This chapter discusses the following optional procedures:
Note:
From Oracle Identity Manager Release 11.1.2 onward, lookup queries are not supported. See Managing Lookups of Oracle Fusion Middleware Administering Oracle Identity Manager guide for information about managing lookups by using the Form Designer in Oracle Identity Manager System Administration.
Adding New Standard SAP BusinessObjects AC Access Request Management Attributes for Provisioning
Removing SAP BusinessObjects AC Access Request Management Attributes from Process Form
Configuring Validation of Data During Reconciliation and Provisioning
Configuring Transformation of Data During User Reconciliation
Configuring the Connector for Multiple Installations of the Target System
This section describes the procedure to determine the names of standard single-valued target system attributes that you want to add for reconciliation or provisioning. The names that you determine are used to determine values for the Decode column of the lookup definitions such as Lookup.SAPUME.UM.ReconAttrMap and Lookup.SAPUME.UM.ProvAttrMap that hold attribute mappings.
To determine the name of a target system attribute that you want to add for reconciliation or provisioning:
You can map new attributes between Oracle Identity manager and the target system for reconciliation.
Note:
This section describes an optional procedure. Perform this procedure only if you want to add new attributes for target resource reconciliation.
You must ensure that new attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.
By default, the attributes listed in User Attributes for Reconciliation are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for target resource reconciliation.
To add a new attribute for target resource reconciliation, perform the procedures listed in the following sections:
Adding the New Attribute to the List of Reconciliation Field in the Resource Object
Creating a Reconciliation Field Mapping for the New AttributeCreating an Entry for the Attribute in the Lookup Definition for Reconciliation
Creating an Entry for the Attribute in the Lookup Definition for Reconciliation
To add a new attribute for target resource reconciliation:
Add the new attribute to the list of reconciliation fields in the resource object as follows:
Create a reconciliation field mapping for the new attribute in the process definition form as follows:
If you are using Oracle Identity Manager release prior to 11.1.2, create an entry for the attribute in the lookup definition for reconciliation as follows:
If you are using Oracle Identity Manager release prior to 11.1.2, define the connector. If you are planning to perform any of the other procedures described in this chapter, perform those procedures and then define the connector. See Defining the Connector for more information.
If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.
You can map addition attributes for provisioning between Oracle Identity Manager and the target system.
Note:
This section describes an optional procedure. Perform this procedure only if you want to add new attributes for provisioning.
By default, the attributes listed in User Attributes for Provisioning are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.
To add a new attribute for provisioning, perform the procedures listed in the following sections:
Note:
You need not perform steps that you have already performed as part of the procedure described in Adding New Attributes for Reconciliation.
To create a new version of a process form:
If you have added the attribute on the process form by performing Creating a New Version of the Process Form then you need not add the attribute again. If you have not added the attribute, then:
Create an entry for the attribute in the lookup definition for provisioning as follows:
When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:
Run the PurgeCache utility to clear content related to request datasets from the server cache.
See Purging Cache in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about the PurgeCache utility.
Import this modified request datasets in XML format using the deployment manager.
See Importing Request Datasets Using Deployment Manager for detailed information about the procedure.
To enable the update of a new attribute for provisioning a user:
Define the connector. If you are planning to perform any of the other procedures described in this chapter, perform those procedures and then define the connector. See Defining the Connector for more information.
If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.
You can map additional single-valued attributes between Oracle Identity Manager and SAP BusinessObjects AC Access Request Management.
By default, the attributes listed in Table 1-6 and Table 1-10 are mapped for sending requests from Oracle Identity Manager to SAP BusinessObjects AC Access Request Management. If required, you can map additional single-valued attributes.
Note:
Perform the procedure described in this section only if you want to map additional standard Access Request Management attributes for requests sent from Oracle Identity Manager to Access Request Management.
To add a new SAP BusinessObjects AC Access Request Management attribute for provisioning, perform the procedures in the following sections:
If the attribute does not already exist on the process form, then add it on the process form as follows:
Create an entry for the attribute in the Lookup.SAPAC10UME.UM.ProvAttrMap lookup definition as follows:
Create a process task to enable update of the attribute during provisioning operations if the following conditions are true:
The task does not already exist.
This attribute exists on both SAP BusinessObjects AC Access Request Management and the target system.
Note:
If you do not perform this procedure, then you will not be able to modify the value of the attribute after you set a value for it during the Create User provisioning operation.
To enable the update of the attribute during provisioning operations, add a process task for updating the attribute:
If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.
You can remove SAP BusinessObjects AC Access Request Management attributes if the connector is not configured for SAP BusinessObjects AC.
The form attributes used for Access Request Management are prefixed with AC. These attributes are available in the process form. If the connector is not configured for SAP BusinessObjects AC, then the AC-specific attributes can be removed manually. See SAP BusinessObjects AC Access Request Management Attributes for list of attributes.
To remove the AC attributes from the process form:
From Oracle Identity Manager Design Console, expand Development Tools.
Double-click Form Designer.
Search for and open the UD_SAPACUME process form.
Click Create New Version.
In the Label field, enter the version name. For example, version#1.
Click the Save icon.
Select the current version created in Step 5 from the Current Version list.
Select the AC field to be removed.
Click Delete to remove the selected attribute row from the form.
Similarly, repeat Steps 8 and 9 until you remove all the AC attributes.
Click the Save icon. The following screenshot shows to remove the AC attributes from the process form:
Click Make Version Active.
