5 Using and Extending the Connector for MySQL

You can use the Database User Management Connector for MySQL for performing reconciliation and provisioning operations after configuring it to meet your requirements. You can also extend the functionality of the connector to address your specific business requirements.

This chapter contains the following topics:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

For Oracle Identity Manager hosted on a Microsoft Windows computer, if you have a previously installed connector, then you must extract the connector bundle zip file again before installing a new connector.

5.1 Configuring Secure Communication Between MySQL and Oracle Identity Manager

Note:

It is recommended that you perform the procedure described in this section to secure communication between the target system and Oracle Identity Manager.

Perform the following steps to configure secure communication between MySQL and Oracle Identity Manager:

See MySQL documentation for information about enabling SSL communication between MySQL and a client system. In this context, the client is Oracle Identity Manager.
Export the certificate on the MySQL host computer.
Restart the MySQL database service by using the certificate exported in the preceding step. See MySQL documentation for information on restarting the database service.
Copy the ca-cert.pem and client-cert.pem certificates to the Oracle Identity Manager host computer.

Import the certificates into the JVM truststore of the application server on which Oracle Identity Manager is running.

To import the certificates into the truststore, run the following command for each certificate:

keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS

In this command:

Replace FILE_LOCATION with the full path and name of the certificate file.
Replace ALIAS with an alias for the certificate.
Replace TRUSTSTORE_PASSWORD with a password for the truststore.
Replace TRUSTSTORE_LOCATION with one of the truststore paths from using-and-extending-connector-mysql.htm#GUID-380FCE0F-E36B-4A05-AE98-28999B7DA5C3__CHDGBFEB. This table shows the location of the truststore for each of the supported application servers.

Note:

In an Oracle Identity Manager cluster, import the file into the truststore on each node of the cluster.

Table 5-1 Truststore Locations on Supported Application Servers

Application Server	Truststore Location
Oracle WebLogic Server	If you are using Oracle jrockit_R27.3.1-jdk, then import the certificate into the keystore in the following directory: JROCKIT_HOME/jre/lib/security If you are using the default Oracle WebLogic Server JDK, then import the certificate into the keystore in following directory: WEBLOGIC_HOME/java/jre/lib/security/cacerts If you are using a JDK other than Oracle jrockit_R27.3.1-jdk or Oracle WebLogic Server JDK, then import the certificate into your keystore at the following directory: JAVA_HOME/jre/lib/security/cacerts

Application Server

Truststore Location

Oracle WebLogic Server

If you are using Oracle jrockit_R27.3.1-jdk, then import the certificate into the keystore in the following directory:

JROCKIT_HOME/jre/lib/security
If you are using the default Oracle WebLogic Server JDK, then import the certificate into the keystore in following directory:

WEBLOGIC_HOME/java/jre/lib/security/cacerts
If you are using a JDK other than Oracle jrockit_R27.3.1-jdk or Oracle WebLogic Server JDK, then import the certificate into your keystore at the following directory:

JAVA_HOME/jre/lib/security/cacerts

To enable secure communication between MySQL and Oracle Identity Manager, set the value of the UseSSL IT resource parameter to true. You must provide a value for this parameter while performing the procedure described in Configuring the IT Resource for the Connector Server.

5.2 Guidelines on Determining Values for the JDBC URL and Connection Properties Parameters for MySQL

This section discusses the JDBC URL and Connection Properties parameters. You apply the information in this section while performing the procedure described in Configuring the IT Resource for the Target System.

The following are guidelines on specifying the JDBC URL and Connection Properties parameters:

JDBC URL parameter

Enter the following component of the connection URL as the value of the JDBC URL provider:
```
jdbc:mysql://[SERVER_NAME][:PORT_NUMBER]/[DATABASE_NAME] 
```
In this format:
- SERVER_NAME is the IP address (not the host name) of the target system host computer.
- PORT_NUMBER is the port at which the target system database is listening.
- DATABASE_NAME is the name of the database we are connecting.
The following is a sample value for the Database URL parameter:
```
jdbc:mysql://192.168.16.76:3306/information_schema
```
Connection Properties parameter

Enter the following component of the connection URL as the value of the Connection Properties parameter:
```
[,PROPERTY=VALUE[,PROPERTY=VALUE]] . . .
```
In this format:
- PROPERTY is the name of one or more database connection properties, such as applicationName and disableStatementPooling.
- VALUE is the value of each database connection property whose name you specify by using the PROPERTY placeholder.
Note:

Semicolons must be changed to number signs (#) in the value that you specify.

The following is a sample value for the Connection Properties parameter:
```
databaseName=information_schema#port=3306
```
If you enable SSL communication between MySQL and Oracle Identity Manager, then:
- Append the following value to the value in the Connection Properties parameter of the IT resource:
```
useSSL=true#requireSSL=true
```
  For example, suppose the following is the existing value for the Connection Properties parameter:
```
databaseName=information_schema#port=3306
```
  Now, if you enable SSL communication between MySQL and Oracle Identity Manager, then the value of the Connection Properties parameter must be as follows:
```
databaseName=information_schema#port=3306#useSSL=true#requireSSL=true
```

5.3 Lookup Definitions for MySQL

This section contains the following information:

5.3.1 Lookup Definitions Synchronized with MySQL

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Privileges lookup field to select a privilege to be assigned to a schema from the list of available privileges. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The connector provides predefined SQL queries for fetching values from the target system lookup fields into the lookup definitions in Oracle Identity Manager. These predefined SQL queries are stored in the LoVSearch.queries file with in the connector bundle.

After lookup definition synchronization, data is stored in the following format:

Code Key value: IT_RESOURCE_KEY~LOOKUP_FIELD_ID

In this format:
- IT_RESOURCE_KEY is the numeric code assigned to each IT resource in Oracle Identity Manager.
- LOOKUP_FIELD_ID is the target system code assigned to each lookup field entry.
Sample value: 1~SYS_ADM
Decode value: IT_RESOURCE_NAME~LOOKUP_FIELD_ID

In this format:
- IT_RESOURCE_NAME is the name of the IT resource in Oracle Identity Manager.
- LOOKUP_FIELD_ID is the target system code assigned to each lookup field entry.
Sample value: MySQL DB~SYS_ADM

While performing a provisioning operation in Oracle Identity Self Service, you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup definitions on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select. If your environment has multiple installations of the target system, then values corresponding to all IT resources are displayed.

using-and-extending-connector-mysql.htm#GUID-8D2F4DE7-1CBF-4BE3-8F59-8DD1A2F984DF__CHDDDBFE lists column name of the table in MySQL that is synchronized with its corresponding lookup definition in Oracle Identity Manager.

Table 5-2 Lookup Definitions Synchronized with MySQL

Lookup Definition	Target Column Name
Lookup.DBUM.MySQL.SchemaPrivileges	Privilege

5.3.2 Lookup Definitions for Configurations for MySQL

This section describes the configuration lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.

This section provides information about the following lookup definitions

5.3.2.1 Lookup.DBUM.MySQL.Configuration

The Lookup.DBUM.MySQL.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.

Table 5-3 Entries in Lookup.DBUM.MySQL.Configuration

Code Key	Decode Key	Description
Bundle Name	`org.identityconnectors.dbum`	Name of the connector bundle package Do not modify this entry.
Bundle Version	1.0.1116	Version of the connector bundle class Do not modify this entry.
Connector Name	`org.identityconnectors.dbum.DBUMConnector`	Name of the connector class Do not modify this entry.
User Configuration Lookup	Lookup.DBUM.MySQL.UM.Configuration	Name of the lookup definition that contains user-specific configuration properties Do not modify this entry.

5.3.2.2 Lookup.DBUM.MySQL.UM.Configuration

The Lookup.DBUM.MySQL.UM.Configuration lookup definition holds user-specific connector configuration entries that are used during target resource reconciliation and provisioning operations.

Table 5-4 Entries in Lookup.DBUM.MySQL.UM.Configuration

Code Key	Decode Key
Provisioning Attribute Map	Lookup.DBUM.MySQL.UM.ProvAttrMap
Provisioning Exclusion List	Lookup.DBUM.MySQL.UM.ExclusionList
Provisioning Validation Lookup	Lookup.DBUM.MySQL.UM.ProvValidations
Recon Validation Lookup	Lookup.DBUM.MySQL.UM.ReconValidations
Recon Attribute Map	Lookup.DBUM.MySQL.UM.ReconAttrMap
Recon Exclusion List	Lookup.DBUM.MySQL.UM.ExclusionList
Recon Transformation Lookup	Lookup.DBUM.MySQL.UM.ReconTransformations

5.3.2.3 Lookup.DBUM.MySQL.Configuration.Trusted

The Lookup.DBUM.MySQL.Configuration.Trusted lookup definition holds connector configuration entries that are used during reconciliation and provisioning operations in trusted source mode.

