9 Extending the Functionality of the Connector

This chapter describes procedures that you can perform to extend the functionality of the connector for addressing your specific business requirements.

Note:

From Oracle Identity Manager Release 11.1.2 onward, lookup queries are not supported. See Managing Lookups of Oracle Fusion Middleware Administering Oracle Identity Manager for information about managing lookups by using the Form Designer in Identity System Administration.

This chapter discusses the following sections:

9.1 Adding Custom Fields for Target Resource Reconciliation

Note:

This section describes an optional procedure. Perform this procedure only if you want to add custom fields for target resource reconciliation.

By default, the fields listed in Table 1-5 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can map additional fields for user reconciliation.

To add a custom field for target resource reconciliation, perform the following procedures:

9.1.1 Adding the Custom Field to Resource Object Reconciliation Fields

To add the custom field to the list of reconciliation fields in the resource object:

  1. Log in to Oracle Identity Manager Design Console.
  2. Expand Resource Management and then double-click Resource Objects.
  3. Search for and open the LDAP User, OID User, or eDirectory User resource object.
  4. On the Object Reconciliation tab, click Add Field.
  5. In the Add Reconciliation Field dialog box, enter the details of the field.

    For example, enter Description in the Field Name field and select String from the Field Type list.

  6. Click Save and close the dialog box.
  7. Click Create Reconciliation Profile. This copies changes made to the resource object into Oracle Identity Manager Meta Data Store (MDS).
  8. Click Save.

9.1.2 Creating an Entry for the Custom Field in the Lookup Definition for Reconciliation

To create an entry for the field in the lookup definition for reconciliation:

  1. Expand Administration and then double-click Lookup Definition.
  2. Search for and open the Lookup.LDAP.UM.ReconAttrMap, Lookup.OID.UM.ReconAttrMap, or Lookup.EDIR.UM.ReconAttrMap lookup definition.
  3. Click Add and enter the Code Key and Decode values for the field. The Code Key value is the name of the field that you provide for the reconciliation field. The Decode value is the name of the target system field.

    For example, enter Description in the Code Key field and then enter description in the Decode field.

  4. Click Save.

9.1.3 Adding the Custom Field on the Process Form

To add the custom field on the process form:

  1. Expand Development Tools and then double-click Form Designer.
  2. Search for and open the UD_LDAP_USR, UD_OID_USR, or UD_EDIR_USR process form.
  3. Click Create New Version and then click Add Field.
  4. Enter the details of the field.

    For example, if you are adding the Description field, enter UD_LDAP_USR_DESCRIPTION, UD_OID_USR_DESCRIPTION, or UD_EDIR_USR_DESCRIPTION in the Name field, and then enter the rest of the details of this field.

  5. Click Save and then click Make Version Active.

9.1.4 Associating a New Form With the Application Instance

If you are using Oracle Identity Manager release 11.1.2.x or later, then every field added through the Form Designer of the Design Console must also be exposed on a new UI form, as follows:

  1. Log in to Oracle Identity System Administration.
  2. Create and activate a sandbox. See Creating and Activating a Sandbox for more information.
  3. Create a new UI form to view the newly added field along with the rest of the fields. See Creating a New UI Form for more information about creating a UI form.
  4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form created in Step 3, and then save the application instance.
  5. Publish the sandbox. See Publishing a Sandbox for more information.

9.1.5 Creating a Reconciliation Field Mapping for the Custom Field in the Provisioning Process

Create a reconciliation field mapping for the custom field in the provisioning process as follows:

  1. Expand Process Management and then double-click Process Definition.
  2. Search for and open the LDAP User, OID User, or eDirectory User provisioning process.
  3. On the Reconciliation Field Mappings tab of the provisioning process, click Add Field Map.
  4. In the Add Reconciliation Field Mapping dialog box, from the Field Name field, select the value for the field that you want to add.

    For example, from the Field Name field, select Description.

  5. Double-click the Process Data field, and then select UD_LDAP_USR_DESCRIPTION, UD_OID_USR_DESCRIPTION, or UD_EDIR_USR_DESCRIPTION.
  6. Click Save and close the dialog box.
  7. Click Save.

9.1.6 Creating the Reconciliation Profile

Create the Reconciliation Profile:

  1. Expand Resource Management and then double-click Resource Objects.
  2. Search for and open the LDAP User, OID User, or eDirectory User resource object.
  3. Click Create Reconciliation Profile. This copies changes made to the resource object into Oracle Identity Manager Meta Data Store (MDS).

9.2 Adding New Multivalued Fields for Target Resource Reconciliation

By default, the multivalued fields listed in the respective lookup definitions are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new multivalued fields for target resource reconciliation.

Note:

  • This section describes an optional procedure. Perform this procedure only if you want to add multivalued fields for target resource reconciliation.

  • You can apply this procedure to add either user, group, organizational unit, or role fields.

  • You must ensure that new fields you add for reconciliation contain only string-format data. Binary fields must not be brought into Oracle Identity Manager natively.

To add a new multivalued field for target resource reconciliation, perform the following procedures:

9.2.1 Creating a Form for the Multivalued Field

To create a form for the multivalued field:

  1. Log in to Oracle Identity Manager Design Console.
  2. Expand Development Tools and double-click Form Designer.
  3. Create a form by specifying a table name (for example, UD_CARLICEN) and a description, and then click Save.
  4. Click Add and enter the details of the field.
  5. Click Save and then click Make Version Active.

9.2.2 Adding the Form as a Child Form of the Process Form

Add the form created for the multivalued field as a child form of the process form as follows:

  1. Search for and open one of the following process forms:

    For users: UD_LDAP_USR, UD_OID_USR, or UD_EDIR_USR

    For groups: UD_LDAP_GR, UD_OID_GR, or UD_EDIR_GR

    For organizational units: UD_LDAP_OU, UD_OID_OU, or UD_EDIR_OU

    For roles: UD_LDAP_RL or UD_EDIR_RL

  2. Click Create New Version.
  3. Click the Child Table(s) tab.
  4. Click Assign.
  5. In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.
  6. Click Save and then click Make Version Active.

9.2.3 Associating a New Form With the Application Instance

If you are using Oracle Identity Manager release 11.1.2.x or later, then every field added through the Form Designer of the Design Console must also be exposed on a new UI form, as follows:

  1. Log in to Oracle Identity System Administration.
  2. Create and activate a sandbox. See Creating and Activating a Sandbox for more information.
  3. Create a new UI form to view the newly added field along with the rest of the fields. See Creating a New UI Form for more information about creating a UI form.
  4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form created in Step 3, and then save the application instance.
  5. Publish the sandbox. See Publishing a Sandbox for more information.

9.2.4 Adding the New Multivalued Field to the Resource Object Reconciliation Fields

Add the new multivalued field to the list of reconciliation fields in the resource object as follows:

  1. Expand Resource Management and then double-click Resource Objects.
  2. Search for and open one of the following resource objects:

    For users: LDAP User, OID User, or eDirectory User

    For groups: LDAP Group, OID Group, or eDirectory Group

    For organizational units: LDAP Organizational Unit, OID Organizational Unit, or eDir Organisation Unit

    For roles: LDAP Role or eDirectory Role

  3. On the Object Reconciliation tab, click Add Field.
  4. In the Add Reconciliation Fields dialog box, enter the details of the field.

    For example, enter carlicenses in the Field Name field and select Multi-Valued Attribute from the Field Type list.

  5. Click Save and then close the dialog box.
  6. Right-click the newly created field and select Define Property Fields.
  7. In the Add Reconciliation Fields dialog box, enter the details of the newly created field.

    For example, enter carlicense in the Field Name field and select String from the Field Type list.

  8. Click Save, and then close the dialog box.
  9. Click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

9.2.5 Creating an Entry for the Field in the Lookup Definition for Reconciliation

Create an entry for the field in the lookup definition for reconciliation as follows:

  1. Expand Administration and then double-click Lookup Definition.
  2. Search for and open one of the following lookup definitions:

    For users: Lookup.LDAP.UM.ReconAttrMap, Lookup.OID.UM.ReconAttrMap, or Lookup.EDIR.UM.ReconAttrMap

    For groups: Lookup.LDAP.Group.ReconAttrMap, Lookup.OID.Group.ReconAttrMap, or Lookup.EDIR.Group.ReconAttrMap

    For organizational units: Lookup.LDAP.OU.ReconAttrMap, Lookup.OID.OU.ReconAttrMap, or Lookup.EDIR.OU.ReconAttrMap

    For roles: Lookup.LDAP.Role.ReconAttrMap or Lookup.EDIR.Role.ReconAttrMap

    Note:

    For the target system fields, you must use the same case (uppercase or lowercase) as given on the target system. This is because the field names are case-sensitive.

  3. Click Add, enter the Code Key and Decode values for the field, and then click Save. The Code Key and Decode values must be in the following format:

    Code Key: MULTIVALUED_FIELD_NAME~CHILD_RESOURCE_OBJECT_FIELD_NAME

    Decode: Corresponding target system attribute.

    For example, enter carlicenses~carlicense in the Code Key field and then enter carLicense in the Decode field.

9.2.6 Creating a Reconciliation Field Mapping for the New Field

Create a reconciliation field mapping for the new field as follows:

  1. Expand Process Management and double-click Process Definition.
  2. Search for and open one of the following process definitions:

    For users: LDAP User, OID User, or eDirectory User

    For groups: LDAP Group, OID Group, or eDirectory Group

    For organizational units: LDAP Organizational Unit, OID Organizational Unit, or eDir Organisation Unit

    For roles: LDAP Role or eDirectory Role

  3. On the Reconciliation Field Mappings tab of the process definition, click Add Table Map.
  4. In the Add Reconciliation Table Mapping dialog box, select the field name and table name from the list, click Save, and then close the dialog box.
  5. Right-click the newly created field, and select Define Property Field Map.
  6. In the Field Name field, select the value for the field that you want to add.
  7. Double-click the Process Data Field field, and then select UD_CARLICEN.
  8. Select Key Field for Reconciliation Field Matching and click Save.

9.3 Adding Custom Fields for Provisioning

Note:

This section describes an optional procedure. Perform this procedure only if you want to add custom fields for provisioning.

By default, the attributes listed in User Fields for Provisioning are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.

To add a custom field for provisioning, perform the following procedures:

9.3.1 Adding the new Field to the Process Form

To add the new field to the process form:

  1. Log in to Oracle Identity Manager Design Console.

  2. Add the new field to the process form.

    If you have added the field on the process form by performing the procedure described in Adding the Custom Field on the Process Form, then you need not add the field again. If you have not added the field, then:

    1. Expand Development Tools and then double-click Form Designer.

    2. Search for and open the UD_LDAP_USR, UD_OID_USR, or UD_EDIR_USR process form.

    3. Click Create New Version and then click Add.

    4. Enter the details of the field.

      For example, if you are adding the Description field, enter UD_LDAP_USR_DESCRIPTION, UD_OID_USR_DESCRIPTION, or UD_EDIR_USR_DESCRIPTION in the Name field, and then enter the rest of the details of this field.

    5. Click Save and then click Make Version Active.

9.3.2 Associating a New Form With the Application Instance

If you are using Oracle Identity Manager release 11.1.2.x or later, then every field added through the Form Designer of the Design Console must also be exposed on a new UI form, as follows:

  1. Log in to Oracle Identity System Administration.
  2. Create and activate a sandbox. See Creating and Activating a Sandbox for more information.
  3. Create a new UI form to view the newly added field along with the rest of the fields. See Creating a New UI Form for more information about creating a UI form.
  4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form created in Step 3, and then save the application instance.
  5. Publish the sandbox. See Publishing a Sandbox for more information.

9.3.3 Creating an Entry for the Field in the Lookup Definition for Provisioning

Create an entry for the field in the lookup definition for provisioning as follows:

  1. Expand Administration and then double-click Lookup Definition.
  2. Search for and open the Lookup.LDAP.UM.ProvAttrMap, Lookup.OID.UM.ProvAttrMap, or Lookup.EDIR.UM.ProvAttrMap lookup definition.
  3. Click Add and then enter the Code Key and Decode values for the field. The Decode value must be the name of the field on the target system.

    For example, enter Description (the name of the field added to the process form in Adding the new Field to the Process Form) in the Code Key field and then enter description in the Decode field.

  4. Click Save.

9.3.4 Enabling Update Provisioning Operations on the Custom Field

Enable update provisioning operations on the custom field as follows:

  1. In the provisioning process, add a new task for updating the field as follows:

    1. Expand Process Management and then double-click Process Definition.

    2. Search for and open the LDAP User, OID User, or eDirectory User provisioning process.

    3. Click Add and enter the task name and task description. The following are sample values:

      Task Name: Description Updated

      Task Description: Process Task for handling update of the description field.

    4. In the Task Properties section, select the following fields:

      - Conditional

      - Allow Cancellation while Pending

      - Allow Multiple Instances

    5. From the Trigger Type list, select Insert.

    6. Click Save.

  2. In the provisioning process, select the adapter name in the Handler Type section as follows:

    1. Go to the Integration tab, and click Add.

    2. In the Handler Selection dialog box, select Adapter.

    3. From the Handler Name column, select adpLDAPUPDATE or adpLDAPCHILDUPDATE.

      For an eDirectory target, select adpEDIRUPDATE or adpEDIRCHILDUPDATE.

    4. Click Save and close the dialog box.

  3. In the Adapter Variables region, click the procInstanceKey variable.

  4. In the dialog box that is displayed, create the following mapping:

    Variable Name: procInstanceKey

    Map To: Process Data

    Qualifier: Process Instance

  5. Click Save and close the dialog box.

  6. Repeat Steps 3 through 5 for the remaining variables listed in the Adapter Variables region. The following table lists the values that you must select from the Map To, Qualifier, and Literal Value lists for each variable:

    Variable                | Map To        | Qualifier        | Literal Value
    Adapter Return Variable | Response Code | NA               | NA
    procInstanceKey         | Process Data  | Process Instance | NA
    itResourceName (*)      | Literal       | String           | UD_LDAP_USR_SERVER, UD_OID_USR_SERVER, or UD_EDIR_USR_SERVER
    attrFieldName           | Literal       | String           | Description
    objectType              | Literal       | String           | User

    (*) For an OID target, this variable is named itResourceFieldName.

  7. On the Responses tab, click Add to add at least the SUCCESS response code, with Status C. This ensures that if the custom task is successfully run, then the status of the task is displayed as Completed.

  8. Click the Save icon and close the dialog box, and then save the process definition.

9.3.5 Updating the Request Dataset

Note:

Perform the steps in this section and in Running the PurgeCache Utility and Importing the Request Dataset Definition to MDS only if you want to perform request-based provisioning.

When you add an attribute on the process form, you must also update the XML file containing the request dataset definitions. To update a request dataset:

  1. In a text editor, open the XML file located in the OIM_HOME/DataSet/file directory for editing.
  2. Add the AttributeReference element and specify values for the mandatory attributes of this element.

    For example, while performing the procedure in Adding the new Field to the Process Form, if you added Employee ID as an attribute on the process form, then enter the following line:

    <AttributeReference
      name="Employee ID"
      attr-ref="Employee ID"
      type="String"
      widget="text"
      length="50"
      available-in-bulk="false"/>

    In this AttributeReference element:

    • For the name attribute, enter the value in the Name column of the process form without the table-name prefix.

      For example, if UD_LDAP_USR_EMPLOYEE_ID is the value in the Name column of the process form, then specify Employee ID as the value of the name attribute in the AttributeReference element.

    • For the attr-ref attribute, enter the value that you entered in the Field Label column of the process form while performing Adding the new Field to the Process Form.

    • For the type attribute, enter the value that you entered in the Variant Type column of the process form while performing Adding the new Field to the Process Form.

    • For the widget attribute, enter the value that you entered in the Field Type column of the process form, while performing Adding the new Field to the Process Form.

    • For the length attribute, enter the value that you entered in the Length column of the process form while performing Adding the new Field to the Process Form.

    • For the available-in-bulk attribute, specify true if the attribute must be available during bulk request creation or modification. Otherwise, specify false.

    While performing the steps in Adding the new Field to the Process Form, if you added more than one attribute on the process form, then repeat this step for each attribute added.

  3. Save and close the XML file.

9.3.6 Running the PurgeCache Utility and Importing the Request Dataset Definition to MDS

Run the PurgeCache utility to clear content related to request datasets from the server cache.

See Purging Cache in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about the PurgeCache utility.

Import into MDS, the request dataset definitions in XML format.

See Importing Request Datasets for detailed information about the procedure.

9.4 Adding New Multivalued Fields for Provisioning

Note:

This section describes an optional procedure. Perform this procedure only if you want to add multivalued fields for provisioning.

To add new multivalued fields for provisioning, perform the following procedures:

Note:

Before starting the following procedure, perform the procedures described in Creating a Form for the Multivalued Field through Adding the New Multivalued Field to the Resource Object Reconciliation Fields. If these steps have been performed while adding new multivalued fields for target resource reconciliation, then you need not repeat the steps.

9.4.1 Creating an Entry for the Field in the Lookup Definition for Provisioning

Create an entry for the field in the lookup definition for provisioning as follows:

  1. Log in to Oracle Identity Manager Design Console.
  2. Expand Administration and double-click Lookup Definition.
  3. Search for and open one of the following lookup definitions, depending on the type of field and your target system:
    • For a user field, open Lookup.LDAP.UM.ProvAttrMap, Lookup.OID.UM.ProvAttrMap, or Lookup.EDIR.UM.ProvAttrMap

    • For a group field, open Lookup.LDAP.Group.ProvAttrMap or Lookup.OID.Group.ProvAttrMap

    • For an organizational unit field, open Lookup.LDAP.OU.ProvAttrMap or Lookup.OID.OU.ProvAttrMap

    • For a role field, open Lookup.LDAP.Role.ProvAttrMap

  4. Click Add and then enter the Code Key and Decode values for the field. The Code Key and Decode values must be in the following format:

    Code Key: CHILD_FORM_NAME~CHILD_FIELD_LABEL

    In this format, CHILD_FORM_NAME specifies the name of the child form, and CHILD_FIELD_LABEL specifies the label of the field on the OIM User child form in the Administrative and User Console.

    Decode: Corresponding target system attribute

    Note:

    For the target system fields, you must use the same case (uppercase or lowercase) as given on the target system. This is because the field names are case-sensitive.

    For example, enter UD_CARLICEN~Car License in the Code Key field and then enter carLicense in the Decode field.
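The Code Key formats in this section and in Creating an Entry for the Field in the Lookup Definition for Reconciliation are easy to get wrong by hand, and the case-sensitivity Note is the usual cause of a mapping that silently never matches. The following Python example is added here and is not part of the connector or of Oracle's documentation: it checks a list of (Code Key, Decode) pairs against both documented formats and against a set of target attribute names spelled as the directory reports them. TARGET_ATTRIBUTES and the SAMPLE_* entries are constructed assumptions; replace them with an export of your own lookup definition and directory schema.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the target directory's schema: attribute names
# spelled exactly as the target system reports them (assumption: export this
# once from your own directory; the four names below are illustrative).
TARGET_ATTRIBUTES = {"carLicense", "description", "telephoneNumber", "memberOf"}

# Code Key formats documented for multivalued fields:
#   reconciliation: MULTIVALUED_FIELD_NAME~CHILD_RESOURCE_OBJECT_FIELD_NAME
#   provisioning:   CHILD_FORM_NAME~CHILD_FIELD_LABEL   (child forms are UD_* tables)
RECON_KEY = re.compile(r"^[^~]+~[^~]+$")
PROV_KEY = re.compile(r"^UD_[A-Z0-9_]+~[^~]+$")


@dataclass
class Finding:
    code_key: str
    problem: str


def check_lookup_entries(entries, kind, target_attributes=TARGET_ATTRIBUTES):
    """Validate (Code Key, Decode) pairs for a multivalued-field lookup definition.

    kind is "recon" for Lookup.*.ReconAttrMap or "prov" for Lookup.*.ProvAttrMap.
    Returns a list of Finding; an empty list means every entry passed.
    """
    pattern = RECON_KEY if kind == "recon" else PROV_KEY
    by_lower = {name.lower(): name for name in target_attributes}
    findings = []
    for code_key, decode in entries:
        if not pattern.match(code_key):
            findings.append(Finding(code_key, f"Code Key does not match the {kind} format"))
            continue
        if decode in target_attributes:
            continue                        # exact, case-correct match
        if decode.lower() in by_lower:      # the case-sensitivity trap from the Note
            findings.append(Finding(code_key, f"Decode '{decode}' differs in case from "
                                              f"target attribute '{by_lower[decode.lower()]}'"))
        else:
            findings.append(Finding(code_key, f"Decode '{decode}' is not a target attribute"))
    return findings


# Constructed sample entries, one good and two bad per lookup kind.
SAMPLE_RECON_ENTRIES = [
    ("carlicenses~carlicense", "carLicense"),   # well formed
    ("phones~phone", "telephonenumber"),        # Decode has the wrong case
    ("groups", "memberOf"),                     # missing the '~' separator
]
SAMPLE_PROV_ENTRIES = [
    ("UD_CARLICEN~Car License", "carLicense"),  # well formed
    ("CARLICEN~Car License", "carLicense"),     # child form name lacks the UD_ prefix
    ("UD_PHONE~Phone", "mobile"),               # not in the constructed schema set
]

if __name__ == "__main__":
    for kind, entries in (("recon", SAMPLE_RECON_ENTRIES), ("prov", SAMPLE_PROV_ENTRIES)):
        for finding in check_lookup_entries(entries, kind):
            print(f"{kind}: {finding.code_key}: {finding.problem}")
```

Run the script as-is to see the four findings from the sample data; an empty result for your own entries means they are ready to enter in the Design Console. The check is deliberately exact-case: LDAP itself treats attribute names case-insensitively, but the lookup must carry the spelling the connector expects, which is why the Note above insists on it.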

9.4.2 Adding the Task for Provisioning Multivalued Attributes in the Process Definition

To add the task for provisioning multivalued attributes in the process definition, perform the following procedures:

9.4.2.1 Updating the Process Definition

In the process definition, add the task for provisioning multivalued attributes as follows:

  1. Expand Process Management.
  2. Double-click Process Definition.
  3. Search for and open one of the following process definitions:

    For groups: LDAP Group or OID Group

    For organizational units: LDAP Organizational Unit or OID Organizational Unit

    For roles: LDAP Role

  4. Click Add and enter the task name and description. For example, enter Car License Added as the task name and task description.
  5. In the Task Properties section, select Conditional, Allow Cancellation while Pending, and Allow Multiple Instances. From the Child Table list, select the child form that you created for the multivalued field (UD_CARLICEN in this example), and from the Trigger Type list, select Insert.
  6. Click Save.

9.4.2.2 Selecting the Adapter

Select the adapter as follows:

  1. On the Integration tab of the process definition that you opened in Updating the Process Definition, click Add and then select Adapter.

    From the list of adapters, select adpLDAPADDCHILDTABLEVALUE or adpOIDADDCHILDTABLEVALUE.

  2. Click Save and then close the dialog box.

9.4.2.3 Creating the Adapter Variables Mapping

Create the adapter variables mapping as follows:
  1. In the Adapter Variables region, click the procInstanceKey variable.
  2. In the dialog box that is displayed, create the following mapping:

    Variable Name: procInstanceKey

    Map To: Process Data

    Qualifier: Process Instance


  3. Click Save and close the dialog box.
  4. Repeat Steps 1 through 3 for the remaining variables listed in the Adapter Variables region. The following table lists the values that you must select from the Map To, Qualifier, and Literal Value lists for each variable. The only values that differ between the user, group, and organizational unit process definitions are childTableName (the child form you created for the multivalued field, UD_CARLICEN in the running example) and objectType:

    Variable                | Map To                     | Qualifier         | Literal Value
    procInstanceKey         | Process Data               | Process Instance  | NA
    Adapter Return Variable | Response Code              | NA                | NA
    itResourceName          | Literal                    | String            | UD_LDAP_USR_SERVER, UD_OID_USR_SERVER, or UD_EDIR_USR_SERVER
    childTableName          | Literal                    | String            | Name of the child form, for example UD_CARLICEN
    objectType              | Literal                    | String            | User, Group, or OU, matching the process definition
    childPrimarykey         | Process Data (child table) | Child Primary Key | NA

  5. On the Responses tab, click Add to add at least the SUCCESS response code, with Status C. This ensures that if the custom task is successfully run, then the status of the task is displayed as Completed.
  6. Click the Save icon, close the dialog box, and then save the process definition.

9.4.2.4 Updating the Process Tasks

Update the process tasks as follows:

  1. Add the Car License Update process task by performing the procedures described in Updating the Process Definition through Creating the Adapter Variables Mapping, with the following differences:
    • While performing Step 5 of Updating the Process Definition, keep UD_CARLICEN selected in the Child Table list but, instead of selecting Insert from the Trigger Type list, select Update.

    • While performing Step 4 of Creating the Adapter Variables Mapping, the childPrimarykey variable does not appear. Instead, map the following variable in addition to the other variables:

      Variable        | Map To           | Qualifier         | Literal Value
      taskInstanceKey | Task Information | Task Instance Key | NA

  2. Add the Car License Delete process task by performing the same procedures, with the following differences:
    • While performing Step 5 of Updating the Process Definition, keep UD_CARLICEN selected in the Child Table list but, instead of selecting Insert from the Trigger Type list, select Delete.

    • While performing Step 4 of Creating the Adapter Variables Mapping, the childPrimarykey variable does not appear. Instead, map the taskInstanceKey variable exactly as in the preceding table, in addition to the other variables.

  3. Click Save in the process task dialog box.

    Note:

    During a provisioning operation, you can either add or remove values of multivalued fields. You cannot update these values.

9.4.3 Updating the Request Dataset

Update the request dataset.

Note:

Perform the steps in this section and Running the PurgeCache Utility and Importing the Request Dataset Definition to MDS only if you enabled request-based provisioning.

When you add an attribute on the process form, you must also update the XML file containing the request dataset definitions. To update a request dataset:

  1. In a text editor, open the XML file located in the OIM_HOME/DataSet/file directory for editing.
  2. Add the AttributeReference element and specify values for the mandatory attributes of this element.

    For example, if you added Car License as an attribute on the process form, then enter the following line:

    <AttributeReference
      name="Car License"
      attr-ref="Car License"
      type="String"
      widget="text"
      length="50"
      available-in-bulk="false"/>

    In this AttributeReference element:

    • For the name attribute, enter the value in the Name column of the process form without the tablename prefix.

      For example, if UD_CAR_LICENSE is the value in the Name column of the process form, then you must specify Car License as the value of the name attribute in the AttributeReference element.

    • For the attr-ref attribute, enter the value that you entered in the Field Label column of the process form.

    • For the type attribute, enter the value that you entered in the Variant Type column of the process form.

    • For the widget attribute, enter the value that you entered in the Field Type column of the process form.

    • For the length attribute, enter the value that you entered in the Length column of the process form.

    • For the available-in-bulk attribute, specify true if the attribute must be available during bulk request creation or modification. Otherwise, specify false.

    If you add more than one attribute on the process form, then repeat this step for each attribute added.

  3. Save and close the XML file.
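As an added example serving this section and Updating the Request Dataset under Adding Custom Fields for Provisioning (example code, not from the connector or from Oracle's documentation), the following Python script builds the AttributeReference element from the process-form columns by the rules listed above and appends it to a dataset file only if no entry of that name exists yet, so re-running it after a partial edit does not duplicate the element. SAMPLE_DATASET is a constructed, trimmed stand-in for a file under OIM_HOME/DataSet/file, and the helper names are assumptions. It applies the name rule literally (Name column minus the table-name prefix), whereas the examples in this section show a label-style name such as Car License, so compare the generated entry with an existing one in your own dataset file before importing it into MDS.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for a request dataset file (the real file lives
# under OIM_HOME/DataSet/file; the root attributes and the existing entry are assumptions).
SAMPLE_DATASET = """<request-data-set name="ProvisionResourceLDAP User" entity="LDAP User" operation="PROVISION">
  <AttributeReference name="User ID" attr-ref="User ID" type="String" widget="text" length="256" available-in-bulk="false"/>
</request-data-set>
"""


def _qualified(root, local_name):
    """Return local_name in the root element's namespace, if the file declares one."""
    if root.tag.startswith("{"):
        namespace = root.tag[1:root.tag.index("}")]
        ET.register_namespace("", namespace)   # keep the default namespace on output
        return f"{{{namespace}}}{local_name}"
    return local_name


def add_attribute_reference(dataset_xml, column_name, table_prefix, field_label,
                            variant_type, field_type, length, available_in_bulk=False):
    """Append one AttributeReference built from the process-form columns.

    name              = Name column without the table-name prefix (UD_LDAP_USR_DESCRIPTION -> DESCRIPTION)
    attr-ref          = Field Label column
    type              = Variant Type column
    widget            = Field Type column
    length            = Length column
    available-in-bulk = whether the attribute is offered in bulk requests
    Idempotent: an existing entry with the same name leaves the file unchanged.
    """
    if not column_name.startswith(table_prefix):
        raise ValueError(f"{column_name} does not start with the form prefix {table_prefix}")
    name = column_name[len(table_prefix):]
    root = ET.fromstring(dataset_xml)
    tag = _qualified(root, "AttributeReference")
    if any(ref.get("name") == name for ref in root.findall(tag)):
        return dataset_xml
    ET.SubElement(root, tag, {
        "name": name,
        "attr-ref": field_label,
        "type": variant_type,
        "widget": field_type,
        "length": str(length),
        "available-in-bulk": "true" if available_in_bulk else "false",
    })
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode") + "\n"


def attribute_references(dataset_xml):
    """Return {name: attributes} for every AttributeReference in the file, in document order."""
    root = ET.fromstring(dataset_xml)
    tag = _qualified(root, "AttributeReference")
    return {ref.get("name"): dict(ref.attrib) for ref in root.findall(tag)}


if __name__ == "__main__":
    updated = add_attribute_reference(SAMPLE_DATASET, "UD_LDAP_USR_DESCRIPTION", "UD_LDAP_USR_",
                                      "Description", "String", "text", 50)
    print(updated)
```

To edit a real file, read it into a string, pass it through add_attribute_reference once per field you added on the process form, and write the result back before running the PurgeCache utility and importing the dataset into MDS. The prefix check turns a mistyped column name into an immediate error rather than a dataset entry that never binds to a form field.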

9.4.4 Running the PurgeCache Utility and Importing the Request Dataset Definition to MDS

Run the PurgeCache utility to clear content related to request datasets from the server cache.

See Purging Cache in Oracle Fusion Middleware Administering Oracle Identity Governance for more information about the PurgeCache utility.

Import into MDS the request dataset definitions in XML format.

9.5 Adding New Fields for Trusted Source Reconciliation

Note:

This section describes an optional procedure. Perform this procedure only if you want to add new fields for trusted source reconciliation.

By default, the attributes listed in Table 1-33 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new fields for trusted source reconciliation. To do so, perform the following procedures:

9.5.1 Adding the New Field on the OIM User Process Form

To add the new field to the OIM User process form:

  1. Log in to Oracle Identity Manager Design Console.

  2. If you are using a release prior to Oracle Identity Manager release 11.1.1.5.3, then add the new field on the OIM User process form as follows:

    1. Expand Administration.

    2. Double-click User Defined Field Definition.

    3. Search for and open the Users form.

    4. Click Add and enter the details of the field.

      For example, if you are adding the Employee ID field, then enter Employee ID in the Name field, set the data type to String, enter USR_UDF_EMPLOYEE_ID as the column name, and enter a field size value.

    5. Click Save.

  3. If you are using Oracle Identity Manager release 11.1.1.5.3, then add the new field on the OIM User process form by using the Oracle Identity Advanced Administration interface.

  4. If you are using Oracle Identity Manager release 11.1.2 or later, then add the new field on the OIM User process form by performing the procedure described in Configuring Custom Attributes of Oracle Fusion Middleware Administering Oracle Identity Manager.

9.5.2 Adding the New Field to the Resource Object Reconciliation Fields

Add the new field to the list of reconciliation fields in the resource object as follows:

  1. Expand the Resource Management folder.
  2. Double-click Resource Objects.
  3. Search for and open the LDAP Trusted User or OID Trusted User resource object.
  4. On the Object Reconciliation tab, click Add Field.
  5. Enter the details of the field and click Save.

    For example, enter Employee ID in the Field Name field and select String from the Field Type list.

    Later in this procedure, you will enter the field name as the Decode value of the entry that you create in the lookup definition for reconciliation.

  6. Click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

9.5.3 Creating a Reconciliation Field Mapping

Create a reconciliation field mapping for the new field as follows:

  1. Expand Process Management.
  2. Double-click Process Definition.
  3. Search for and open the LDAP Trusted User or OID Trusted User process definition.
  4. On the Reconciliation Field Mappings tab, click Add Field Map.
  5. In the Field Name field, select the value for the field that you want to add.

    For example, select Employee ID = Employee ID.

  6. Click Save.

9.5.4 Creating an Entry for the Field in the Lookup Definition for Reconciliation

Create an entry for the field in the lookup definition for reconciliation as follows:

  1. Expand Administration and then double-click Lookup Definition.
  2. Search for and open the Lookup.LDAP.UM.ReconAttrMap.Trusted, Lookup.OID.UM.ReconAttrMap.Trusted, or Lookup.EDIR.UM.ReconAttrMap.Trusted lookup definition.
  3. Click Add and then enter the Code Key and Decode values for the field. The Code Key value must be the name of the field created in the LDAP Trusted User, OID Trusted User, or eDirectory User Trusted resource object. The Decode value is the name of the corresponding field on the target system.

    Note:

    For the target system fields, you must use the same case (uppercase or lowercase) as given on the target system. This is because the field names are case-sensitive.

    For example, enter Employee ID in the Code Key field and then enter EmployeeID in the Decode field.

  4. Click Save.
  5. Select Field Type and click Save.

9.6 Configuring Transformation of Data During Reconciliation

Note:

This section describes an optional procedure. Perform this procedure only if you want to configure transformation of data during reconciliation.

You can configure transformation of reconciled single-valued user data according to your requirements. For example, you can use First Name and Last Name values to create a value for the Full Name field in Oracle Identity Manager.

To configure transformation of single-valued user data fetched during reconciliation:

  1. Write code that implements the required transformation logic in a Java class with a fully qualified class name, such as com.transformationexample.MyTransformer.

    This transformation class must implement the transform method. The following sample transformation class creates a value for the Full Name attribute by using values fetched from the First Name and Last Name attributes of the target system:

    package com.transformationexample;

    import java.util.HashMap;

    public class MyTransformer {
        public Object transform(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) {
            /*
             * You must write code to transform the attributes.
             * Parent data attribute values can be fetched by
             * using hmUserDetails.get("Field Name").
             * To fetch child data values, loop through the
             * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
             * Return the transformed attribute.
             */
            String sFirstName = (String) hmUserDetails.get("First Name");
            String sLastName = (String) hmUserDetails.get("Last Name");
            return sFirstName + "." + sLastName;
        }
    }

  2. Log in to the Design Console.
  3. Create a new lookup definition named Lookup.LDAP.UM.ReconTransformation, Lookup.OID.UM.ReconTransformation, or Lookup.EDIR.UM.ReconTransformation.
  4. In the Code Key column, enter the resource object field name you want to transform. For example, givenName.
  5. In the Decode column, enter the class name. For example, com.transformationexample.MyTransformer.
  6. Save the changes to the lookup definition.
  7. Search for and open the Lookup.LDAP.UM.Configuration or Lookup.OID.UM.Configuration lookup definition.
  8. In the Code Key column, enter Recon Transformation Lookup.
  9. In the Decode column, enter Lookup.LDAP.UM.ReconTransformation or Lookup.OID.UM.ReconTransformation.
  10. Save the changes to the lookup definition.
  11. Create a JAR with the class and upload it to the Oracle Identity Manager database as follows:

    Run the Oracle Identity Manager Upload JARs utility to post the JAR file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

    Note:

    Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

    • For Microsoft Windows:

      OIM_HOME/server/bin/UploadJars.bat

    • For UNIX:

      OIM_HOME/server/bin/UploadJars.sh

    When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.

  12. Run the PurgeCache utility to clear content related to request datasets from the server cache.
  13. Perform reconciliation to verify transformation of the field, for example, SimpleDisplayName.
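The sample class above handles a single field. Because the Decode value of the transformation lookup is a class name and Oracle Identity Manager passes the field being transformed in as sField, one class can serve several fields by branching on that argument. The following is an added example, not code from the connector or from Oracle; the field names Full Name, First Name, Last Name and Employee ID, and the class name MultiFieldTransformer, are assumed for illustration and must match the names in your resource object. It also guards against missing attribute values, which the page's sample does not.

```java
package com.transformationexample;

import java.util.HashMap;

/*
 * Added example (not the connector's own code): one transformer that serves
 * several resource-object fields by switching on sField. The field names used
 * here ("Full Name", "First Name", "Last Name", "Employee ID") are assumed.
 */
public class MultiFieldTransformer {

    public Object transform(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) {
        if ("Full Name".equals(sField)) {
            // Build "First Last" from the parent data; tolerate a missing half.
            String first = clean(hmUserDetails.get("First Name"));
            String last = clean(hmUserDetails.get("Last Name"));
            return (first + " " + last).trim();
        }
        if ("Employee ID".equals(sField)) {
            // Normalise the identifier so reconciliation matching is not
            // defeated by stray whitespace or case differences.
            return clean(hmUserDetails.get(sField)).toUpperCase();
        }
        // Any other field is passed through unchanged.
        return hmUserDetails.get(sField);
    }

    /* Null-safe trim that also collapses runs of whitespace to one space. */
    private static String clean(Object value) {
        if (value == null) {
            return "";
        }
        return value.toString().trim().replaceAll("\\s+", " ");
    }

    /* Stand-alone check against a constructed record (not real directory data). */
    public static void main(String[] args) {
        HashMap user = new HashMap();
        user.put("First Name", "  Jane ");
        user.put("Last Name", "Doe");
        user.put("Employee ID", " e1234 ");
        MultiFieldTransformer t = new MultiFieldTransformer();
        System.out.println(t.transform(user, new HashMap(), "Full Name"));
        System.out.println(t.transform(user, new HashMap(), "Employee ID"));
        System.out.println(t.transform(user, new HashMap(), "Last Name"));
    }
}
```

To use one class for several fields, add one row per field to the Lookup.LDAP.UM.ReconTransformation (or OID/EDIR) lookup definition, each with the field name as Code Key and this class name as Decode, then package and upload the JAR as in step 11.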

9.7 Configuring Validation of Data During Reconciliation and Provisioning

Note:

This section describes an optional procedure. Perform this procedure only if you want to configure validation of data during reconciliation and provisioning.

You can configure validation of reconciled and provisioned single-valued data according to your requirements. For example, you can validate data fetched from the First Name attribute to ensure that it does not contain the number sign (#). In addition, you can validate data entered in the First Name field on the process form so that the number sign (#) is not sent to the target system during provisioning operations.

To configure validation of data:

  1. Write code that implements the required validation logic in a Java class with a fully qualified class name, such as com.validationexample.MyValidator.

    This validation class must implement the validate method. The following sample validation class checks if the value in the First Name attribute contains the number sign (#):

    package com.validationexample;

    import java.util.HashMap;

    // ConnectorException is assumed to be the Identity Connector Framework class;
    // adjust the import if your connector bundle provides a different one.
    import org.identityconnectors.framework.common.exceptions.ConnectorException;

    public class MyValidator {
        public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) throws ConnectorException {

            /* You must write code to validate attributes. Parent
             * data values can be fetched by using hmUserDetails.get(field)
             * For child data values, loop through the
             * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
             * Depending on the outcome of the validation operation,
             * the code must return true or false.
             * The validate method can throw
             * oracle.iam.connectors.icfcommon.extension.ValidationException
             * in case the validation fails.
             */
            /*
             * In this sample code, the value "false" is returned if the field
             * contains the number sign (#). Otherwise, the value "true" is
             * returned.
             */
            boolean valid = true;
            String sFirstName = (String) hmUserDetails.get(sField);
            // Guard against an absent attribute value before scanning it.
            if (sFirstName != null) {
                for (int i = 0; i < sFirstName.length(); i++) {
                    if (sFirstName.charAt(i) == '#') {
                        valid = false;
                        break;
                    }
                }
            }
            return valid;
        }
    }

  2. Log in to the Design Console.
  3. Create one of the following new lookup definitions:
    • To configure validation of data for reconciliation:

      Lookup.LDAP.UM.ReconValidation or Lookup.OID.UM.ReconValidation

    • To configure validation of data for provisioning:

      Lookup.LDAP.UM.ProvValidation or Lookup.OID.UM.ProvValidation

  4. In the Code Key column, enter the resource object field name that you want to validate. For example, givenName.
  5. In the Decode column, enter the class name. For example, com.validationexample.MyValidator.
  6. Save the changes to the lookup definition.
  7. Search for and open the Lookup.LDAP.UM.Configuration or Lookup.OID.UM.Configuration lookup definition.
  8. In the Code Key column, enter one of the following entries:
    • To configure validation of data for reconciliation:

      Recon Validation Lookup

    • To configure validation of data for provisioning:

      Provisioning Validation Lookup

  9. In the Decode column, enter one of the following entries:
    • To configure validation of data for reconciliation:

      Lookup.LDAP.UM.ReconValidation or Lookup.OID.UM.ReconValidation

    • To configure validation of data for provisioning:

      Lookup.LDAP.UM.ProvValidation or Lookup.OID.UM.ProvValidation

  10. Save the changes to the lookup definition.
  11. Create a JAR with the class and upload it to the Oracle Identity Manager database as follows:

    Run the Oracle Identity Manager Upload JARs utility to post the JAR file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

    Note:

    Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

    • For Microsoft Windows:

      OIM_HOME/server/bin/UploadJars.bat

    • For UNIX:

      OIM_HOME/server/bin/UploadJars.sh

    When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.

  12. Run the PurgeCache utility to clear content related to request datasets from the server cache.
  13. Perform reconciliation or provisioning to verify validation for the field, for example, SimpleDisplayName.
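The sample validator above rejects only the number sign (#) and assumes the attribute is present. The following is an added example, not code from the connector or from Oracle, that generalizes the same check: it is null-safe, enforces a length limit, and rejects any character from a deny-set. The deny-set (the page's "#" plus control characters), the 64-character limit, and the class name StrictFieldValidator are constructed for illustration; an absent attribute is treated as nothing to validate, which is a policy choice you may want to reverse.

```java
package com.validationexample;

import java.util.HashMap;

/*
 * Added example (not the connector's own code): a null-safe validator that
 * rejects a value that is too long or contains any denied character. The
 * deny-set and length limit are assumed values, not connector defaults.
 */
public class StrictFieldValidator {

    private static final int MAX_LENGTH = 64;   // assumed limit
    private static final String DENIED = "#";   // the page's rule; extend as needed

    public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) {
        Object raw = hmUserDetails.get(sField);
        if (raw == null) {
            // Attribute absent from the record: nothing to validate (policy choice).
            return true;
        }
        return isClean(raw.toString());
    }

    /* Pure check separated from validate() so it can be tested on its own. */
    static boolean isClean(String value) {
        if (value.length() > MAX_LENGTH) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Reject the deny-set and any ISO control character (e.g. NUL, CR, LF).
            if (DENIED.indexOf(c) >= 0 || Character.isISOControl(c)) {
                return false;
            }
        }
        return true;
    }

    /* Stand-alone check against a constructed record (not real directory data). */
    public static void main(String[] args) {
        HashMap user = new HashMap();
        user.put("First Name", "Jane");
        user.put("Last Name", "Doe#1");
        user.put("Description", "line one\nline two");
        StrictFieldValidator v = new StrictFieldValidator();
        System.out.println(v.validate(user, new HashMap(), "First Name"));
        System.out.println(v.validate(user, new HashMap(), "Last Name"));
        System.out.println(v.validate(user, new HashMap(), "Description"));
        System.out.println(v.validate(user, new HashMap(), "Missing Field"));
    }
}
```

Register the class exactly as in steps 3 to 10 above, with one Code Key row per field you want checked; the same class can be listed in both the ReconValidation and ProvValidation lookup definitions so that the rule is applied on both the reconciliation and the provisioning path.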

9.8 Configuring the Connector for User-Defined Object Classes

Note:

This section describes an optional procedure. Perform this procedure only if you want to configure the connector for user-defined object classes.

To configure the connector for user-defined object classes:

  1. Create the object class and assign mandatory and optional attributes to the object class.

    Refer to the target system documentation for information about creating the object class.

    Note:

    Assign the user object class as the parent of the object class that you create.

  2. Refresh the schema.
  3. To add the mandatory and optional attributes of the object class for provisioning, perform the procedure described in Adding Custom Fields for Provisioning.
  4. In the configuration lookup definition for the target system:
    • Change the decode value of the ObjectClass code key value to include the new object class name.

    • Set the readSchema parameter to true.

      The lookup names can be Lookup.LDAP.Configuration, Lookup.LDAP.OUD.Configuration, or Lookup.OID.Configuration.

9.9 Configuring the Connector to Use Custom Object Classes

If you want to use a custom object class, perform the following procedure. The procedure in this section uses the User object class as an example.

  1. Modify the LDAP User process definition as follows:

    1. Log in to the Design Console.

    2. Expand Process Management and then double-click Process Definition.

    3. Search for and open the LDAP User process definition.

    4. On the Tasks tab, double-click the Create LDAP User process task.

    5. Change the value of the objectType adapter variable to the name of the custom object class.

    6. Click Save.

    7. Repeat steps 4 through 6 to edit and update each of the other process tasks associated with the User object class, for example, Delete LDAP User and UD_LDAP_USR Updated.

  2. Before you run any of the following scheduled jobs, set the value of the Object Type attribute of the scheduled jobs to the custom object class value:

    • LDAP Connector User Search Delete Reconciliation

    • LDAP Connector User Search Reconciliation

    • LDAP Connector User Sync Reconciliation

    • LDAP Connector Trusted User Reconciliation

    • LDAP Connector Trusted User Delete Reconciliation

9.10 Configuring the Connector for Multiple Trusted Source Reconciliation

Note:

This section describes an optional procedure. Perform this procedure only if you want to configure the connector for multiple trusted source reconciliation.

The following are examples of scenarios in which there is more than one trusted source for user data in an organization:

  • One of the target systems is a trusted source for data about employees. The second target system is a trusted source for data about contractors. The third target system is a trusted source for data about interns.

  • One target system holds the data of some of the identity fields that constitute an OIM User. Two other systems hold data for the remaining identity fields. In other words, to create an OIM User, data from all three systems would need to be reconciled.

If the operating environment of your organization is similar to that described in either one of these scenarios, then this connector enables you to use the target system as one of the trusted sources of user data in your organization.

9.11 Configuring the Connector to Support POSIX Groups and Accounts

This procedure allows the connector to support POSIX groups (posixGroups) and POSIX accounts (posixAccounts).

After you complete this configuration:

  • The connector will support POSIX groups.

  • The sync reconciliation operation will not return the POSIX group membership changes. You must use the full search reconciliation task to get these changes.

To configure the connector to support POSIX groups and accounts:

  1. Log in to Oracle Identity Manager Design Console.

  2. Modify the Lookup.LDAP.Configuration, Lookup.LDAP.OUD.Configuration, or Lookup.OID.Configuration lookup definition as follows:

    1. Set maintainPosixGroupMembership to true.

    2. For accountObjectClasses, add "posixGroup","posixAccount".

    3. For objectClassesToSynchronize, add "posixGroup","posixAccount".

    4. Set groupObjectClasses to "top", "posixGroup".

    5. Set readSchema to true.

  3. In the Lookup.LDAP.UM.ProvAttrMap and Lookup.LDAP.UM.ReconAttrMap lookup definitions, replace "ldapGroups" with "posixGroups".

    For OID, update the Lookup.OID.UM.ProvAttrMap and Lookup.OID.UM.ReconAttrMap lookup definitions.

    For eDirectory, update the Lookup.EDIR.UM.ProvAttrMap and Lookup.EDIR.UM.ReconAttrMap lookup definitions.

  4. In the Lookup.LDAP.Group.ProvAttrMap and Lookup.LDAP.Group.ReconAttrMap lookup definitions, add the following mapping as a String:

    GID NUMBER to gidNumber

    For OID, update the Lookup.OID.Group.ProvAttrMap and Lookup.OID.Group.ReconAttrMap lookup definitions.

    For eDirectory, update the Lookup.EDIR.Group.ProvAttrMap and Lookup.EDIR.Group.ReconAttrMap lookup definitions.

  5. In the LDAP Group, OID Group, or eDirectory Group resource object, add the GID NUMBER field as follows:

    Select the group (LDAP Group, OID Group, or eDirectory Group), Object Reconciliation, Add Field, and then add GID NUMBER.

  6. In the LDAP Group, OID Group, or eDirectory Group process form, add the GID NUMBER field.

  7. In the LDAP Group, OID Group, or eDirectory Group process definition, add the mapping as a String for GID Number.

  8. In the Lookup.LDAP.UM.ProvAttrMap and Lookup.LDAP.UM.ReconAttrMap lookup definitions, add the following mappings as Strings:

    • GID NUMBER to gidNumber

    • UID NUMBER to uidNumber

    • HOME DIRECTORY to homedirectory

    For OID, update the Lookup.OID.UM.ProvAttrMap and Lookup.OID.UM.ReconAttrMap lookup definitions.

    For eDirectory, update the Lookup.EDIR.UM.ProvAttrMap and Lookup.EDIR.UM.ReconAttrMap lookup definitions.

  9. In the LDAP User, OID User, or eDirectory User resource object, add mappings as Strings for these fields:

    • GID NUMBER

    • UID NUMBER

    • HOME DIRECTORY

  10. In the LDAP User, OID User, or eDirectory User process form, add mappings as Strings for these fields:

    • GID NUMBER

    • UID NUMBER

    • HOME DIRECTORY

  11. In the LDAP User, OID User, or eDirectory User process definition, add mappings as Strings for these fields:

    • GID NUMBER

    • UID NUMBER

    • HOME DIRECTORY

  12. After you are finished, click Create Reconciliation Profile.

9.12 Configuring the Connector to Support Provisioning of Custom Object Classes while Provisioning Organizational Unit

Provisioning of custom object classes while provisioning an Organizational Unit (OU) to the target system is supported. To change the object classes used for OUs, add the ouObjectClasses code key to the appropriate configuration lookup definition.

This section contains the following topics:

9.12.1 Modifying the Configuration Lookup Definition

In the Design Console, modify the configuration lookup definition by performing the following procedure:

  1. Log in to Oracle Identity Manager Design Console.
  2. Expand Administration and double-click Lookup Definition.
  3. Depending on the target system you are using, search for and open one of the following lookup definitions:
    • For ODSEE or OUD: Lookup.LDAP.Configuration

    • For OID: Lookup.OID.Configuration

    • For eDirectory: Lookup.EDIR.Configuration

  4. Click Add.

    A new row is added.

  5. In the Code Key column, enter ouObjectClasses.
  6. In the Decode column, enter the name of the custom object class.

    For example, top, organizationalUnit, custom ObjectClass 1, or custom ObjectClass 2.

  7. Click Save.

9.12.2 About Adding Custom Object Classes

If you are adding custom object classes, then the scheduled task (LDAP Connector OU Lookup Reconciliation) used to reconcile the OU container lookup populates those OUs that have the objectClasses specified as the decode value of the ouObjectClasses code key in the configuration lookup definition.

However, the LDAP Connector OU Lookup Reconciliation scheduled task does not update the lookup if the OU container in LDAP does not have the custom object class associated with it. To reconcile the default OU container lookup, enter organizationalUnit as the value of the Object Type parameter of the LDAP Connector OU Lookup Reconciliation scheduled job. This populates the lookup with all the OUs, because the default object class for an OU is organizationalUnit.

Similar behavior is observed with the LDAP, OID, or eDirectory OU search reconciliation and synchronization reconciliation scheduled tasks: these operations fetch only the OUs whose object classes are listed in the Decode value of the ouObjectClasses code key.

To get the default behavior, specify top or organizationalUnit as the Decode value of the ouObjectClasses code key.