In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.
This chapter contains the following sections:
Note:
In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components

Item | Requirement |
---|---|
Oracle Identity Manager | You can use one of the following releases of Oracle Identity Manager: |
Target systems | Oracle CRM On Demand Release 19 or later |
Connector Server | 11.1.2.1.0 |
Connector Server JDK | JDK 1.6 Update 24 or later, or JRockit JDK 1.6 Update 24 or later |
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Czech
Danish
Dutch
English
Finnish
French
German
Greek
Hebrew
Hungarian
Italian
Japanese
Korean
Norwegian
Polish
Portuguese
Portuguese (Brazilian)
Romanian
Russian
Slovak
Spanish
Swedish
Thai
Turkish
This connector enables management of target system accounts through Oracle Identity Manager.
Figure 1-1 shows the architecture of the connector.
The Oracle Identity Manager Connector for Oracle CRM On Demand is an Identity Connector Framework (ICF)-based connector. ICF is a component that provides basic provisioning, reconciliation, and other functions that the connector requires.
Operations on the target system are performed through web services exposed by Oracle CRM On Demand. The connector consumes the following CRM On Demand web services:
User web service
This web service is used for user-specific provisioning and reconciliation operations.
Role Management web service
This web service is used by the CRM On Demand Role Lookup Recon scheduled job to synchronize the roles available on the target system into the Lookup.CRMOD.Roles lookup definition.
Password web service
This web service is used for setting or changing the password of a user from Oracle Identity Manager.
The Web Service Description Language (WSDL) files and the generated web service stubs (artifacts) are packaged with the connector bundle. The connector communicates with the target system using these prepackaged stubs for all connector operations.
The connector leverages Oracle Web Service Manager (OWSM) for security-related aspects during communication with the target system. Communication between Oracle Identity Manager and Oracle CRM On Demand is encrypted with Secure Sockets Layer (SSL) for security (the URL of the target system is always HTTPS). In addition, the connector uses a username/token policy for message-level security during communication with the Oracle CRM On Demand web services.
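The two layers described above, transport encryption and a username token in the SOAP header, can be seen in miniature in the following added Python illustration. It is not connector or OWSM code: it refuses any endpoint that is not HTTPS and then builds a SOAP 1.1 envelope carrying a standard OASIS WS-Security UsernameToken. The endpoint URL, the service credentials and the operation element name are constructed placeholders.

```python
# Added illustration, not connector or OWSM code: enforce an HTTPS-only
# endpoint, then add a WS-Security UsernameToken header to a SOAP envelope.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard OASIS WS-Security 1.0 and SOAP 1.1 namespaces (not page-specific values)
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def is_https(url: str) -> bool:
    """True only for an https:// URL with a host; the target URL is always HTTPS."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def build_envelope(endpoint: str, username: str, password: str,
                   operation: str) -> bytes:
    """Return a SOAP 1.1 envelope whose header carries a wsse:UsernameToken.

    The token is sent as PasswordText, which is only acceptable because the
    message travels over TLS, so a non-HTTPS endpoint is rejected first.
    `operation` is the local name of a placeholder body element (constructed).
    """
    if not is_https(endpoint):
        raise ValueError(f"target URL must use https://, got {endpoint!r}")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    security.set(f"{{{SOAP_NS}}}mustUnderstand", "1")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    pwd = ET.SubElement(token, f"{{{WSSE_NS}}}Password")
    pwd.set("Type", PASSWORD_TEXT)
    pwd.text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, operation)
    return ET.tostring(env)


def username_in_header(envelope: bytes) -> str:
    """Read the Username back out of the Security header ('' if absent)."""
    root = ET.fromstring(envelope)
    node = root.find(
        f"./{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security"
        f"/{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
    return node.text if node is not None else ""


if __name__ == "__main__":
    # Constructed placeholder endpoint and credentials.
    env = build_envelope("https://crmod.example.invalid/Services/Integration",
                         "svc-user", "placeholder-secret", "UserQueryPage")
    print(env.decode())
```

The order of the two checks is the point: the plaintext PasswordText token is only safe because `is_https` has already guaranteed the message will not leave the host unencrypted.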
The target system does not allow deletion of created user accounts. Therefore, as part of the Revoke Resource operation of Oracle Identity Manager, the following changes are made:
On the target system, the corresponding user account is set to Inactive.
In Oracle Identity Manager, the tasks for the corresponding user account are cancelled and the account status is set to Disabled.
The following topics describe the connector operations:
See Also:
Managing Reconciliation in Oracle Fusion Middleware Administering Oracle Identity Manager for conceptual information about Reconciliation
This connector can be configured to perform target resource reconciliation. The connector enables you to create and manage target accounts for OIM Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled and linked with existing OIM Users and provisioned resources.
The following is an overview of the steps involved in reconciliation:
The scheduled job is run at the time or frequency that you specify. This scheduled job contains details of the reconciliation that you want to perform.
The scheduled job performs the following tasks:
Reads the values that you set for the job attributes.
Fetches user records into Oracle Identity Manager.
Each user record fetched from the target system is compared with existing target system resources assigned to OIM Users. The reconciliation rule is applied during the comparison process. See Reconciliation Rule for Target Resource Reconciliation for information about the reconciliation rule.
The next step of the process depends on the outcome of the matching operation:
If a match is found between the target system record and a resource provisioned to an OIM User, then the user resource is updated with changes made to the target system record.
If no match is found, then the target system user record is compared with existing OIM Users. The next step depends on the outcome of the matching operation:
If a match is found, then the target system record is used to provision a resource for the OIM User.
If no match is found, then the status of the reconciliation event is set to No Match Found.
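The matching sequence in the steps above, as an added Python simulation (not Oracle Identity Manager code): fetched records are first compared against resources already provisioned to OIM Users, and only unmatched records are compared against the OIM Users themselves. The reconciliation rule is not spelled out on this page, so the simulation assumes it matches the target `UserLoginId` to the OIM User Login, case-insensitively; the user and record data are constructed.

```python
# Added simulation, not Oracle Identity Manager code: the two-stage matching
# decision of target resource reconciliation, run over constructed records.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class OimUser:
    user_login: str                       # OIM User Login
    # target __UID__ -> data of the CRM On Demand resource provisioned to this user
    resources: Dict[str, dict] = field(default_factory=dict)


@dataclass
class ReconEvent:
    target_uid: str
    status: str                           # "Updated", "Provisioned" or "No Match Found"
    user_login: Optional[str] = None


def reconcile(target_records: List[dict], oim_users: List[OimUser]) -> List[ReconEvent]:
    """Apply the matching steps described above to every fetched record."""
    by_login = {u.user_login.lower(): u for u in oim_users}
    events: List[ReconEvent] = []
    for rec in target_records:
        uid = rec["__UID__"]
        # Stage 1: compare with resources already provisioned to OIM Users.
        owner = next((u for u in oim_users if uid in u.resources), None)
        if owner is not None:
            # Match: update the existing resource with the target changes.
            # __PASSWORD__ is never reconciled (Table 1-3), so it is dropped.
            owner.resources[uid].update(
                {k: v for k, v in rec.items() if k != "__PASSWORD__"})
            events.append(ReconEvent(uid, "Updated", owner.user_login))
            continue
        # Stage 2: no resource matched, so apply the reconciliation rule
        # against OIM Users. Assumption: UserLoginId == OIM User Login
        # (case-insensitive); the real rule is defined elsewhere in the guide.
        user = by_login.get(rec["UserLoginId"].lower())
        if user is not None:
            # Match: the record provisions a new resource for that OIM User.
            user.resources[uid] = {k: v for k, v in rec.items() if k != "__PASSWORD__"}
            events.append(ReconEvent(uid, "Provisioned", user.user_login))
        else:
            events.append(ReconEvent(uid, "No Match Found"))
    return events


def run_demo():
    """Constructed data covering all three outcomes."""
    users = [
        OimUser("jsmith", {"1-AAA": {"__UID__": "1-AAA", "UserLoginId": "JSMITH",
                                     "LastName": "Smith"}}),
        OimUser("rlee"),                  # OIM User with no CRM On Demand resource yet
    ]
    fetched = [
        {"__UID__": "1-AAA", "UserLoginId": "JSMITH", "LastName": "Smith-Jones"},
        {"__UID__": "1-BBB", "UserLoginId": "RLEE", "LastName": "Lee"},
        {"__UID__": "1-CCC", "UserLoginId": "GHOST", "LastName": "Nobody"},
    ]
    return reconcile(fetched, users), users


if __name__ == "__main__":
    for event in run_demo()[0]:
        print(event)
```

A record that reaches "No Match Found" is the case to watch operationally: an account that exists on the target but belongs to no OIM User is exactly what target resource reconciliation is meant to surface.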
See Also:
Managing Provisioning Tasks in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for conceptual information about Provisioning
Provisioning involves creating and managing user accounts. When you allocate (or provision) an Oracle CRM On Demand resource to an OIM User, the operation results in the creation of an account on the target system for that user. Similarly, when you update the resource on Oracle Identity Manager, the same update is made to the account on the target system.
Provisioning is a two-step process. In the first step, the create user task is triggered. If the create user task is completed successfully, then the second step is initiated. In the second step, the password update task is triggered.
During provisioning operations, adapters carry provisioning data submitted through the process form to the connector, which in turn submits the provisioning data to the target system. The user account maintenance commands accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Manager.
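The two-step provisioning sequence above, together with the Revoke Resource behaviour described earlier (Inactive on the target, tasks cancelled and Disabled in Oracle Identity Manager), as an added Python simulation that is not connector code. The `FakeTarget` class stands in for the CRM On Demand User and Password web services, the adapters are reduced to direct calls, and all logins, UIDs and passwords are constructed placeholders.

```python
# Added simulation, not connector code: create user, then set the password
# only if the create task completed; revoke disables instead of deleting.
from dataclasses import dataclass, field
from typing import Dict, Optional


class FakeTarget:
    """Stand-in for the CRM On Demand User and Password web services (constructed)."""

    def __init__(self, fail_create_for=()):
        self.accounts: Dict[str, dict] = {}      # __UID__ -> account attributes
        self.password_set: Dict[str, bool] = {}  # __UID__ -> a password was set
        self._fail = set(fail_create_for)        # logins whose create call fails
        self._counter = 0

    def create_user(self, attrs: dict) -> str:           # User web service
        login = attrs["UserLoginId"]
        if login in self._fail:
            raise RuntimeError(f"create rejected for {login}")
        self._counter += 1
        uid = f"1-{self._counter:04d}"                   # constructed __UID__ format
        self.accounts[uid] = dict(attrs, Status="Active")
        return uid

    def set_password(self, uid: str, password: str) -> None:  # Password web service
        if uid not in self.accounts:
            raise KeyError(uid)
        self.password_set[uid] = bool(password)          # the fake keeps no secrets

    def set_status(self, uid: str, status: str) -> None:      # User web service
        self.accounts[uid]["Status"] = status


@dataclass
class ProcessForm:
    fields: dict
    return_id: Optional[str] = None                      # filled from __UID__ after create
    tasks: Dict[str, str] = field(default_factory=dict)  # task name -> status
    status: str = "Provisioning"


def provision(target: FakeTarget, form: ProcessForm, password: str) -> ProcessForm:
    # Step 1: the Create User task (adapter CRMODCreateUser).
    try:
        form.return_id = target.create_user(form.fields)
    except RuntimeError as exc:
        form.tasks["Create User"] = f"Rejected: {exc}"
        return form                                      # step 2 is never triggered
    form.tasks["Create User"] = "Completed"
    # Step 2: the Password Updated task, only after step 1 succeeded.
    target.set_password(form.return_id, password)
    form.tasks["Password Updated"] = "Completed"
    form.status = "Provisioned"
    return form


def revoke(target: FakeTarget, form: ProcessForm) -> ProcessForm:
    """Revoke Resource: the target cannot delete users, so disable on both sides."""
    target.set_status(form.return_id, "Inactive")
    for name, state in form.tasks.items():
        if state != "Completed":                         # pending tasks are cancelled
            form.tasks[name] = "Cancelled"
    form.status = "Disabled"
    return form


def run_demo():
    target = FakeTarget(fail_create_for={"broken"})
    ok = provision(target, ProcessForm({"UserLoginId": "jdoe", "FirstName": "Jo",
                                        "LastName": "Doe"}), "placeholder-initial-pw")
    failed = provision(target, ProcessForm({"UserLoginId": "broken", "FirstName": "No",
                                            "LastName": "Account"}), "placeholder-pw")
    ok.tasks["Role Updated"] = "Pending"                 # constructed in-flight update
    revoke(target, ok)
    return target, ok, failed


if __name__ == "__main__":
    target, ok, failed = run_demo()
    print(ok, failed, target.accounts, sep="\n")
```

The failed case shows why the ordering matters: when the create call is rejected there is no `__UID__` to address, so the password step has nothing to act on and must not run.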
The provisioning process can be started through one of the following events:
Direct provisioning
The Oracle Identity Manager administrator uses the Administrative and User Console to create a target system account for a user.
Provisioning triggered by access policy changes
An access policy related to accounts on the target system is modified. When an access policy is modified, it is reevaluated for all users to whom it applies.
Request-based provisioning
In request-based provisioning, an individual creates a request for a target system account. The provisioning process is completed when an OIM User with the required privileges approves the request and provisions the target system account to the requester.
Table 1-2 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.
Table 1-2 Provisioning Functions

Function | Adapter |
---|---|
Create User | CRMODCreateUser |
Delete User | CRMODDisableUser |
Disable User | CRMODDisableUser |
Enable User | CRMODEnableUser |
Alias Updated | CRMODUpdateUser |
Cell Phone Updated | CRMODUpdateUser |
Department Updated | CRMODUpdateUser |
Division Updated | CRMODUpdateUser |
Email Updated | CRMODUpdateUser |
Employee Number Updated | CRMODUpdateUser |
External Unique ID Updated | CRMODUpdateUser |
First Name Updated | CRMODUpdateUser |
Job Title Updated | CRMODUpdateUser |
Language Updated | CRMODUpdateUser |
Last Name Updated | CRMODUpdateUser |
Middle Name Updated | CRMODUpdateUser |
Password Updated | CRMODUpdateUser |
Region Updated | CRMODUpdateUser |
Reports To Updated | CRMODUpdateUser |
Role Updated | CRMODUpdateUser |
Work Phone Updated | CRMODUpdateUser |
The Identity Connector Framework (ICF) is a component that provides basic provisioning, reconciliation, and other functions that all Oracle Identity Manager connectors require.
The Oracle Identity Manager Connector for Oracle CRM On Demand is an ICF-based connector. The ICF uses classpath isolation, which allows the connector to co-exist with legacy versions of the connector.
For more information about the ICF and its advantages, see Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
You can use the connector to configure the target system as a target resource of Oracle Identity Manager.
See Configuring Reconciliation for more information.
After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, incremental reconciliation is automatically enabled from the next run of the user reconciliation.
You can perform a full reconciliation run at any time. See Performing Full Reconciliation for more information.
You can set a reconciliation filter as the value of the Filter attribute of the scheduled jobs. This filter specifies the subset of newly added and modified target system records that must be reconciled.
See Performing Limited Reconciliation for more information.
If you want to add custom attributes for reconciliation and provisioning, then perform the procedures described in Adding Custom Attributes for Target Resource Reconciliation and Adding Custom Attributes for Provisioning.
You can configure transformation of data that is brought into Oracle Identity Manager during reconciliation.
See Configuring Transformation of Data During User Reconciliation for more information.
You can configure validation of data that is brought into Oracle Identity Manager during provisioning and reconciliation operations.
See Configuring Validation of Data During Reconciliation and Provisioning for more information.
You can specify a list of accounts that must be excluded from reconciliation and provisioning operations. Accounts whose user IDs you specify in the exclusion list are not affected by reconciliation and provisioning operations.
Configuring Resource Exclusion Lists describes the procedure to add entries in these lookup definitions.
Table 1-3 provides information about user attribute mappings for target resource reconciliation and provisioning.
Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning

Process Form Field | Target System Field (User Schema) | Description |
---|---|---|
Alias | Alias | Alias of the user |
Cell Phone | CellPhone | Cell phone number of the user |
Department | Department | Department of the user |
Division | Division | Division of the user |
 | EmailAddr | Email ID of the user |
Employee Number | EmployeeNumber | Employee number of the user |
First Name | FirstName | First name of the user |
Job Title | JobTitle | Job title of the user |
Last Name | LastName | Last name of the user |
Middle Name | MiddleName | Middle name of the user |
Password | __PASSWORD__ | User's password. Note: The Password field can only be updated. It cannot be reconciled. |
Region | Region | Region of the user |
Return ID | __UID__ | UID of the user |
Role[LOOKUP] | Role | User's role |
User Login Id | UserLoginId | User's login ID |
Work Phone | PhoneNumber | Phone number of the user |
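The mappings in Table 1-3 are not symmetric: `__PASSWORD__` may be sent during provisioning but is never reconciled, `__UID__` is returned by the target rather than sent to it, and `Role[LOOKUP]` is resolved through the Lookup.CRMOD.Roles lookup definition. The following added Python illustration (not connector code) applies the table in both directions with those three cases handled. The lookup contents and the convention that the target receives the lookup's decode value are assumptions; the email row is omitted because its process form field name does not appear on this page.

```python
# Added illustration, not connector code: Table 1-3 applied in both directions
# with the password, __UID__ and Role[LOOKUP] special cases.
from typing import Dict

# Process form field -> target user schema field, as listed in Table 1-3.
FORM_TO_TARGET: Dict[str, str] = {
    "Alias": "Alias", "Cell Phone": "CellPhone", "Department": "Department",
    "Division": "Division", "Employee Number": "EmployeeNumber",
    "First Name": "FirstName", "Job Title": "JobTitle", "Last Name": "LastName",
    "Middle Name": "MiddleName", "Password": "__PASSWORD__", "Region": "Region",
    "Return ID": "__UID__", "Role": "Role", "User Login Id": "UserLoginId",
    "Work Phone": "PhoneNumber",
}
TARGET_TO_FORM = {t: f for f, t in FORM_TO_TARGET.items()}

PROVISION_ONLY = {"__PASSWORD__"}               # can be updated, never reconciled
RETURN_ONLY = {"__UID__"}                       # set by the target, never sent to it
LOOKUP_FIELDS = {"Role": "Lookup.CRMOD.Roles"}  # Role[LOOKUP]

# Constructed lookup contents; the real entries are populated by the
# CRM On Demand Role Lookup Recon job. Assumption: code key -> decode value,
# and the target receives the decode value.
LOOKUPS = {"Lookup.CRMOD.Roles": {"ROLE-SALES": "Sales Rep",
                                  "ROLE-ADMIN": "Administrator"}}


def to_provisioning_payload(form: Dict[str, str], lookups=LOOKUPS) -> Dict[str, str]:
    """Process form -> attributes sent to the target on create/update."""
    payload: Dict[str, str] = {}
    for form_field, value in form.items():
        target_field = FORM_TO_TARGET.get(form_field)
        if target_field is None:
            raise KeyError(f"unmapped process form field: {form_field}")
        if target_field in RETURN_ONLY or value in (None, ""):
            continue                             # __UID__ and blanks are not sent
        if form_field in LOOKUP_FIELDS:
            # Unknown code -> KeyError: the lookup has not been synchronized.
            value = lookups[LOOKUP_FIELDS[form_field]][value]
        payload[target_field] = value
    return payload


def to_process_form(record: Dict[str, str], lookups=LOOKUPS) -> Dict[str, str]:
    """Reconciled target record -> process form values."""
    form: Dict[str, str] = {}
    for target_field, value in record.items():
        if target_field in PROVISION_ONLY:
            continue                             # the password is never reconciled
        form_field = TARGET_TO_FORM.get(target_field)
        if form_field is None:
            continue                             # needs a custom attribute mapping
        if form_field in LOOKUP_FIELDS:
            codes = {v: k for k, v in lookups[LOOKUP_FIELDS[form_field]].items()}
            value = codes.get(value, value)      # unsynchronized role stays raw
        form[form_field] = value
    return form


if __name__ == "__main__":
    print(to_provisioning_payload({"First Name": "Jo", "User Login Id": "jdoe",
                                   "Password": "placeholder-pw", "Role": "ROLE-SALES"}))
    print(to_process_form({"__UID__": "1-0001", "FirstName": "Jo", "Role": "Administrator"}))
```

Raising on an unmapped process form field, rather than silently dropping it, is deliberate: a custom attribute that was added to the form but not to the mapping would otherwise never reach the target and the omission would go unnoticed.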