Table 5-5 Entries in Lookup.DBUM.MySQL.Configuration.Trusted

Code Key	Decode Key
Bundle Name	`org.identityconnectors.dbum`
Bundle Version	1.0.1116
Connector Name	`org.identityconnectors.dbum.DBUMConnector`
User Configuration Lookup	Lookup.DBUM.MySQL.UM.Configuration.Trusted

5.3.2.4 Lookup.DBUM.MySQL.UM.Configuration.Trusted

The Lookup.DBUM.MySQL.UM.Configuration.Trusted lookup definition holds user-specific connector configuration entries that are used during reconciliation and provisioning operations in trusted source mode.

Table 5-6 Entries in Lookup.DBUM.MySQL.UM.Configuration.Trusted

Code Key	Decode Key
Recon Attribute Defaults	Lookup.DBUM.MySQL.UM.ReconDefaults.Trusted
Recon Attribute Map	Lookup.DBUM.MySQL.UM.ReconAttrMap.Trusted
Recon Validation Lookup	Lookup.DBUM.MySQL.UM.ReconValidations.Trusted
Recon Exclusion List	Lookup.DBUM.MySQL.UM.ExclusionList.Trusted
Recon Transformation Lookup	Lookup.DBUM.MySQL.UM.ReconTransformations.Trusted

5.3.3 Lookup Definitions for Attribute Mappings for MySQL

This section describes the following lookup definitions:

5.3.3.1 Lookup.DBUM.MySQL.UM.ProvAttrMap

The Lookup.DBUM.MySQL.UM.ProvAttrMap lookup definition holds user-specific mappings between process form fields (Code Key values) and target system attributes (Decode values) used during provisioning operations.

Table 5-7 Entries in Lookup.DBUM.MySQL.UM.ProvAttrMap

Code Key	Decode Key
Return Id	__UID__
UD_DB_MYS_P~Privilege[LOOKUP]	privileges~DBPrivilege~__NAME__
User Name	__NAME__
User Password	__PASSWORD__

5.3.3.2 Lookup.DBUM.MySQL.UM.ReconAttrMap

The Lookup.DBUM.MySQL.UM.ReconAttrMap lookup definition holds user-specific mappings between reconciliation attribute names as specified in the resource object (Code Key values) and target system attributes (Decode values) used during reconciliation operations.

Table 5-8 Entries in Lookup.DBUM.MySQL.UM.ReconAttrMap

Code Key	Decode Key
Privilege List~Privilege Name[LOOKUP]	privileges~DBPrivilege~__NAME__
Return ID	__UID__
User Name	__UID__

5.3.3.3 Lookup.DBUM.MySQL.UM.ReconAttrMap.Trusted

The Lookup.DBUM.MySQL.UM.ReconAttrMap.Trusted lookup definition holds user-specific mappings between reconciliation attribute names as specified in the resource object (Code Key values) and target system attributes (Decode values) used during reconciliation operations in trusted source mode.

Table 5-9 Entries in Lookup.DBUM.MySQL.UM.ReconAttrMap.Trusted

Code Key	Decode Key
First Name	__NAME__
User ID	__UID__

5.3.3.4 Lookup.DBUM.MySQL.UM.ReconDefaults.Trusted

This lookup definition contains the default values for the Oracle Identity Manager user attributes. You can change these values as per your requirements.

For example, if you want the users reconciled from a trusted source to be part of the MyORG organization, then map the lookup definition entry as follows:

Code Key = Organization Name

Decode = MyORG (instead of Xellerate Users)

Table 5-10 Entries in Lookup.DBUM.MySQL.UM.ReconDefaults.Trusted

Code Key	Decode Key
Empl Type	Full-Time
Organization Name	Xellerate Users
Status	Active
User Type	End-User

5.3.4 Lookup Definitions for Exclusion Lists for MySQL

This section describes the lookup definitions that hold resources for which you do not want to perform provisioning and reconciliation operations. Exclusions can be applied to any attribute in the process form or reconciliation profile. The Code Key value must be one of the Code Key values in Lookup.DBUM.MySQL.UM.ReconAttrMap or Lookup.DBUM.MySQL.UM.ProvAttrMap lookup definitions.

Depending on how the target system is configured, you can use one of the following lookups:

For target resource mode: Lookup.DBUM.MySQL.UM.ExclusionList

By default, this lookup definition has the following entry:

Code Key Decode

User Name

root
For trusted source mode: Lookup.DBUM.MySQL.UM.ExclusionList.Trusted

By default, this lookup definition has the following entry:

Code Key Decode

User ID

root

Code Key	Decode
User Name	root

Code Key	Decode
User ID	root

The following is the format of the values stored in these lookups:

Code Key Decode Sample Values

Code Key	Decode	Sample Values
User Name	User ID of a user	Code Key: User Name Decode: User001
User Name with the [PATTERN] suffix	A regular expression supported by the representation in the `java.util.regex.Pattern` class	Code Key: User Name[PATTERN] To exclude users matching any of the user ID 's User001, User002, User088, then: Decode: User001\|User002\|User088 To exclude users whose user ID 's start with 00012, then: Decode: 00012* See Also: For information about the supported patterns, visit `http://download.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html`

User Name

User ID of a user

Code Key: User Name

Decode: User001

User Name with the [PATTERN] suffix

A regular expression supported by the representation in the java.util.regex.Pattern class

Code Key: User Name[PATTERN]

To exclude users matching any of the user ID 's User001, User002, User088, then:

Decode: User001|User002|User088

To exclude users whose user ID 's start with 00012, then:

Decode: 00012*

See Also: For information about the supported patterns, visit http://download.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html

Configuring Resource Exclusion Lists for MySQL describes the procedure to add entries in these lookup definitions.

5.3.5 Lookup Definitions for Transformation of Data in MySQL

This section describes the lookup definitions that hold resources for which you want to enable transformation of data during reconciliation operations.

Depending on how the target system is configured, use one of the following lookup definitions:

For target resource mode: Lookup.DBUM.MySQL.UM.ReconTransformations
For trusted source mode: Lookup.DBUM.MySQL.UM.ReconTransformations.Trusted

Configuring Transformation of Data During User Reconciliation for MySQL describes the procedure to add entries in these lookup definitions.

5.3.6 Lookup Definition for Validation of Data in MySQL

You can use the Lookup.DBUM.MySQL.UM.ProvValidations lookup to configure validation of data during provisioning operations.

Configuring Validation of Data During Reconciliation and Provisioning for MySQL describes the procedure to add entries in this lookup definition.

5.4 Scheduled Jobs for MySQL

When you run the Connector Installer or import the connector XML file, the scheduled jobs are automatically created in Oracle Identity Manager.

This section describes the following topics:

5.4.1 Scheduled Job for Lookup Field Synchronization for MySQL

Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The DBUM MySQL Privilege Type Lookup Reconciliation scheduled job is used for lookup field synchronization.

You must specify values for the attributes of this scheduled job. using-and-extending-connector-mysql.htm#GUID-334BDE33-5F87-4257-B416-15B6E704DF66__CIHFGJDE describes the attributes of this scheduled job. The procedure to configure scheduled job is described later in the guide.

Table 5-11 Attributes of the Scheduled Job for Lookup Field Synchronization

Attribute	Description
Code Key Attribute	Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Sample value: `__NAME__` Note: Do not change the value of this attribute.
Decode Attribute	Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Sample value: `__NAME__`
IT Resource Name	Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: `MySQL DB`
Lookup Name	This attribute holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Default value: `Lookup.DBUM.MySQL.SchemaPrivileges`
Object Type	Enter the type of object whose values must be synchronized. Default value: __PRIVILEGES__ Note: Do not change the value of this attribute.
Resource Object Name	Enter the name of the resource object that is used for reconciliation. Default value: `MySQL DB User`

5.4.2 Attributes for Scheduled Jobs for MySQL

The following scheduled jobs are used to reconcile user data in the target resource (account management) mode of the connector:

DBUM MySQL User Target Reconciliation
DBUM MySQL Delete User Target Reconciliation

The following scheduled jobs are used to reconcile user data in the trusted source (identity management) mode of the connector:

DBUM MySQL User Trusted Reconciliation
DBUM MySQL Delete User Trusted Reconciliation

using-and-extending-connector-mysql.htm#GUID-2C65E1A3-9537-43D0-8260-2C956D7E06CF__CIHBDGFE describes the attributes of the scheduled jobs for user operations.

