values) used during reconciliation operations.
If an attribute is of type Lookup, then it has to be tagged with [LOOKUP].
Do not modify the Reference ID mapping.
A sample screenshot of the updated lookup definition is as follows:
Click the save icon.
See Also:
Lookup Definitions Used During Connector Operations for Oracle Database for descriptions of the entries in the lookup definitions
You need scheduled jobs for the following reasons:
Configuring Scheduled Jobs for Lookup Field Synchronization
For synchronizing lookup field values with the target system.
Configuring Scheduled Jobs for Reconciliation
For fetching data from the target system for reconciliation with Oracle Identity Manager.
You need not create scheduled jobs for lookup field synchronization. Instead, you can use the lookup reconciliation scheduled jobs that are shipped with this connector. See Scheduled Jobs for Lookup Field Synchronization for Oracle Database for more information about these scheduled jobs.
For example, to perform Database ID lookup reconciliation, update the DBUM Oracle Roles Lookup Reconciliation scheduled job parameters as follows:
Attribute | Description |
---|---|
Code Key Attribute | Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). For example: Note: Do not change the value of this attribute. |
Decode Attribute | Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). For example: |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. For example: |
Lookup Name | This attribute holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. For example: |
Object Type | Enter the type of object whose values must be synchronized. For example: |
Resource Object Name | Enter the name of the resource object that is used for reconciliation. For example: |
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1.x and want to configure request-based provisioning.
A request-based provisioning operation involves an end user (a requester) who creates a request for a resource and an approver (an OIM User with the required privileges) who approves the request.
To perform request-based provisioning operations, you must configure a request workflow that suits your requirements. You must update the process form attribute names in request datasets. For complete information on configuring the request workflow.
See Also:
Configuring Request-Based Provisioning for Oracle Database for a similar procedure for the Oracle Database
As a best practice, you must test the connector after completing all customizations for the new database to ensure that it functions as expected.
You can use the testing utility to identify the cause of problems associated with connecting to the target system and performing basic operations on the target system.
To run the testing utility, see Testing the Connector.