If you are using Oracle Identity Manager release 11.1.1, after you remove an attribute on the process form, you must update the XML file containing the request dataset definitions. To update a request dataset:
Locate and open the SAPUME-Datasets.xml file, which is located in the xml directory of the installation media.
Search for and find the AC field tags. You can either comment or delete the entire set of AC field tags in the XML file.
Save and close the XML file.
Run the PurgeCache utility to clear content related to request datasets from the server cache.
Import into MDS the request dataset definitions in XML format.
See Importing Request Datasets Using Deployment Manager for detailed information about the procedure.
The form attributes used for Access Request Management are prefixed with AC. These attributes are available in the process form.
The following is the list of AC attributes:
AC Manager
AC Manager email
AC Priority
AC System
AC Requestor ID
AC Requestor email
AC Request Reason
AC Manager First Name
AC Manager Last Name
AC Manager Telephone
AC Request Due Date
AC Functional Area
AC Business Process
AC Requestor First Name
AC Requestor Last Name
AC Requestor Telephone
AC Company
You can configure validation of reconciled and provisioned single-valued data according to your requirements. For example, you can validate data fetched from the First Name attribute to ensure that it does not contain the number sign (#). In addition, you can validate data entered in the First Name field on the process form so that the number sign (#) is not sent to the target system during provisioning operations.
Note:
This feature cannot be applied to the Locked/Unlocked status attribute of the target system.
To configure validation of data:
Write code that implements the required validation logic in a Java class.
This validation class must implement the validate method.
The following sample validation class checks if the value in the First Name attribute contains the number sign (#):
package com.validationexample; import java.util.HashMap; public class MyValidator { public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) throws ConnectorException { /* You must write code to validate attributes. Parent * data values can be fetched by using hmUserDetails.get(field) * For child data values, loop through the * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table") * Depending on the outcome of the validation operation, * the code must return true or false. */ /* * In this sample code, the value "false" is returned if the field * contains the number sign (#). Otherwise, the value "true" is * returned. */ boolean valid = true; String sFirstName = (String) hmUserDetails.get(sField); for (int i = 0; i < sFirstName.length(); i++) { if (sFirstName.charAt(i) == '#') { valid = false; break; } } return valid; } }
If you created the Java class for validating a process form field for reconciliation, then:
Log in to the Design Console.
Search for and open the Lookup.SAPUME.UM.ReconValidation or create another custom name) lookup definition.
Note:
If you cannot find the Lookup.SAPUME.UM.ReconValidation lookup definition, create a new lookup definition.
In the Code Key column, enter the resource object field name that you want to validate.
In the Decode column, enter the class name. For example, com.VALIDATIONEXAMPLE.MYVALIDATOR.
Save the changes to the lookup definition.
Search for and open the Lookup.SAPUME.Configuration lookup definition.
In the Code Key column, enter Recon Validation Lookup.
In the Decode column, enter the name of the lookup you created in step 2.b.
Save the changes to the lookup definition.
If you created the Java class for validating a process form field for provisioning, then:
Log in to the Design Console.
Search for and open the Lookup.SAPUME.UM.ProvValidation or create another custom name) lookup definition.
Note:
If you cannot find the Lookup.SAPUME.UM.ProvValidation lookup definition, create a new lookup definition.
In the Code Key column, enter the process form field name that you want to validate.
In the Decode column, enter the class name. For example, com.VALIDATIONEXAMPLE.MYVALIDATOR.
Save the changes to the lookup definition.
Search for and open the Lookup.SAPUME.Configuration lookup definition.
In the Code Key column, enter Provisioning Validation Lookup.
In the Decode column, enter Lookup.SAPUME.UM.ProvValidation
or enter the name of the lookup you created in step 3.b.
Save the changes to the lookup definition.
You can configure transformation of reconciled single-valued user data according to your requirements. For example, you can use First Name and Last Name values to create a value for the Full Name field in Oracle Identity Manager.
Note:
This feature cannot be applied to the Locked/Unlocked status attribute of the target system.
To configure transformation of single-valued user data fetched during reconciliation:
You might want to modify the lengths of fields (attributes) on the process form. For example, if you use the Japanese locale, then you might want to increase the lengths of process form fields to accommodate multibyte data from the target system.
If you want to modify the length of a field on the process form, then:
You might want to configure the connector for multiple installations of the target system.
The following example illustrates this requirement:
The London and New York offices of Example Multinational Inc. have their own installations of the target system. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of the target system.
To meet the requirement posed by such a scenario, you can create copies of connector objects, such as the IT resource and resource object.
The decision to create a copy of a connector object might be based on a requirement. For example, an IT resource can hold connection information for one target system installation. Therefore, it is mandatory to create a copy of the IT resource for each target system installation.
With some other connector objects, you do not need to create copies at all. For example, a single attribute-mapping lookup definition can be used for all installations of the target system.
If you want to create copies of all the objects that constitute the connector, then see Cloning Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.
By using the Identity System Administration, you can define a customized or reconfigured connector. Defining a connector is equivalent to registering the connector with Oracle Identity Manager.
A connector is automatically defined when you install it using the Install Connectors feature or when you upgrade it using the Upgrade Connectors feature. You must manually define a connector if:
You import the connector by using the Deployment Manager.
You customize or reconfigure the connector.
You upgrade Oracle Identity Manager.
The following events take place when you define a connector:
A record representing the connector is created in the Oracle Identity Manager database. If this record already exists, then it is updated:
The status of the newly defined connector is set to Active. In addition, the status of a previously installed release of the same connector automatically is set to Inactive.
See Defining Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about the procedure to define connectors.