Table 5-12 Attributes of the Scheduled Jobs for Reconciliation

Attribute	Description
Batch Size	Value for running the scheduled job in batch mode. By default, this value is empty.
Filter	Expression for filtering records that must be reconciled by the scheduled job By default, the value of this attribute is empty. Sample value: `equalTo('__UID__','SEPT12USER1')` See Performing Limited Reconciliation from MySQL for the syntax of this expression.
IT Resource Name	Name of the IT resource for the target system installation from which you want to reconcile user records For DBUM MySQL User Target Reconciliation: `MySQL DB` For DBUM MySQL User Trusted Reconciliation, enter the name of the IT resource created for trusted source mode.
Object Type	Type of object you want to reconcile Default value: `User`
Resource Object Name	Name of the resource object that is used for reconciliation For DBUM MySQL User Target Reconciliation: `MySQL DB User` For DBUM MySQL User Trusted Reconciliation: `MySQL DB Trusted`
Scheduled Task Name	Name of the scheduled job Note: For the scheduled job included with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter the unique name for that scheduled job as the value of this attribute.

using-and-extending-connector-mysql.htm#GUID-2C65E1A3-9537-43D0-8260-2C956D7E06CF__CIHFFEDB describes the attributes of the scheduled jobs for delete operations.

Table 5-13 Attributes of the Scheduled Jobs for Delete Operations

Attribute Description

Attribute	Description
IT Resource Name	Name of the IT resource for the target system installation from which you want to reconcile user records For DBUM MySQL Delete User Target Reconciliation: `MySQL DB` For DBUM MySQL Delete User Trusted Reconciliation, enter the name of the IT resource created for trusted source mode.
Object Type	Type of object you want to reconcile Default value: `User`
Resource Object Name	Name of the resource object that is used for reconciliation For DBUM MySQL Delete User Target Reconciliation: `MySQL DB User` For DBUM MySQL Delete User Trusted Reconciliation: `MySQL DB Trusted`

IT Resource Name

Name of the IT resource for the target system installation from which you want to reconcile user records

For DBUM MySQL Delete User Target Reconciliation: MySQL DB

For DBUM MySQL Delete User Trusted Reconciliation, enter the name of the IT resource created for trusted source mode.

Object Type

Type of object you want to reconcile

Default value: User

Resource Object Name

Name of the resource object that is used for reconciliation

For DBUM MySQL Delete User Target Reconciliation: MySQL DB User

For DBUM MySQL Delete User Trusted Reconciliation: MySQL DB Trusted

5.4.3 Configuring Scheduled Jobs for MySQL

You can apply this procedure to configure the scheduled jobs for lookup fields synchronization and reconciliation.

See Scheduled Job for Lookup Field Synchronization for MySQL and Attributes for Scheduled Jobs for MySQL for the scheduled jobs that are part of the connector and for information about their attributes.

To configure a scheduled job:

For Oracle Identity Manager release 11.1.1.x:
1. Log in to the Administrative and User Console.
2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
If you are using Oracle Identity Manager release 11.1.2.x or later:
1. Log in to Oracle Identity System Administration.
2. In the left pane, under System Management, click Scheduler.
Search for and open the scheduled job as follows:
1. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
2. In the search results table on the left pane, click the scheduled job in the Job Name column.
On the Job Details tab, you can modify the following parameters:

Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

Note:

See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

In addition to modifying the job details, you can enable or disable a job.
On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled job.
Note:
- Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
- Attributes of the scheduled job are discussed in Attributes for Scheduled Jobs for MySQL.
After specifying the attributes, click Apply to save the changes.

5.5 Reconciliation from MySQL

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

5.5.1 Guidelines on Configuring Reconciliation for MySQL

The following are guidelines that you must apply while configuring reconciliation:

Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the lookup fields of the target system. In other words, the scheduled job for lookup field synchronization must be run before user reconciliation runs.
After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then rerun the scheduled job without changing the values of the task attributes.

5.5.2 About the Reconciliation Process for MySQL

This connector can be configured to perform either trusted source reconciliation or target resource reconciliation.

When you configure the target system as a target resource, the connector enables you to create and manage database accounts for OIM Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled and linked with existing OIM Users and provisioned resources.

When you configure the target system as a trusted source, the connector fetches into Oracle Identity Manager, data about newly created target system accounts. This data is used to create OIM Users. See Configuring the Target System As a Trusted Source for more information.

5.5.3 Target System Columns Used in Reconciliation from MySQL

As mentioned earlier in this guide, this connector can be configured to perform either target resource reconciliation or trusted source reconciliation. This section discusses the following topics:

The Lookup.DBUM.MySQL.UM.ReconAttrMap lookup definition holds attribute mappings for user reconciliation. This lookup definition contains mapping of Oracle Identity Manager attributes and connector attributes.

See Lookup.DBUM.MySQL.UM.ReconAttrMap for more information.
The Lookup.DBUM.MySQL.UM.ReconAttrMap.Trusted lookup definition holds attribute mappings for reconciliation in trusted mode. This lookup definition maps reconciliation profile attributes and connector attributes used in the reconciliation query. In addition, the connector attributes are associated to columns within the bundle.

See Lookup.DBUM.MySQL.UM.ReconAttrMap.Trusted for more information about this lookup definition.

5.5.4 Configuring the Target System As a Trusted Source

Note:

Skip this section if you do not want to designate the target system as a trusted source for reconciliation.

To configure trusted source reconciliation:

If you are using Oracle Identity Manager release 11.1.1.x:
1. Log in to the Administrative and User Console.
2. On the Welcome page, click Advanced in the upper-right corner of the page.
3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Create IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x or later:s
1. Log in to Oracle Identity System Administration.
2. In the left pane, under Configuration, click IT Resource.
3. In the Manage IT Resource page, click Create IT Resource.
On the Step 1: Provide IT Resource Information page, enter the following information:
- IT Resource Name: Enter a name for the IT resource. For example, MySQL DB Trusted.
- IT Resource Type: Select the MySQL DB IT resource type for the IT resource.
Click Continue.
On the Step 2: Specify IT Resource Parameter Values page, specify values for the parameters of the IT resource.

Configuration Lookup: Name of the lookup definition in which you store the connector configuration information for the target system.

Sample Value: Lookup.DBUM.MySQL.Configuration.Trusted

Provide values for the other IT resource parameters.
Click Continue.

In the following steps, provide permissions on the IT resource that you are creating as per your requirements.

You can use this IT resource for trusted source reconciliation operations.

5.5.5 Reconciliation Rules for MySQL

5.5.6 Viewing Reconciliation Rules for MySQL

After you deploy the connector, you can view the reconciliation rule for reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for the rule name.

5.5.7 Reconciliation Action Rules for MySQL

Reconciliation action rules define that actions the connector must perform based on the reconciliation rules defined for Users.

using-and-extending-connector-mysql.htm#GUID-E378B228-3CD6-4810-B5D8-E945B2B386B7__CHDCEIBF lists the action rules for target resource reconciliation.

Table 5-14 Action Rules for Target Resource Reconciliation

Rule Condition	Action
No Matches Found	Assign to Administrator With Least Load
One Entity Match Found	Establish Link
One Process Match Found	Establish Link

using-and-extending-connector-mysql.htm#GUID-E378B228-3CD6-4810-B5D8-E945B2B386B7__CHDCBFFC lists the action rules for trusted source reconciliation.

Table 5-15 Action Rules for Trusted Source Reconciliation

Rule Condition	Action
No Matches Found	Create User
One Entity Match Found	Establish Link

5.5.8 Viewing Reconciliation Action Rules for MySQL

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the resource object. The following are the names of the resource objects for each target system database:
- Resource object for MySQL:
  
  MySQL DB User
- Resource object for MySQL as trusted source:
  
  MySQL DB Trusted
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.

5.5.9 Performing Full Reconciliation from MySQL

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.

To perform a full reconciliation run, remove (delete) any value currently assigned to the Filter attribute and run one of the following scheduled jobs:

For MySQL as a target resource: DBUM MySQL User Target Reconciliation
For MySQL as a trusted source: DBUM MySQL User Trusted Reconciliation

See Attributes for Scheduled Jobs for MySQL for information about this scheduled job.

5.5.10 Performing Limited Reconciliation from MySQL

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the DBUM resource attributes to filter the target system records. You can apply filters to the parent parameters in the reconciliation query file stored in a JAR file in the bundle directory of the connector installation media. For example, to locate the reconciliation query file, you can extract the bundle/org.identityconnectors.dbum-1.0.1116.jar file and open scripts/mysql/Search.queries.

The following table provides the description of the parent parameter that can be used with the Filter attribute of the scheduled jobs:

Parameter	Description
__UID__	Unique identity representing the user This parameter is mapped to USERNAME or __NAME__ connector attribute.

