3 Using the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Configuring Reconciliation

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system, designated as a target resource.

By default, user accounts are reconciled in batches of 50 records. The maximum batch size permitted by Oracle CRM On Demand is 100. To change the batch size, specify a value for the Batch Size attribute of the reconciliation scheduled job. If you provide a batch size greater than 100, then the connector treats the Batch Size as 100. See Section 3.2.3, "Configuring Scheduled Jobs" for instructions to specify a value for this attribute.

During a reconciliation run:

  • For each account created on the target system, a resource is assigned to the corresponding OIM User.

  • Updates made to each account on the target system are propagated to the corresponding resource.

This section discusses the following topics related to configuring reconciliation:

3.1.1 Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.

To perform a full reconciliation run, remove (delete) any values currently assigned to the Filter and the Latest Token attributes of the CRM On Demand User Target Reconciliation scheduled job. See Section 3.2.2, "Scheduled Job for Reconciliation" for information about this scheduled job.

3.1.2 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

The connector provides a Filter attribute that allows you to use any of the Oracle CRM On Demand resource attributes to filter the target system records. You can use any of the values specified in the Decode column of the Lookup.CRMOD.UM.ReconAttrMap lookup definition. See Section 2.3.6.2, "Lookup.CRMOD.UM.ReconAttrMap" for more information.

You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use Oracle CRM On Demand resource attributes to filter the target system records.

For detailed information about ICF Filters, see the "ICF Filter Syntax" section of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

While deploying the connector, follow the instructions in Section 3.2.3, "Configuring Scheduled Jobs" to specify attribute values.

3.1.3 Reconciliation Rule for Target Resource Reconciliation

The following is the process-matching rule:

Rule name: CRMOD Recon Rule

Rule element: User Login Equals User Login Id

In this rule:

  • User Login is the User Login for Oracle Identity Manager.

  • User Login Id is the User Login for the target system.

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for CRMOD Recon Rule. Figure 3-1 shows the reconciliation rule for target resource reconciliation.

    Figure 3-1 Reconciliation Rule for Target Resource Reconciliation


3.1.4 Reconciliation Action Rules for Target Resource Reconciliation

Table 3-1 lists the action rules for target resource reconciliation.

Table 3-1 Action Rules for Target Resource Reconciliation

| Rule Condition | Action |
| --- | --- |
| No Matches Found | None |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the CRM On Demand resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.
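The following added example is not part of the connector or of Oracle's documentation. It models one reconciliation run as described in Section 3.1: batch size capping, full versus incremental selection through Latest Token, the CRMOD Recon Rule, and the action rules in Table 3-1. The record layout, the in-memory OimState class, the exact string comparison of logins, and all function names are assumptions made for illustration.

```python
# Simplified model of a target resource reconciliation run (added example).
# Assumptions: records are plain dicts, OIM state is held in memory, and
# User Login values are compared as exact strings. All names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

MAX_BATCH = 100      # maximum batch size permitted by Oracle CRM On Demand
DEFAULT_BATCH = 50   # default Batch Size of the reconciliation scheduled job

# Table 3-1. A rule condition that is not listed results in no action.
ACTION_RULES = {
    "No Matches Found": "None",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}

@dataclass
class OimState:
    users: set                                     # OIM User Login values
    resources: dict = field(default_factory=dict)  # User Login Id -> linked account data
    latest_token: Optional[int] = None             # empty means full reconciliation

def effective_batch_size(requested=None):
    """A Batch Size greater than 100 is treated as 100."""
    return DEFAULT_BATCH if requested is None else min(requested, MAX_BATCH)

def rule_condition(record, oim):
    """Apply CRMOD Recon Rule: User Login Equals User Login Id."""
    login_id = record["User Login Id"]
    if login_id in oim.resources:      # account is already linked to a resource
        return "One Process Match Found"
    if login_id in oim.users:          # OIM User exists, no resource yet
        return "One Entity Match Found"
    return "No Matches Found"

def reconcile(target_records, oim, batch_size=None):
    size = effective_batch_size(batch_size)
    if oim.latest_token is None:       # Latest Token cleared: full run
        pending = list(target_records)
    else:                              # incremental: modified after the last run
        pending = [r for r in target_records if r["ModifiedDate"] > oim.latest_token]
    report = {"batches": 0, "linked": [], "updated": [], "no_action": []}
    for start in range(0, len(pending), size):
        report["batches"] += 1
        for rec in pending[start:start + size]:
            cond = rule_condition(rec, oim)
            login_id = rec["User Login Id"]
            if ACTION_RULES.get(cond, "None") == "Establish Link":
                key = "updated" if cond == "One Process Match Found" else "linked"
                oim.resources[login_id] = dict(rec)
                report[key].append(login_id)
            else:
                report["no_action"].append(login_id)
    if pending:
        oim.latest_token = max(r["ModifiedDate"] for r in pending)
    return report

def stale_resources(target_records, oim):
    """Resources in OIM whose account no longer exists on the target system."""
    live = {r["User Login Id"] for r in target_records}
    return sorted(set(oim.resources) - live)

if __name__ == "__main__":
    # Constructed sample data.
    oim = OimState(users={"JDOE", "ASMITH"})
    run1 = [{"User Login Id": "JDOE", "ModifiedDate": 1000},
            {"User Login Id": "ASMITH", "ModifiedDate": 1001},
            {"User Login Id": "SVC_EXPORT", "ModifiedDate": 1002}]
    print(reconcile(run1, oim, batch_size=500))
    run2 = [{"User Login Id": "JDOE", "ModifiedDate": 2000},
            {"User Login Id": "SVC_EXPORT", "ModifiedDate": 1002}]
    print(reconcile(run2, oim))
    print(stale_resources(run2, oim))
```

In the model, target accounts with no matching OIM User land in no_action, and accounts deleted on the target system remain linked in OIM because the scheduled job does not reconcile deletions; stale_resources shows one way to list the latter for review.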

3.2 Scheduled Jobs

When you run the Connector Installer or import the connector XML file, the following reconciliation scheduled jobs are automatically created in Oracle Identity Manager:

This section discusses the following topics related to scheduled jobs:

3.2.1 Scheduled Job for Lookup Field Synchronization

The following scheduled job is used for lookup field synchronization:

  • CRM On Demand Role Lookup Recon

    This scheduled job is used to synchronize the roles available on the target system into the Lookup.CRMOD.Roles lookup definition.

You must specify values for the attributes described in Table 3-2 for this scheduled job. The procedure to configure a scheduled job is described later in the guide.

Table 3-2 Attributes of the Scheduled Job for Lookup Field Synchronization

| Attribute | Description |
| --- | --- |
| Code Key Attribute | Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: __NAME__. Note: You must not change the value of this attribute. |
| Decode Attribute | Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: __NAME__ |
| Filter | Expression for filtering records that must be reconciled by the scheduled job. By default, the value of this attribute is empty. Sample value: equalTo('__NAME__','Administrator'). See Section 3.1.2, "Limited Reconciliation" for the syntax of this expression. |
| IT Resource Name | Name of the IT resource for the target system installation from which you want to reconcile user records. Default value: CRM On Demand |
| Lookup Name | Name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Default value: Lookup.CRMOD.Roles |
| Object Type | Type of object whose values must be synchronized. Default value: __ROLES__. Note: You must not change the value of this attribute. |


3.2.2 Scheduled Job for Reconciliation

The CRM On Demand User Target Reconciliation scheduled task is used to reconcile user data in the target resource (account management) mode of the connector.

Note:

The scheduled job does not support reconciliation of deleted records.

Table 3-3 describes the attributes of the scheduled job.

Table 3-3 Attributes of the Scheduled Job for Reconciliation

| Attribute | Description |
| --- | --- |
| Batch Size | Number of records that must be included in each batch. Default value: 50 |
| Filter | Expression for filtering records that must be reconciled by the scheduled job. By default, the value of this attribute is empty. Sample value: equalTo('Alias','SEPT12USER1'). See Section 3.1.2, "Limited Reconciliation" for the syntax of this expression. |
| IT Resource Name | Name of the IT resource for the target system installation from which you want to reconcile user records. Default value: CRM On Demand |
| Latest Token | Time stamp in the long format of the maximum value for the ModifiedDate attribute of the user records on the target system. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value for this attribute. If you set this attribute to an empty value, then incremental reconciliation operations fetch all the records (perform full reconciliation). |
| Object Type | Type of object you want to reconcile. Default value: User. Note: Do not modify the value of this attribute. |
| Resource Object Name | Name of the resource object that is used for reconciliation. Default value: CRM On Demand |
| Scheduled Job Name | Name of the scheduled job. Default value: CRM On Demand User Target Reconciliation. Note: For the scheduled job shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the job, then you can enter the unique name for that scheduled job as the value of this attribute. |


3.2.3 Configuring Scheduled Jobs

To configure a scheduled job:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 11.1.1:

      1. Log in to the Administrative and User Console.

      2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    • For Oracle Identity Manager release 11.1.2.x:

      1. Log in to Oracle Identity System Administration.

      2. Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see the "Managing Sandboxes" section of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

      3. In the left pane, under System Management, click Scheduler.

  2. Search for and open the scheduled job as follows:

    1. If you are using Oracle Identity Manager release 11.1.1, then on the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    2. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    3. In the search results table on the left pane, click the scheduled job in the Job Name column.

  3. On the Job Details tab, you can modify the following parameters:

    Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  4. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled job.

  5. After specifying the attributes, click Apply to save the changes.

    Note:

    The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to start, stop, or reinitialize the scheduler.

3.3 Configuring Provisioning in Oracle Identity Manager Release 11.1.1

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Section 3.3.4, "Switching Between Request-Based Provisioning and Direct Provisioning."

The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

  • Provisioning triggered by policy changes

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about the types of provisioning

This section discusses the following topics:

3.3.1 Guidelines on Performing Provisioning Operations

The following are guidelines that you must apply while performing provisioning operations:

  • Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, run the scheduled jobs for lookup field synchronization before provisioning operations.

  • The Reports To field on the process form expects values in the FirstName LastName format.

  • Passwords for user accounts provisioned from Oracle Identity Manager must adhere to the password policy set in the target system.

  • The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Manager fields.

  • The connector uses the SetPasswordAPI method for provisioning user passwords. On the Oracle CRM On Demand target system, even when users A and B both have the ability to set passwords, user A cannot update the password of user B.

3.3.2 Configuring Direct Provisioning

When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

In direct provisioning, the Oracle Identity Manager administrator uses the Administrative and User Console to create a target system account for a user.

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. On the Welcome to Identity Administration page, in the Users region, click Create User.

  3. On the Create User page, enter values for the OIM User fields, and then click the save icon.

  4. If you want to provision a target system account to an existing OIM User, then:

    • On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

    • From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  5. On the user details page, click the Resources tab.

  6. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  7. On the Step 1: Select a Resource page, select CRM On Demand from the list and then click Continue.

  8. On the Step 2: Verify Resource Selection page, click Continue.

  9. On the Step 5: Provide Process Data for User Details page, enter the details of the account that you want to create on the target system and then click Continue.

  10. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  11. Close the window displaying the "Provisioning has been initiated" message.

  12. On the Resources tab, click Refresh to view the newly provisioned resource.

3.3.3 Configuring Request-Based Provisioning

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager.

The following are features of request-based provisioning:

  • A user can be provisioned only one resource (account) on the target system.

    Note:

    Direct provisioning allows the provisioning of multiple target system accounts on the target system.

  • Direct provisioning cannot be used if you enable request-based provisioning.

The following sections discuss the steps to be performed to enable request-based provisioning:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.3.3.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

See Also:

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about these steps

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Advanced in the upper-right corner of the page.

  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.

  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.

  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.

  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.

  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

  10. From the Available Resources list, select CRM On Demand, move it to the Selected Resources list, and then click Next.

  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

  12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.

  14. To view details of the approval, on the Request Details page, click the Request History tab.

3.3.3.2 Approver's Role in Request-Based Provisioning

The following are steps that the approver can perform in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.

  2. On the Welcome page, click Self-Service in the upper-right corner of the page.

  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.

  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.

  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.3.3.3 Importing Request Datasets Using Deployment Manager

See Also:

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about importing objects from an XML file using the Deployment Manager

A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation.

To import a request dataset XML file by using the Deployment Manager:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management.

    A dialog box for opening files is displayed.

  4. Locate and open the request dataset XML file, CRMOD-Datasets.xml, which is in the xml directory of the installation media.

    Details of this XML file are shown on the File Preview page.

  5. Click Add File.

    The Substitutions page is displayed.

  6. Click Next.

    The Confirmation page is displayed.

  7. Click Import.

  8. Close the Deployment Manager dialog box.

    The request dataset is imported into Oracle Identity Manager.

3.3.3.4 Enabling the Auto Save Form Feature

To enable the Auto Save Form feature:

  1. Log in to the Design Console.

  2. Expand Process Management, and then double-click Process Definition.

  3. Search for and open the CRM On Demand process definition.

  4. Select the Auto Save Form check box.

  5. Click the save icon.

3.3.3.5 Running the PurgeCache Utility

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.3.9, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.

The procedure to configure request-based provisioning ends with this step.

3.3.4 Switching Between Request-Based Provisioning and Direct Provisioning

Note:

It is assumed that you have performed the procedure described in Section 3.3.3, "Configuring Request-Based Provisioning."

To switch from request-based provisioning to direct provisioning:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the CRM On Demand process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the CRM On Demand resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the save icon.

To switch from direct provisioning back to request-based provisioning:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the CRM On Demand process definition.

    3. Select the Auto Save Form check box.

    4. Click the save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the CRM On Demand resource object.

    3. Select the Self Request Allowed check box.

    4. Click the save icon.

3.4 Configuring Provisioning in Oracle Identity Manager Release 11.1.2

To configure provisioning operations in Oracle Identity Manager release 11.1.2.x:

Note:

The first provisioning operation that you perform by using this connector takes longer than usual to complete.

  1. Log in to Oracle Identity Administrative and User console.

  2. Create a user. See the "Managing Users" chapter in Oracle Fusion Middleware User's Guide for Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. On the Catalog page, search for and add to cart the application instance, and then click Checkout.

    See Section 2.3.1, "Configuring Oracle Identity Manager 11.1.2 or Later" for related procedures.

  5. Specify values for fields in the application form and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision a CRM On Demand User, then:

    1. On the Users page, search for the required user.

    2. On the user details page, click Accounts.

    3. Click the Request Accounts button.

    4. Search for the CRM On Demand application instance in the catalog search box and select it.

    5. Click Add to Cart.

    6. Click Checkout.

    7. Specify values for fields in the application form and then click Ready to Submit.

    8. Click Submit.