Parameter

Description

__UID__

Unique identity representing the user

This parameter is mapped to USERNAME or __NAME__ connector attribute.

For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

While deploying the connector, follow the instructions in Configuring Scheduled Jobs for MySQL to specify attribute values.

5.5.11 Performing Batched Reconciliation from MySQL

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid these problems.

To configure batched reconciliation, you must specify value for the Batch Size reconciliation scheduled job attribute. Use this attribute to specify the number of records that must be included in each batch. By default, this value is empty.

If you specify a value other than All, then some of the newly added or modified user records may not get reconciled during the current reconciliation run. The following example illustrates this:

Suppose you specify the Batch Size value as 200 while configuring the scheduled jobs. Suppose that 314 user records were created or modified after the last reconciliation run. Of these 314 records, only 200 records would be reconciled during the current reconciliation run. The remaining 114 records would be reconciled during the next reconciliation run.

You specify values for the Batch Size attribute by following the instructions described in Configuring Scheduled Jobs for MySQL.

5.6 Provisioning for MySQL

Provisioning involves creating or modifying user account on the target system through Oracle Identity Manager.

This section contains the following topics about provisioning:

5.6.1 Guidelines on Performing Provisioning Operations for MySQL

The following are guidelines that you must apply while performing provisioning operations:

Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, run the scheduled jobs for lookup field synchronization before provisioning operations.
Passwords for user accounts provisioned from Oracle Identity Manager must adhere to the password policy set in the target system.
The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Manager fields.
During an update password provisioning operation, ensure that you clear the existing text in the Password field, and then enter the new password.

5.6.2 Understanding the Provisioning Process for MySQL

Provisioning involves creating and managing user accounts. When you allocate (or provision) a database resource to an OIM User, the operation results in the creation of an account on the target database for that user. Similarly, when you update the resource on Oracle Identity Manager, the same update is made to the account on the target system.

When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

This following are types of provisioning operations:

Direct provisioning
Request-based provisioning
Provisioning triggered by policy changes

If you configure the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then see Switching Between Request-Based Provisioning and Direct Provisioning for MySQL.

The following is an overview of the Create User provisioning process in MySQL that is started through direct provisioning:

On the Create User page of the Administrative and User Console, the administrator enters the data required for an OIM User account creation.

Suppose the administrator enters the following values for the fields on the Create User page:
- First Name: John
- Last Name: Doe
- User ID: jdoe
An OIM User account is created for John Doe.
The administrator selects the resource to be provisioned to the OIM User account that has been created. In this example, the administrator selects the MySQL DB User resource.
The administrator enters the data required for provisioning the MySQL DB User resource. Suppose the administrator wants to create a local user that requires a password to log in to the database. Therefore, the administrator enters the following values on the resource provisioning process form:
- IT Resource: MySQL DB
- User Name: JDoe
- User Password: my_pa55word
In addition, the administrator also enters the following values on the process form for granting privileges:
- Privilege: SELECT ON information_schema
From the information available in the IT resource for the target system, the configuration (Lookup.DBUM.MySQL.Configuration) lookup definition is identified. This lookup definition stores configuration information that is used during connector operations.
The connector bundle contains the script (Provisioning.queries) required for provisioning operations.
The identifiers in the SQL statement are replaced with the input parameters fetched from the query. Then, the SQL statement with actual values is formed.
The connector runs the SQL statement on MySQL and creates the jdoe account on the target system. The next step of the process depends on whether the administrator had entered data for granting privileges to the target system account.

If the administrator did not enter any values for granting privileges, then the provisioning process ends here. Otherwise, the process continues to the next step.
While performing Step 3, the administrator had entered the required data for granting privileges to the jdoe account. Therefore, the corresponding query as mentioned in Step 6 is read.
The complete SQL statement that must be run to perform the Add privilege provisioning operation is formed.
The input parameters required to run the SQL statement are fetched from the parameter configuration done using the queries in the query files.
The identifiers in the SQL statement (formed in Step 9) are replaced with the input parameters fetched from the query. Then, the SQL statement with actual values is formed.
The query runs the SQL statement on the target system (MySQL) and grants privileges to the jdoe target system account.

5.6.3 Configuring Direct Provisioning for MySQL

In direct provisioning, the Oracle Identity Manager administrator uses the Administrative and User Console to create a target system account for a user.

To provision a resource by using the direct provisioning approach:

Log in to the Administrative and User Console.
To first create an OIM User before provisioning a database account to the user:
1. On the Welcome to Identity Administration page, in the Users region, click Create User.
2. On the Create User page, enter values for the OIM User fields, and then click the save icon.
To search for an existing OIM User to be provisioned:
1. On the Welcome to Identity Administration page, search for the user by selecting Users from the Search list on the left pane.
  
  Alternatively, in the Users region, click Advanced Search - User, provide a search criterion, and then click Search.
2. From the list of users displayed in the search results, select the OIM User.
  
  The user details page is displayed.
From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.
On the Step 1: Select a Resource page, select the MySQL DB User resource from the list, and then click Continue.
On the Step 2: Verify Resource Selection page, click Continue.
On the Step 5: Provide Process Data page, enter the details of the account that you want to create on the target system and then click Continue.
If you want to provide child data, then on the Step 5: Provide Process Data page for child data, search for and select the child data for the user on the target system and then click Continue. Repeat the same step if you have more than one child data and you want to provision them.
On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.
The "Provisioning has been initiated" message is displayed. Perform the following steps:
1. Close the window displaying the "Provisioning has been initiated" message.
2. On the Resources tab, click Refresh to view the newly provisioned resource.
  
  If the resource status is Provisioned, then provisioning was successful. If the status is Provisioning, then there may be an error. To verify if there was an error, you can check the resource history.

5.6.4 Configuring Request-Based Provisioning for MySQL

The following sections discuss the steps to be performed to enable request-based provisioning:

5.6.4.1 About Request Based Provisioning for MySQL

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource on the resource can be viewed and approved by approvers designated in Oracle Identity Manager.

The following are features of request-based provisioning:

A user can be provisioned only one resource (account) on the target system.

Note:

Direct provisioning allows the provisioning of multiple database accounts on the target system.
Direct provisioning cannot be used if you enable request-based provisioning.

5.6.4.2 Enabling Request-Based Provisioning

The following sections provide information about the procedures you must perform to enable request-based provisioning:

Note:

The procedure described in this section is applicable only if you are using Oracle Identity Manager release 11.1.1.x.

5.6.4.2.1 Approver's Role in Request-Based Provisioning for MySQL

The following are steps performed by the approver in a request-based provisioning operation:

Log in to the Administrative and User Console.
On the Welcome page, click Self-Service in the upper-right corner of the page.
On the Welcome to Identity Manager Self Service page, click the Tasks tab.
On the Approvals tab, in the first section, you can specify a search criterion for request task that is assigned to you.
From the search results table, select the row containing the request you want to approve, and then click Approve Task.

A message confirming that the task was approved is displayed.

5.6.4.2.2 Importing MySQL Request Datasets Using Deployment Manager

A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation.

To import a request dataset XML file by using the Deployment Manager:

Log in to the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management.

A dialog box for opening files is displayed.
Locate and open the request dataset XML file, DBUserManagement-MySQL-Datasets.xml, which is in the xml directory of the installation media.

Details of this XML file are shown on the File Preview page.
Click Add File.

The Substitutions page is displayed.
Click Next.

The Confirmation page is displayed.
Click Import.
Close the Deployment Manager dialog box.

The request dataset is imported into Oracle Identity Manager.

5.6.4.2.3 End User's Role in Request-Based Provisioning for MySQL

The following steps are performed by the end user in a request-based provisioning operation:

Log in to the Administrative and User Console.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
From the Actions menu on the left pane, select Create Request.

The Select Request Template page is displayed.
From the Request Template list, select Provision Resource and click Next.
On the Select Users page, specify a search criterion in the fields to search for the user that you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.
From the Available Users list, select the user to whom you want to provision the account.

If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.
Click Move or Move All to include your selection in the Selected Users list, and then click Next.
On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
From the Available Resources list, select MySQL DB User, move it to the Selected Resources list, and then click Next.
On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
On the Justification page, you can specify values for the following fields, and then click Finish.
- Effective Date
- Justification
A message confirming that your request has been sent successfully is displayed along with the Request ID.
If you click the request ID, then the Request Details page is displayed.
To view details of the approval, on the Request Details page, click the Request History tab.

5.6.4.2.4 Enabling the Auto Save Form Feature for MySQL

To enable the Auto Save Form feature:

Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the MySQL DB process definition.
Select the Auto Save Form check box.
Click the save icon.

5.6.4.2.5 Running the PurgeCache Utility for MySQL

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache.

See Clearing Content Related to the Connector Resource Bundles from the Server Cache for instructions.

The procedure to enable enabling request-based provisioning ends with this step.

5.6.5 Switching Between Request-Based Provisioning and Direct Provisioning for MySQL

If you have configured the connector for request-based provisioning, you can always switch to direct provisioning. Similarly, you can always switch back to request-based provisioning any time. This section discusses the following topics:

5.6.5.1 Switching From Request-Based Provisioning to Direct Provisioning

Note:

It is assumed that you have performed the procedure described in Configuring Request-Based Provisioning for MySQL.

If you want to switch from request-based provisioning to direct provisioning, then:

Log in to the Design Console.
Disable the Auto Save Form feature as follows:
1. Expand Process Management, and then double-click Process Definition.
2. Search for and open the MySQL DB process definition.
3. Deselect the Auto Save Form check box.
4. Click the save icon.
If the Self Request Allowed feature is enabled, then:
1. Expand Resource Management, and then double-click Resource Objects.
2. Search for and open the MySQL DB User resource object.
3. Deselect the Self Request Allowed check box.
4. Click the save icon.

5.6.5.2 Switching From Direct Provisioning to Request-Based Provisioning

If you want to switch from direct provisioning back to request-based provisioning, then:

Log in to the Design Console.
Enable the Auto Save Form feature as follows:
1. Expand Process Management, and then double-click Process Definition.
2. Search for and open the MySQL DB process definition.
3. Select the Auto Save Form check box.
4. Click the save icon.
If you want to enable end users to raise requests for themselves, then:
1. Expand Resource Management, and then double-click Resource Objects.
2. Search for and open the MySQL DB User resource object.
3. Select the Self Request Allowed check box.
4. Click the save icon.

5.6.6 Performing Provisioning Operations in Oracle Identity Manager Release 11.1.2.x

To perform provisioning operations in Oracle Identity Manager release 11.1.2.x:

Log in to Identity Self Service.
If you want to first create an OIM User and then provision a target system account, then:

Note:

See Creating Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.
1. In the left pane, under Administration, click Users.
  
  The Search Users page is displayed.
2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar.
3. On the Create User page, enter values for the OIM User fields, and then click Submit. A message is displayed stating that the user is created successfully.
If you want to provision a target system account to an existing OIM User, then:

Note:

See Searching Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about searching a user.
1. In the left pane, under Administration, click Users.
  
  The Search Users page is displayed.
2. Specify a search criteria to search for the OIM User, and then click Search.
3. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.
On the Account tab, click Request Accounts.
In the Catalog page, search for and add to cart the application instance (in other words, the account to be provisioned), and then click Checkout.
Specify value for fields in the application form and then click Ready to Submit.
Click Submit.
If you want to provision entitlements, then:
1. On the Entitlements tab, click Request Entitlements.
2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.
3. Click Submit.

5.7 Extending the Connector for MySQL

The following sections describe procedures that you can perform to extend the functionality of the connector for addressing your specific business requirements:

Note:

From Oracle Identity Manager Release 11.1.2 onward, lookup queries are not supported. See Managing Lookups in Oracle Fusion Middleware Administering Oracle Identity Manager for information about managing lookups by using the Form Designer in Identity System Administration.

5.7.1 Modifying Predefined Queries or Creating New Queries for MySQL

The following sections discuss the syntax and guidelines that you must apply while modifying the predefined queries or creating new queries:

5.7.1.1 About the Queries for MySQL Database

Predefined queries are provided to reconcile target system user records, synchronize lookup field values with Oracle Identity Manager, and for provisioning operations. You can modify the predefined queries or add your own queries.

The query files are included in a JAR file in the bundle directory of the connector installation media. For example, bundle/org.identityconnectors.dbum-1.0.1116.jar.

The connector includes the following types of queries:

Provisioning Queries

They are used for create, update, and delete operations. The query file is scripts/mysql/Provisioning.queries.
List of Values Search Queries

They are used for reconciliation of lookup definitions. A list of value query operates on a set of values for fields such as profiles, privileges, roles, and tablespaces. The query file is scripts/mysql/LoVSearch.queries.
Account Search Queries

They are used for full and delete reconciliation operations. An account search query operates on account and group searches with various conditions. The query file is scripts/mysql/Search.queries.

Note:

The stored procedure OUT parameters cannot be configured for write-back on the process form. The returned values cannot be used for any connector operations.

5.7.1.2 Syntax of Provisioning Queries for MySQL Database

The following is the syntax of the queries used for provisioning operations:

QUERYID {

Query="QUERY"

QueryType="QUERYTYPE"

Parameters=["PARAM1":"PARAMDEFN1", "PARAM2":"PARAMDEFN2"...]

ExtensionJoin="EXTENSIONJOIN"

ExtensionSeparator="EXTENSIONSEPARATOR"

QueryExtensions=["EXTENSION1","EXTENSION2"...]

}

For example:

CREATE_USER {
    Query="CREATE USER {__NAME__} IDENTIFIED BY {__PASSWORD__}"
    QueryType="SQL"
    Parameters=["__NAME__":"Type:String","__PASSWORD__":"Type:GuardedString,TAGS:QUOTES"]
    QueryExtensions=[]
}

In this syntax:

QUERYID refers to the unique name of the query.

For example: CREATE_USER
QUERY refers to the main query.

For example: Query="CREATE USER {__NAME__} IDENTIFIED BY {__PASSWORD__}"
QueryType refers to the type of the main query, either an SQL query or a stored procedure. The value of QUERYTYPE can be SQL or StoredProc.

For example: QueryType="SQL"
Parameters refers to the list of comma separated parameters and parameter definitions used with the main query, represented by "PARAM1":"PARAMDEFN1", "PARAM2":"PARAMDEFN2", and so on.

For example: Parameters=["__NAME__":"Type:String","__PASSWORD__":"Type:GuardedString,TAGS:QUOTES"]

A parameter can have the following attributes:
- Type is the type of the parameter.
- Direction is the flow of data from the query to or from the parameter. It can have a value of IN, OUT, or INOUT.
- TAGS is the enclosure characters that are applied to each parameter before the query is processed. It can have a value of DOUBLEQUOTES, QUOTES, UPPERCASE, or LOWERCASE.
  
  If you want to use multiple tags, you must encapsulate the tags in escaped quotes and separate them by commas. However, you must not use DOUBLEQUOTES with QUOTES or UPPERCASE with LOWERCASE in the same query.
  
  For example: "Type:String,TAGS:\"DOUBLEQUOTES,UPPERCASE\"
ExtensionJoin (optional) refers to the operator, represented by EXTENSIONJOIN, used to join the main query with query extensions.

For example: ExtensionJoin=","
ExtensionSeparator (optional) refers to the delimiter between query extensions, represented by EXTENSIONSEPARATOR.

For example: ExtensionSeparator=", "
QueryExtensions (optional) refers to the extensions that must be appended to the main query, represented by EXTENSION1, EXTENSION2, and so on.

During a provisioning operation, the connector combines all these components to the following query:

QUERY PARAM1, PARAM2... [EXTENSIONJOIN [EXTENSION1 EXTENSIONSEPARATOR EXTENSION2 EXTENSIONSEPARATOR...]]

For example:

CREATE USER {__NAME__} IDENTIFIED BY {__PASSWORD__}

using-and-extending-connector-mysql.htm#GUID-51430BEC-D598-4112-B44D-C22F85D35802__CHDDJGIC lists the script selection logic of the provisioning queries:

Table 5-16 Script Section Logic for MySQL Provisioning Queries

Operation	Selection Logic	Query IDs
CREATE	CREATE_OBJECTYPE	CREATE_USER
DELETE	DELETE_OBJECTTTYPE	DELETE_USER
RESET PASSWORD	SET_PASSWORD	SET_PASSWORD
ADD CHILD VALUES	UPDATE_ADD_ATTRIBUTE	UPDATE_ADD_PRIVILEGES
REMOVE CHILD VALUES	UPDATE_REVOKE_ATTRIBUTE	UPDATE_REVOKE_PRIVILEGES

5.7.1.3 Syntax of Reconciliation Queries for MySQL Database

The following is the syntax of the search queries used during reconciliation operations:

QUERYID {

Query="QUERY"

QueryType="QUERYTYPE"

Parameters=["PARAM1":"PARAMDEFN1", "PARAM2":"PARAMDEFN2"...]

ExtensionJoin="EXTENSIONJOIN"

ExtensionSeparator="EXTENSIONSEPARATOR"

QueryExtensions=["EXTENSION1","EXTENSION2"...]

}

For example:

SEARCH_USER {
    Query="SELECT {__UID__} FROM MYSQL.USER {filter}"
    QueryType="SQL"
    Parameters=["__UID__":"Type:String,Direction:OUT,ColName:USER"]
    QueryExtensions=["SEARCH_USER_PRIVILEGE"]
}

In this syntax:

QUERYID refers to the unique name of the query.

For example: SEARCH_USER

QUERYID can be one of the following values:
- SEARCH_USER
- BATCHED_SEARCH_USER
- SEARCH_USER_PRIVILEGE
QUERY refers to the main query.

For example: Query="SELECT {__UID__} FROM MYSQL.USER {filter}"
QueryType refers to the type of the main query, either an SQL query, a stored procedure, or a query extension. The value of QUERYTYPE can be SQL, StoredProc, or QUERYEXTENSION.

For example: QueryType="SQL"
Parameters refers to the list of comma separated parameters and parameter definitions used with the main query, represented by "PARAM1":"PARAMDEFN1", "PARAM2":"PARAMDEFN2", and so on.

For example:

Parameters=["__UID__":"Type:String,Direction:OUT,ColName:USER"]

A parameter can have the following attributes:
- Type is the type of the parameter.
- Direction is the flow of data from the query to or from the parameter. It can have a value of IN, OUT, or INOUT.
- ColName is the column name in the target system corresponding to the parameter in the query.
- ColQuery is the query used to fetch values for the corresponding query parameter.
ExtensionJoin (optional) refers to the operator, represented by EXTENSIONJOIN, used to join the main query with query extensions.

For example: ExtensionJoin=","
ExtensionSeparator (optional) refers to the delimiter between query extensions, represented by EXTENSIONSEPARATOR.

For example: ExtensionSeparator=", "
QueryExtensions (optional) refers to the extensions that must be appended to the main query, represented by EXTENSION1, EXTENSION2, and so on.

For example: QueryExtensions=["SEARCH_USER_PRIVILEGE"]

During a reconciliation operation, the connector combines all these components to the following query:

QUERY PARAM1, PARAM2... [EXTENSIONJOIN [EXTENSION1 EXTENSIONSEPARATOR EXTENSION2 EXTENSIONSEPARATOR...]]

For example:

SELECT {__UID__} FROM MYSQL.USER {filter} SEARCH_USER_PRIVILEGE

5.7.1.4 Syntax of List of Values Queries for MySQL Database

If a search query is performed on account types, such as User Name, then the query is considered as a reconciliation query. If a search query is performed on any other object, then the query is considered as a list of values query.

The following is the syntax of the list of values queries used for lookup field synchronization:

OBJECTTYPE = "QUERY"

For example:

__PRIVILEGES__="SELECT CONCAT(p.PRIVILEGE_TYPE, ' ON ',s.SCHEMA_NAME) SchemaPrivilege FROM INFORMATION_SCHEMA.SCHEMATA s,INFORMATION_SCHEMA.SCHEMA_PRIVILEGES p"

In this syntax:

OBJECTTYPE refers to the lookup field attribute.

For example: __PRIVILEGES__
QUERY refers to the query used for fetching a lookup field attribute.

For example: SELECT CONCAT(p.PRIVILEGE_TYPE, ' ON ',s.SCHEMA_NAME) SchemaPrivilege FROM INFORMATION_SCHEMA.SCHEMATA s,INFORMATION_SCHEMA.SCHEMA_PRIVILEGES p

The list of values queries return values that are used as lookup field entries. By default, the connector includes dedicated scheduled job for each lookup definition. To use a custom lookup definition, you must add custom fields in the query file.

5.7.2 Configuring Queries to Add Support for Custom Parameters and Lookup Fields for MySQL

The connector uses preconfigured queries for connector operations such as create, delete, and search. You can add custom parameters and lookup definition fields as per your requirements.

The procedure to add a parameter or a lookup definition field to a query file is discussed in the following sections:

5.7.2.1 Updating the Query Files for MySQL Database

To update the query files:

If the connector is already installed, run the Oracle Identity Manager Download JARs utility to download the connector bundle JAR file from the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

Note:

Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

For Microsoft Windows:

OIM_HOME/server/bin/DownloadJars.bat

For UNIX:

OIM_HOME/server/bin/DownloadJars.sh

When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being downloaded, and the location from which the JAR file is to be downloaded. Select ICFBundle as the JAR type.
Copy the bundle JAR file in a temporary directory.

Sample JAR file: bundle/org.identityconnectors.dbum-1.0.1116.jar

Sample temporary directory: c:\temp
Run the following command to extract the connector bundle JAR file:
```
jar -xvf org.identityconnectors.dbum-1.0.1116.jar
```
Note:

You can also run the WinZip or WinRAR utility to extract the contents from the JAR file.
Delete the bundle JAR file in the temporary directory.
Update the value of ConnectorBundle-Version in the manifest file, META-INF/MANIFEST.MF, to a new value.

For example:

ConnectorBundle-Version: 1.0.1117
Depending on your requirement, update the query files with new parameters as per the query syntax described in Modifying Predefined Queries or Creating New Queries for MySQL.

For example, if you want to add a new parameter, CUSTOM_ATTRIBUTE, to the CREATE_USER provisioning query:
1. Open the provisioning query file in a text editor.
  
  Sample query file: c:\temp\bundle\org.identityconnectors.dbum-1.0.1116\scripts\mysql\Provisioning.queries
2. Add the parameter, CUSTOM_ATTRIBUTE, to the CREATE_USER query.
  
  The following is a sample updated query:
```
CREATE_USER {
    Query="CREATE USER {__NAME__} IDENTIFIED BY {__PASSWORD__}, {CUSTOM_ATTRIBUTE}"
    QueryType="SQL"
    Parameters=["__NAME__":"Type:String", "__PASSWORD__":"Type:GuardedString,TAGS:QUOTES", "CUSTOM_ATTRIBUTE":"Type:String,Direction:IN"]
    QueryExtensions=[]
}
```
3. Save and close the query file.
Create a new bundle JAR file that contains the updated manifest file and the provisioning query file as follows:
1. Open the command prompt and navigate to the temporary directory:
  
  c:\temp
2. Run the following command:
```
jar -cvfm org.identityconnectors.dbum-1.0.1117.jar *
```
The new connector bundle JAR name contains the new bundle version.
In the case of a remote connector server, copy the new bundle JAR file in the bundles directory of the remote connector server, instead of posting the JAR file to the Oracle Identity Manager database. Skip to Step 10.
Run the Oracle Identity Manager Update JARs utility to update the JAR file created in Step 7 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

Note:

Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

If you have installed both the Oracle and MySQL connectors on the same Oracle Identity Manager, then ensure that all third-party JAR files are part of the /lib directory in the connector bundle JAR file.

For Microsoft Windows:

OIM_HOME/server/bin/UpdateJars.bat

For UNIX:

OIM_HOME/server/bin/UpdateJars.sh

When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being updated, and the location from which the JAR file is to be updated. Select ICFBundle as the JAR type.
Update the configuration lookup with the new bundle version.

For example, you can update the Lookup.DBUM.MySQL.Configuration lookup definition.

5.7.2.2 Configuring Oracle Identity Manager

You can skip this procedure if the parameter you added already exists as a default form field in Oracle Identity Manager.

To configure Oracle Identity Manager for adding a parameter:

Log into Oracle Identity Manager Design Console.
Create a new version of the process form:
1. Expand Development Tools.
2. Double-click Form Designer.
3. Search for and open the UD_DB_MYS_U process form.
4. Click Create New Version.
  
  On the Create a new version dialog box, enter a new version in the Label field, and then click the save icon.
Add the new field on the process form.
1. Click Add.
  
  A field is added to the list. Enter the details of the field.
  
  For example, if you are adding the CustomAttribute1 field, enter UD_DB_MYS_U_CUSTOM1 in the Name field and then enter the rest of the details of this field.
2. Click the save icon and then click Make Version Active.
If you are using Oracle Identity Manager release 11.1.2.x or later, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:
1. Log in to Oracle Identity System Administration.
2. Create and active a sandbox.
3. Create a new UI form to view the newly added field along with the rest of the fields. See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Manager.
4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 4.c), and then save the application instance.
5. Publish the sandbox as described in Publishing a Sandbox of Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
Create an entry for the field in the lookup definition for provisioning as follows:
1. Expand Administration.
2. Double-click Lookup Definition.
3. Search for and open the Lookup.DBUM.MySQL.UM.ProvAttrMap lookup definition.
4. Click Add and enter the Code Key and Decode values for the field.
  
  The Code Key value must be the form field name. The Decode value must be the attribute name on the target system.
  
  For example, enter Custom Attribute 1 in the Code Key field and then enter CustomAttribute1 in the Decode field.
5. Click the save icon.

Create a process task to update the new field Custom Attribute 1 as follows:

Expand Process Management.
Double-click Process Definition and open the MySQL DB User process definition.
Click Add and enter the task name, for example, Custom Attribute 1 Updated, and the task description.
In the process definition, select Conditional and Allow Multiple Instances fields and click the save icon.
On the Integration tab, click Add, and then click Adapter.
Select the adpMYSQLDBUMUPDATEUSER adapter, click the save icon, and then click OK in the message that is displayed.

To map the adapter variables listed in this table, select the adapter, click Map, and then specify the data given in the following table:

Variable Name	Data Type	Map To	Qualifier	Literal Value
Adapter return value	Object	Response code	NA	NA
attributeName	String	Literal	String	Custom Attribute 1
itRes	String	Literal	String	UD_DB_MYS_U_ITRES
objectType	String	Literal	String	User
processInstanceKey	Long	Process Data	Process Instance	NA

On the Responses tab, click Add to add the following response codes:

Code Name Description Status

ERROR

Error occurred

R

UNKNOWN

An unknown response was received

R

SUCCESS

Operation completed

C
Click the save icon and then close the dialog box.

Code Name	Description	Status
ERROR	Error occurred	R
UNKNOWN	An unknown response was received	R
SUCCESS	Operation completed	C

5.7.3 About Configuring the Connector for Multiple Installations of MySQL

You might want to configure the connector for multiple installations of the target system. The following example illustrates this requirement:

The London and New York offices of Example Multinational Inc. have their own installations of the target system. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of the target system.

To meet the requirement posed by such a scenario, you can create copies of connector objects, such as the IT resource and resource object.

The decision to create a copy of a connector object might be based on a requirement. For example, an IT resource can hold connection information for one target system installation. Therefore, it is mandatory to create a copy of the IT resource for each target system installation.

With some other connector objects, you do not need to create copies at all. For example, a single attribute-mapping lookup definition can be used for all installations of the target system.

All connector objects are linked. For example, a scheduled job holds the name of the IT resource. Similarly, the IT resource for a target system such as MySQL holds the name of the configuration lookup definition, Lookup.DBUM.MySQL.Configuration. If you create a copy of an object, then you must specify the name of the copy in associated connector objects.

Note:

To reconcile data from a particular target system installation, specify the name of the IT resource for that target system installation as the value of the scheduled job attribute that holds the IT resource name. For example, you enter the name of the IT resource as the value of the IT resource attribute of the scheduled job that you run.
When you use Identity Self Service to perform provisioning, you can specify the IT resource corresponding to the target system installation to which you want to provision the user.

using-and-extending-connector-mysql.htm#GUID-6EB127B6-2620-4EDE-A5DF-3AB68E14B031__CHDCDIJA lists associations between connector objects whose copies can be created and the other objects that reference these objects. When you create a copy of a connector object, use this information to change the associations of that object with other objects.

Note:

On a particular Oracle Identity Manager installation, if you create a copy of a connector object, then you must set a unique name for it.
If you are using Oracle Identity Manager release 11.1.2.x or later, then in addition to the procedure described in this section, you must create an application instance for each IT resource. See Configuring Oracle Identity Manager Release 11.1.2 or Later for information on creating an application instance.

Table 5-17 Connector Objects and Their Associations

Connector Object	Name	Referenced By	Comments on Creating a Copy
IT resource	MySQL DB	UD_DB_MYS_U (process form) Scheduled tasks	Create a copy of the IT resource with a different name.
Resource object	MySQL DB User MySQL DB Trusted	All connector operations	It is optional to create a copy of the resource object. If you are reconciling the same set of attributes from all installations of the target system, then you need not create a copy of the resource object. Note: Create copies of the resource object only if there are differences in attributes between the various installations of the target system.
Scheduled Jobs	There are many scheduled jobs for different purposes.	NA	You can use the scheduled jobs with the same names. However, you must update the values of the parameters depending on the target system you want to use.
Process definition	MySQL DB User	NA	It is optional to create a copy of the process definition. If you are reconciling or provisioning the same set of attributes from all installations of the target system, then you need not create a copy of the process definition. Note: Create copies of the process form only if there are differences in attributes between the various installations of the target system.
Process form	UD_DB_MYS_U	MySQL DB User (Process definition)	It is optional to create a copy of the process form. If you are provisioning the same set of attributes from all installations of the target system, then you need not create a copy of the process definition. Note: Create copies of the process form only if there are differences in attributes between the various installations of the target system.
Child process form	UD_DB_MYS_P	MySQL DB User (Process definition) UD_DB_MYS_U (Process form)	It is optional to create a copy of the child process form. If you are provisioning a new set of child data, then you need to create a copy of the child and parent process forms. Then, assign the newly created child process form to the newly created parent process form.
Configuration lookup definition for a target system configured as a target resource	Lookup.DBUM.MySQL.Configuration	MySQL DB (IT resource)	It is optional to create a copy of the configuration lookup definition. If you are provisioning and reconciling the same set of attributes in all installations of the target system (configured as a target resource), then you need not create a copy of the configuration lookup definition. Note: Create copies of the configuration lookup definition only if there are differences in attributes between the various installations of the target system and you have created a new process form.
Configuration lookup definition for a target system configured as a trusted source	Lookup.DBUM.MySQL.Configuration.Trusted	MySQL DB (IT resource)	It is optional to create a copy of the configuration lookup definition. If you are reconciling the same set of attributes in all installations of the target system (configured as a trusted source), then you need not create a copy of the configuration lookup definition. Note: Create copies of the configuration lookup definition for trusted source only if there are differences in attributes between the various installations of the target system and you have created a new process form.
Resource object attributes mapping lookup definition (for target resource)	Lookup.DBUM.MySQL.UM.ReconAttrMap	NA	It is optional to create a copy of resource object attribute mapping lookup definition. If you are reconciling the same set of attributes in all installations of the target system, then you need not to create a copy of resource object attribute mapping lookup. Note: Create copies of this lookup definition only if there are differences in attributes between the two installations of the target system.
Configuration lookup definition for a target system configured as a trusted source	Lookup.DBUM.MySQL.UM.ReconAttrMap.Trusted	MySQL DB (IT resource)	It is optional to create a copy of the configuration lookup definition. If you are reconciling the same set of attributes in all installations of the target system (configured as a trusted source), then you need not create a copy of the configuration lookup definition. Note: Create copies of the configuration lookup definition for trusted source only if there are differences in attributes between the various installations of the target system and you have created a new process form.

5.7.4 About Configuring the Connector for Multiple Trusted Source Reconciliation from MySQL

Note:

This connector supports multiple trusted source reconciliation.

This section describes an optional procedure. Perform this procedure only if you want to configure the connector for multiple trusted source reconciliation.

The following are examples of scenarios in which there is more than one trusted source for user data in an organization:

One of the target systems is a trusted source for data about users. The second target system is a trusted source for data about contractors. The third target system is a trusted source for data about interns.
One target system holds the data of some of the identity fields that constitute an OIM User. Two other systems hold data for the remaining identity fields. In other words, to create an OIM User, data from all three systems would need to be reconciled.

If the operating environment of your organization is similar to that described in either one of these scenarios, then this connector enables you to use the target system as one of the trusted sources of person data in your organization.

See Managing Reconciliation in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about multiple trusted source reconciliation.

5.7.5 Configuring Validation of Data During Reconciliation and Provisioning for MySQL

You can configure validation of reconciled and provisioned single-valued data according to your requirements. For example, you can validate data fetched from the First Name attribute to ensure that it does not contain the number sign (#). In addition, you can validate data entered in the First Name field on the process form so that the number sign (#) is not sent to the target system during provisioning operations.

To configure validation of data:

Write code that implements the required validation logic in a Java class with a fully qualified domain name (FQDN), such as org.identityconnectors.dbum.extension.DBUMValidator.

This validation class must implement the validate method. The following sample validation class checks if the value in the First Name attribute contains the number sign (#):

package com.validationexample;

import java.util.HashMap;
 
public class MyValidator {
    public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) throws ConnectorException {
 
        /* You must write code to validate attributes. Parent
                 * data values can be fetched by using hmUserDetails.get(field)
                 * For child data values, loop through the
                 * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
                 * Depending on the outcome of the validation operation,
                 * the code must return true or false.
                 */
        /*
        * In this sample code, the value "false" is returned if the field
        * contains the number sign (#). Otherwise, the value "true" is
        * returned.
        */
        boolean valid = true;
        String sFirstName = (String) hmUserDetails.get(sField);
        for (int i = 0; i < sFirstName.length(); i++) {
            if (sFirstName.charAt(i) == '#') {
                valid = false;
                break;
            }
        }
        return valid;
 
    }
}

Log in to the Design Console.
Search for and open one of the lookup definitions (or create a new lookup) listed in Lookup Definition for Validation of Data in MySQL.

For example, Lookup.DBUM.MySQL.UM.ProvValidations.

Note:

If you cannot find these lookup definitions, create new lookup definitions.
In the Code Key column, enter the resource object field name that you want to validate. For example, Username.
In the Decode column, enter the class name. For example, org.identityconnectors.dbum.extension.DBUMValidator.
Save the changes to the lookup definition.
Search for and open the configuration lookup definition for the target system you use.

For example, Lookup.DBUM.MySQL.UM.Configuration.
In the Code Key column, enter one of the following entries:
- To configure validation of data for reconciliation:
  
  Recon Validation Lookup
- To configure validation of data for provisioning:
  
  Provisioning Validation Lookup
In the Decode column, enter the name of the lookup you updated or created in step 3.

For example, Lookup.DBUM.MySQL.UM.ProvValidations.
Save the changes to the lookup definition.
Create a JAR with the class and upload it to the Oracle Identity Manager database as follows:

Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 7 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

Note:

Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

For Microsoft Windows:

OIM_HOME/server/bin/UploadJars.bat

For UNIX:

OIM_HOME/server/bin/UploadJars.sh

When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Select 1 as the value of the JAR type.
Run the PurgeCache utility to clear content related to request datasets from the server cache.
Perform reconciliation or provisioning to verify validation for the field, for example, Username.

5.7.6 Configuring Transformation of Data During User Reconciliation for MySQL

You can configure transformation of reconciled single-valued user data according to your requirements. For example, you can use First Name and Last Name values to create a value for the Full Name field in Oracle Identity Manager.

To configure transformation of single-valued user data fetched during reconciliation:

Write code that implements the required transformation logic in a Java class with a fully qualified domain name (FQDN), such as org.identityconnectors.dbum.extension.DBUMTransfomation.

This transformation class must implement the transform method. The following sample transformation class modifies the Username attribute by using values fetched from the __NAME__ attribute of the target system:

package com.transformationexample;

import java.util.HashMap;
 
 
public class MyTransformer {
    public Object transform(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) throws ConnectorException {
        /*
        * You must write code to transform the attributes.
        * Parent data attribute values can be fetched by
        * using hmUserDetails.get("Field Name").
        * To fetch child data values, loop through the
        * ArrayList/Vector fetched by hmEntitlementDetails.get("Child          Table")
        * Return the transformed attribute.
        */
        String sUserName = (String) hmUserDetails.get("__NAME__");
        return sUserName + "@example.com";
 
    }
}

Log in to the Design Console.
Search for and open one of the lookup definitions (or create a new lookup) listed in Lookup Definitions for Transformation of Data in MySQL.

For example, Lookup.DBUM.MySQL.UM.ReconTransformations.

Note:

If you cannot find these lookup definitions, create new lookup definitions.
In the Code Key column, enter the resource object field name you want to transform. For example, Username.
In the Decode column, enter the class name. For example, org.identityconnectors.dbum.extension.DBUMTransfomation.
Save the changes to the lookup definition.
Search for and open the Lookup.DBUM.MySQL.UM.Configuration lookup definition.
In the Code Key column, enter Recon Transformation Lookup.
In the Decode column, enter the name of the lookup you updated or created in step 3.

For example, Lookup.DBUM.MySQL.UM.ReconTransformations.

For trusted mode, use Lookup.DBUM.MySQL.UM.ReconTransformations.Trusted.
Save the changes to the lookup definition.
Create a JAR with the class and upload it to the Oracle Identity Manager database as follows:

Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 7 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

Note:

Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

For Microsoft Windows:

OIM_HOME/server/bin/UploadJars.bat

For UNIX:

OIM_HOME/server/bin/UploadJars.sh

When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Select 1 as the value of the JAR type.
Run the PurgeCache utility to clear content related to request datasets from the server cache.
Perform reconciliation to verify transformation of the field, for example, SimpleDisplayName.

5.7.7 Configuring Resource Exclusion Lists for MySQL

You can specify a list of accounts that must be excluded from reconciliation and provisioning operations. Accounts whose user IDs you specify in the exclusion list are not affected by reconciliation and provisioning operations.

In one of the lookup definitions for exclusion lists, enter the user IDs of target system accounts for which you do not want to perform provisioning and reconciliation operations. See Lookup Definitions for Exclusion Lists for MySQL for information about the lookup definitions and the format of the entries in these lookups.

To add entries in the lookup for exclusions during provisioning and reconciliation operations for MySQL:

On the Design Console, expand Administration and then double-click Lookup Definition.
Search for and open the Lookup.DBUM.MySQL.UM.ExclusionList lookup definition.
Click Add.
In the Code Key column, enter the resource object field name on which the exclusion list is applied. In the Decode column, enter the corresponding ID of the record to exclude.

For example, if you do not want to provision users with the user ID User001, then you must populate the lookup definition with the following values:

Code Key Decode

User Name

User001

Note:

If you want to specify a list of accounts that must be excluded during reconciliation or provisioning, the code key value being specified here must be exactly as the corresponding code key value in the Lookup.DBUM.MySQL.UM.ReconAttrMap lookup definition, or in the Lookup.DBUM.MySQL.UM.ProvAttrMap lookup definition, respectively.
If there is more than one user ID to exclude, then in the decode column, enter a list of all user IDs to exclude. Note that each User ID must be separated by a vertical bar (|).

For example, if you do not want to provision users with user IDs User001, User002, and User088 then you must populate the lookup definition with the following values:

Code Key Decode

User Name

User001|User002|User088

You can also perform pattern matching to exclude user accounts. You can specify regular expressions supported by the representation in the java.util.regex.Pattern class.

See Also:

For information about the supported patterns, visit http://download.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html

For example, if you do not want to provision users matching any of the user IDs User001, User002, and User088, then you must populate the lookup definition with the following values:

Code Key Decode

User Name[PATTERN]

User001|User002|User088

If you do not want to provision users whose user IDs start with 00012, then you must populate the lookup definition with the following values:

Code Key Decode

User Name[PATTERN]

00012*
Click the save icon.

Code Key	Decode
User Name	User001

Code Key	Decode
User Name	User001\|User002\|User088

Code Key	Decode
User Name[PATTERN]	User001\|User002\|User088

Code Key	Decode
User Name[PATTERN]	00012*

5.7.8 Setting Up Action Scripts for MySQL

Learn about action scripts and how to configure them to run before or after the create, update, or delete an account provisioning operations.

This section provides information about the following topics:

5.7.8.1 About Action Scripts for MySQL

Action scripts are scripts that you can configure to run before or after the create, update, or delete an account provisioning operations. For example, you could configure a script to run before every user creation. In another scenario, suppose you have a table called AUDIT_USERLOG where you want to log user creation activities performed only by the connector. Then, you could create and use after create script for adding data to this table after create operation.

Note:

To configure a before or after action, your connector must support running scripts. An exception is Groovy (with target set to Connector), which the Identity Connector Framework (ICF) supports by default for all converged connectors.

Every connector should specify which scripting language and which target it supports. This connector supports the following script:

shell: shell script
target: Connector

The target refers to the location where the script is executed. In this case, the script is executed on the same computer (JVM or .NET Runtime) where the connector is deployed. For example, if you deploy the connector on the connector server, the script will be executed on that computer.

That is, if you are using a local framework, the script runs in your JVM. If you are connected to a remote framework, the script runs in the remote JVM or .NET Runtime.

5.7.8.2 Configuring Action Scripts for MySQL

To configure the action:

Log in to the Design Console.
Search for and open the Lookup.DBUM.MySQL.UM.Configuration lookup definition.
Add the following new values:
- Code Key: Before Create Action Language
- Decode: Enter the scripting language of the script you want to execute
- Sample values: SQL or STOREDPROC
Add these new values:
- Code Key: Before Create Action File
- Decode: Enter the full path to the file containing the script to be executed (Oracle Identity Manager must be able to access this file.)
- Example: /home/scripts/testscript.sql
  
  This script may have a query as follows:
```
INSERT INTO AUDIT_USERLOG VALUES ({__NAME__}, CURRENT_TIMESTAMP))
```
Add these new values:
- Code Key: Before Create Action Target
- Decode: Connector
Save the lookup definition.

Now, this action will be executed every time you create a user. You must configure these three values for each action you want to execute.