4 Extending the Functionality of the Connector

You can extend the functionality of the connector to address your specific business requirements.

This chapter discusses the following optional procedures:

Note:

From Oracle Identity Manager Release 11.1.2 onward, lookup queries are not supported. See Managing Lookups in Oracle Fusion Middleware Administering Oracle Identity Manager for information about managing lookups by using the Form Designer in Oracle Identity Manager System Administration.

4.1 Determining the Names of Target System Attributes

This section describes the procedure to determine the names of standard single-valued target system attributes that you want to add for reconciliation or provisioning. You use these names as values for the Decode column of lookup definitions that hold attribute mappings, such as Lookup.SAPUME.UM.ReconAttrMap and Lookup.SAPUME.UM.ProvAttrMap.

To determine the name of a target system attribute that you want to add for reconciliation or provisioning:

  1. Open the schema.xml file provided with AS Java.
  2. In the section containing the object class definition for sapuser, locate the memberAttributes element, which defines the list of available attributes.

4.2 Adding New Attributes for Reconciliation

You can map new attributes between Oracle Identity Manager and the target system for reconciliation.

Note:

This section describes an optional procedure. Perform this procedure only if you want to add new attributes for target resource reconciliation.

You must ensure that new attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.

By default, the attributes listed in User Attributes for Reconciliation are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for target resource reconciliation.

To add a new attribute for target resource reconciliation, perform the procedures listed in the following sections:

4.2.1 Creating a New Version of the Process Form

To add a new attribute for target resource reconciliation:

  1. Log in to Oracle Identity Manager Design Console.
  2. Expand Development Tools.
  3. Double-click Form Designer.
  4. Search for and open the SAPUME process process form.
  5. Click Create New Version.
  6. In the Label field, enter the version name. For example, version#1.
  7. Click the Save icon.
  8. Select the current version created in Step 5 from the Current Version list.
  9. Click Add to create a new attribute, and provide the values for that attribute.

    For example, if you are adding the Certificate attribute, then enter the following values in the Additional Columns tab:

    | Field | Value |
    |---|---|
    | Name | Certificate |
    | Variant Type | String |
    | Length | 100 |
    | Field Label | certificate |
    | Order | 20 |

    The following screenshot shows this form:

  10. Click the Save icon.
  11. Click Make Version Active.

4.2.2 Adding the New Attribute to the List of Reconciliation Fields in the Resource Object

Add the new attribute to the list of reconciliation fields in the resource object as follows:

  1. Expand Resource Management.
  2. Double-click Resource Objects.
  3. Search for and open the SAPUME Resource Object resource object.
  4. On the Object Reconciliation tab, click Add Field, and then enter the following values:

    Field Name: Certificate

    Field Type: String

  5. Click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.
  6. Click the Save icon.

4.2.3 Creating a Reconciliation Field Mapping for the New Attribute

Create a reconciliation field mapping for the new attribute in the process definition form as follows:

  1. Expand Process Management.
  2. Double-click Process Definition.
  3. Search for and open the SAPUME process process definition.
  4. On the Reconciliation Field Mappings tab, click Add Field Map, and then select the following values:

    Field Name: Certificate

    Field Type: String

    Process Data Field:

  5. Click the Save icon.

4.2.4 Creating an Entry for the Attribute in the Lookup Definition for Reconciliation

If you are using Oracle Identity Manager release prior to 11.1.2, create an entry for the attribute in the lookup definition for reconciliation as follows:

  1. Expand Administration.
  2. Double-click Lookup Definition.
  3. Search for and open the Lookup.SAPUME.UM.ReconAttrMap lookup definition.
  4. Click Add and enter the Code Key and Decode values for the attribute. The Code Key value must be the name of the resource object field. The Decode value is the name of the attribute in the target system.

    For example, enter Certificate in the Code Key field and then enter certificate in the Decode field.

  5. Click the Save icon.

4.2.5 Defining the Connector

If you are using Oracle Identity Manager release prior to 11.1.2, define the connector. If you are planning to perform any of the other procedures described in this chapter, perform those procedures and then define the connector. See Defining the Connector for more information.

4.2.6 Creating a New UI Form to make the New Attribute Visible

If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.

4.3 Adding New Attributes for Provisioning

You can map additional attributes for provisioning between Oracle Identity Manager and the target system.

Note:

This section describes an optional procedure. Perform this procedure only if you want to add new attributes for provisioning.

By default, the attributes listed in User Attributes for Provisioning are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.

To add a new attribute for provisioning, perform the procedures listed in the following sections:

Note:

You need not perform steps that you have already performed as part of the procedure described in Adding New Attributes for Reconciliation.

4.3.1 Creating a New Version of the Process Form

To create a new version of a process form:

If you have added the attribute on the process form by performing Creating a New Version of the Process Form then you need not add the attribute again. If you have not added the attribute, then:

  1. Log in to Oracle Identity Manager Design Console.
  2. Expand Development Tools.
  3. Double-click Form Designer.
  4. Search for and open the UD_SAPUME process form.
  5. Click Create New Version.
  6. In the Label field, enter the version name. For example, version#1.
  7. Click the Save icon.
  8. Select the current version created in Step 5 from the Current Version list.
  9. Click Add to create a new attribute, and provide the values for that attribute.

    For example, if you are adding the certificate attribute, then enter the following values in the Additional Columns tab:

    | Field | Value |
    |---|---|
    | Name | certificate |
    | Variant Type | String |
    | Length | 100 |
    | Field Label | Certificate |
    | Order | 20 |

    The following screenshot shows this form:

  10. Click the Save icon.
  11. Click Make Version Active.

4.3.2 Creating an Entry for the Attribute in the Lookup Definition for Provisioning

Create an entry for the attribute in the lookup definition for provisioning as follows:

  1. Expand Administration.
  2. Double-click Lookup Definition.
  3. Search for and open the Lookup.SAPUME.UM.ProvAttrMap lookup definition.
  4. Click Add and enter the Code Key and Decode values for the attribute. The Code Key value must be the value specified in the Field Label column in the process form. The Decode value is the name of the attribute in the target system.

    For example, enter Certificate in the Code Key field and then enter certificate in the Decode field.

  5. Click the Save icon.

4.3.3 Updating the Request Dataset

When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:

  1. In a text editor, open the SAPUME-Datasets.xml file located in the xml directory of the installation media.
  2. Add the AttributeReference element and specify values for the mandatory attributes of this element.

    For example, while performing Step 2 of this procedure, if you added certificate as an attribute on the process form, then enter the following line:

    <AttributeReference
    name = "Certificate"
    attr-ref = "Certificate"
    type = "String"
    widget = "text"
    length = "50"
    available-in-bulk = "false"/>
    

    In this AttributeReference element:

    • For the name attribute, enter the value in the Name column of the process form without the tablename prefix.

      For example, if UD_SAPUME_CERTIFICATE is the value in the Name column of the process form, then you must specify Certificate as the value of the name attribute in the AttributeReference element.

    • For the attr-ref attribute, enter the value that you entered in the Field Label column of the process form while performing Step 2.

    • For the type attribute, enter the value that you entered in the Variant Type column of the process form while performing Step 2.

    • For the widget attribute, enter the value that you entered in the Field Type column of the process form, while performing Step 2.

    • For the length attribute, enter the value that you entered in the Length column of the process form while performing Step 2.

    • For the available-in-bulk attribute, specify true if the attribute must be available during bulk request creation or modification. Otherwise, specify false.

    While performing Step 2, if you added more than one attribute on the process form, then repeat this step for each attribute added.

  3. Save and close the XML file.

4.3.4 Running the PurgeCache Utility to Clear Content Related to Request Datasets

Run the PurgeCache utility to clear content related to request datasets from the server cache.

See Purging Cache in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about the PurgeCache utility.

4.3.5 Importing the Modified Request Datasets Using the Deployment Manager

Import the modified request datasets in XML format by using the Deployment Manager.

See Importing Request Datasets Using Deployment Manager for detailed information about the procedure.

4.3.6 Updating the New Attribute for Provisioning a User

To enable the update of a new attribute for provisioning a user:

  1. Expand Process Management.
  2. Double-click Process Definition and open the SAPUME process process definition.
  3. In the process definition, add a new task for updating the field as follows:
    • Click Add and enter the task name, for example, CellPhone Updated, and the task description.

    • In the Task Properties section, select the following fields:

      Conditional

      Required for Completion

      Allow Cancellation while Pending

      Allow Multiple Instances

    • Click the Save icon.

  4. On the Integration tab, click Add, and then click Adapter.
  5. Select the sapume update adapter, click Save, and then click OK in the message that is displayed.
  6. To map the adapter variables listed in this table, select the adapter, click Map, and then specify the data given in the following table:

    | Variable Name | Data Type | Map To | Qualifier | Literal Value |
    |---|---|---|---|---|
    | Adapter return value | Object | Response code | NA | NA |
    | objectType | String | Literal | String | User |
    | itResourceFieldName | String | Literal | String | UD_SAPUME_RESOURCETYPE |
    | IProcessInstKey | Long | Process data | Iprocessinstance | NA |

  7. On the Responses tab, click Add to add the following response codes:

    | Code Name | Description | Status |
    |---|---|---|
    | ERROR | Error occurred during Certificate update | R |
    | CONNECTOR_EXCEPTION | Certificate update Failed | R |
    | INVALID_CREDENTIAL | Unauthorized user Login | R |
    | UNKNOWN | UNKNOWN | R |
    | CONNECTION_FAILED | Cannot make connection to the resource | R |
    | UNKNOWN_UID | User does not exist in the target | R |
    | SUCCESS | Certificate update Successful | C |

  8. Click the Save icon and then close the dialog box.

4.3.7 Defining the Connector

Define the connector. If you are planning to perform any of the other procedures described in this chapter, perform those procedures and then define the connector. See Defining the Connector for more information.

4.3.8 Creating a New UI Form to Make the New Attribute Visible

If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.

4.4 Adding New Standard SAP BusinessObjects AC Access Request Management Attributes for Provisioning

You can map additional single-valued attributes between Oracle Identity Manager and SAP BusinessObjects AC Access Request Management.

By default, the attributes listed in Table 1-6 and Table 1-10 are mapped for sending requests from Oracle Identity Manager to SAP BusinessObjects AC Access Request Management. If required, you can map additional single-valued attributes.

Note:

Perform the procedure described in this section only if you want to map additional standard Access Request Management attributes for requests sent from Oracle Identity Manager to Access Request Management.

To add a new SAP BusinessObjects AC Access Request Management attribute for provisioning, perform the procedures in the following sections:

4.4.1 Creating a New Version of the Process Form

If the attribute does not already exist on the process form, then add it on the process form as follows:

  1. Log in to Oracle Identity Manager Design Console.
  2. Expand Development Tools, and double-click Form Designer.
  3. Search for and open the UD_SAPACUME process form.
  4. Click Create New Version, and then click Add.
  5. Enter the details of the attribute.

    For example, if you are adding the Telephone field, enter UD_SAPACUME_TELEPHONE in the Name field, and then enter the rest of the details of this field.

  6. Click the Save icon, and then click Make Version Active. The following screenshot shows the new field added to the process form:

4.4.2 Creating an Entry for the Attribute in the Lookup Definition

Create an entry for the attribute in the Lookup.SAPAC10UME.UM.ProvAttrMap lookup definition as follows:

  1. Expand Administration.
  2. Double-click Lookup Definition.
  3. Search for and open the Lookup.SAPAC10UME.UM.ProvAttrMap lookup definition.
  4. Click Add and then enter the Code Key and Decode values for the attribute.

    The Code Key value must be the name of the field on the process form. The Decode value is in the following format:

    FIELD_NAME;CUSTOM
    

    In this format:

    • FIELD_NAME is the name of the attribute.

    • CUSTOM is used to specify that the attribute is a custom attribute on SAP BusinessObjects AC Access Request Management.

4.4.3 Creating a Process Task to Update the Attribute During Provisioning Operations

Create a process task to enable update of the attribute during provisioning operations if the following conditions are true:

  • The task does not already exist.

  • This attribute exists on both SAP BusinessObjects AC Access Request Management and the target system.

Note:

If you do not perform this procedure, then you will not be able to modify the value of the attribute after you set a value for it during the Create User provisioning operation.

To enable the update of the attribute during provisioning operations, add a process task for updating the attribute:

  1. Expand Process Management, and double-click Process Definition.
  2. Search for and open the SAP AC UME process definition.
  3. Click Add.
  4. On the General tab of the Creating New Task dialog box, enter a name and description for the task and then select the following:
    • Conditional

    • Required for Completion

    • Allow Cancellation while Pending

    • Allow Multiple Instances

  5. Click the Save icon.
  6. On the Integration tab of the Creating New Task dialog box, click Add.
  7. In the Handler Selection dialog box, select Adapter, click adpSAPACUMEUPDATE, and then click the Save icon.

    The list of adapter variables is displayed on the Integration tab.

  8. To create the mapping for the first adapter variable:

    Double-click the number of the first row.

    In the Edit Data Mapping for Variable dialog box, enter the following values:

    Variable Name: Adapter return value

    Data Type: Object

    Map To: Response code

    Click the Save icon.

  9. To create mappings for the remaining adapter variables, use the data given in the following table:

    | Variable Name | Map To | Qualifier |
    |---|---|---|
    | fieldValue | ProcessData | Telephone Number |
    | fieldName | Literal | String. For example: UD_SAPACUME_TELEPHONENUMBER |
    | itResourceFieldName | Literal | String. For example: UD_SAPACUME_RESOURCETYPE |
    | objectType | Literal | String. For example: User |
    | IProcessInstanceKey | Process Data | Process Instance |
    | fieldOldValue | Process Data | Telephone Number. Note: Select the Old Value check box. |
    | Adapter Return Variable | Response Code | N/A |

  10. Click the Save icon in the Editing Task dialog box, and then close the dialog box.
  11. Click the Save icon to save changes to the process definition.

4.4.4 Creating a New UI Form and attaching it to the Application Instance to make the New Attribute Visible

If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.

4.5 Removing SAP BusinessObjects AC Access Request Management Attributes from Process Form

You can remove SAP BusinessObjects AC Access Request Management attributes if the connector is not configured for SAP BusinessObjects AC.

The form attributes used for Access Request Management are prefixed with AC. These attributes are available in the process form. If the connector is not configured for SAP BusinessObjects AC, then the AC-specific attributes can be removed manually. See SAP BusinessObjects AC Access Request Management Attributes for the list of attributes.

To remove the AC attributes from the process form:

  1. From Oracle Identity Manager Design Console, expand Development Tools.

  2. Double-click Form Designer.

  3. Search for and open the UD_SAPACUME process form.

  4. Click Create New Version.

  5. In the Label field, enter the version name. For example, version#1.

  6. Click the Save icon.

  7. Select the current version created in Step 5 from the Current Version list.

  8. Select the AC field to be removed.

  9. Click Delete to remove the selected attribute row from the form.

  10. Similarly, repeat Steps 8 and 9 until you remove all the AC attributes.

  11. Click the Save icon. The following screenshot shows how to remove the AC attributes from the process form:

  12. Click Make Version Active.

  13. If you are using Oracle Identity Manager release 11.1.1, after you remove an attribute on the process form, you must update the XML file containing the request dataset definitions. To update a request dataset:

    1. Locate and open the SAPUME-Datasets.xml file, which is located in the xml directory of the installation media.

    2. Search for and find the AC field tags. You can either comment or delete the entire set of AC field tags in the XML file.

    3. Save and close the XML file.

    4. Run the PurgeCache utility to clear content related to request datasets from the server cache.

    5. Import into MDS the request dataset definitions in XML format.

      See Importing Request Datasets Using Deployment Manager for detailed information about the procedure.

4.5.1 SAP BusinessObjects AC Access Request Management Attributes

The form attributes used for Access Request Management are prefixed with AC. These attributes are available in the process form.

The following is the list of AC attributes:

  • AC Manager

  • AC Manager email

  • AC Priority

  • AC System

  • AC Requestor ID

  • AC Requestor email

  • AC Request Reason

  • AC Manager First Name

  • AC Manager Last Name

  • AC Manager Telephone

  • AC Request Due Date

  • AC Functional Area

  • AC Business Process

  • AC Requestor First Name

  • AC Requestor Last Name

  • AC Requestor Telephone

  • AC Company

4.6 Configuring Validation of Data During Reconciliation and Provisioning

You can configure validation of reconciled and provisioned single-valued data according to your requirements. For example, you can validate data fetched from the First Name attribute to ensure that it does not contain the number sign (#). In addition, you can validate data entered in the First Name field on the process form so that the number sign (#) is not sent to the target system during provisioning operations.

Note:

This feature cannot be applied to the Locked/Unlocked status attribute of the target system.

To configure validation of data:

  1. Write code that implements the required validation logic in a Java class.

    This validation class must implement the validate method.

    The following sample validation class checks if the value in the First Name attribute contains the number sign (#):

    package com.validationexample;

    import java.util.HashMap;

    // Assumption: ConnectorException is the Identity Connector Framework class.
    // The original sample does not show this import.
    import org.identityconnectors.framework.common.exceptions.ConnectorException;

    public class MyValidator {
        public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) throws ConnectorException {

            /*
             * You must write code to validate attributes. Parent
             * data values can be fetched by using hmUserDetails.get(field).
             * For child data values, loop through the
             * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table").
             * Depending on the outcome of the validation operation,
             * the code must return true or false.
             */
            /*
             * In this sample code, the value "false" is returned if the field
             * contains the number sign (#). Otherwise, the value "true" is
             * returned.
             */
            String sFirstName = (String) hmUserDetails.get(sField);
            // A missing value contains no number sign. Without this check,
            // the loop below throws a NullPointerException.
            if (sFirstName == null) {
                return true;
            }
            boolean valid = true;
            for (int i = 0; i < sFirstName.length(); i++) {
                if (sFirstName.charAt(i) == '#') {
                    valid = false;
                    break;
                }
            }
            return valid;

        }
    }
    
  2. If you created the Java class for validating a process form field for reconciliation, then:

    1. Log in to the Design Console.

    2. Search for and open the Lookup.SAPUME.UM.ReconValidation (or create another custom name) lookup definition.

      Note:

      If you cannot find the Lookup.SAPUME.UM.ReconValidation lookup definition, create a new lookup definition.

    3. In the Code Key column, enter the resource object field name that you want to validate.

    4. In the Decode column, enter the class name. For example, com.validationexample.MyValidator.

    5. Save the changes to the lookup definition.

    6. Search for and open the Lookup.SAPUME.Configuration lookup definition.

    7. In the Code Key column, enter Recon Validation Lookup.

    8. In the Decode column, enter the name of the lookup you created in step 2.b.

    9. Save the changes to the lookup definition.

  3. If you created the Java class for validating a process form field for provisioning, then:

    1. Log in to the Design Console.

    2. Search for and open the Lookup.SAPUME.UM.ProvValidation (or create another custom name) lookup definition.

      Note:

      If you cannot find the Lookup.SAPUME.UM.ProvValidation lookup definition, create a new lookup definition.

    3. In the Code Key column, enter the process form field name that you want to validate.

    4. In the Decode column, enter the class name. For example, com.validationexample.MyValidator.

    5. Save the changes to the lookup definition.

    6. Search for and open the Lookup.SAPUME.Configuration lookup definition.

    7. In the Code Key column, enter Provisioning Validation Lookup.

    8. In the Decode column, enter Lookup.SAPUME.UM.ProvValidation or enter the name of the lookup you created in step 3.b.

    9. Save the changes to the lookup definition.
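
An allowlist version of the validation class described in this section, as an added example that is not Oracle's code. It keeps the validate(HashMap, HashMap, String) signature of the sample above and uses field names that appear in this chapter; the class name StrictFieldValidator, the per-field rules, and the length limit are assumptions.

```java
package com.validationexample;

import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not Oracle's code. Uses the validate(HashMap, HashMap, String)
 * signature of the sample class; the rules and the length limit are assumptions.
 */
public class StrictFieldValidator {

    // Assumption: equals the Length set for the field on the process form.
    private static final int MAX_LENGTH = 100;

    // One allowlist pattern per field that this class may be mapped to.
    private static final Map<String, Pattern> RULES = new HashMap<String, Pattern>();
    static {
        // Letters and combining marks of any script, plus space, apostrophe,
        // period and hyphen.
        Pattern name = Pattern.compile("[\\p{L}\\p{M} '.\\-]+");
        RULES.put("First Name", name);
        RULES.put("Last Name", name);
        // Optional leading plus sign, then digits, spaces, parentheses, hyphens.
        RULES.put("Telephone Number", Pattern.compile("\\+?[0-9 ()\\-]+"));
    }

    public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) {
        Pattern rule = RULES.get(sField);
        if (rule == null) {
            // Fail closed: the class was mapped to a field it has no rule for.
            return false;
        }
        Object raw = (hmUserDetails == null) ? null : hmUserDetails.get(sField);
        if (raw == null) {
            // No value to check. Whether the field is mandatory is a separate decision.
            return true;
        }
        if (!(raw instanceof String)) {
            return false;
        }
        String value = (String) raw;
        if (value.length() == 0) {
            return true;
        }
        if (value.length() > MAX_LENGTH) {
            return false;
        }
        // matches() tests the whole string, so a single character outside the
        // allowlist (a control character, '#', or a look-alike such as the
        // fullwidth number sign U+FF03) rejects the value.
        return rule.matcher(value).matches();
    }

    // Runs the validator over constructed sample values and prints each result.
    public static void main(String[] args) {
        StrictFieldValidator validator = new StrictFieldValidator();
        String[][] samples = {
            {"First Name", "Anne-Marie"},              // accepted
            {"Last Name", "O'Brien"},                  // accepted
            {"First Name", "J#hn"},                    // rejected: number sign
            {"First Name", "J\uFF03hn"},               // rejected: fullwidth number sign
            {"Last Name", "Smith\r\nJones"},           // rejected: control characters
            {"Telephone Number", "+44 20 7946 0958"},  // accepted
            {"Certificate", "abc"}                     // rejected: no rule for this field
        };
        for (int i = 0; i < samples.length; i++) {
            HashMap<String, Object> user = new HashMap<String, Object>();
            user.put(samples[i][0], samples[i][1]);
            boolean ok = validator.validate(user, null, samples[i][0]);
            System.out.println(samples[i][0] + " -> " + ok);
        }
    }
}
```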

4.7 Configuring Transformation of Data During User Reconciliation

You can configure transformation of reconciled single-valued user data according to your requirements. For example, you can use First Name and Last Name values to create a value for the Full Name field in Oracle Identity Manager.

Note:

This feature cannot be applied to the Locked/Unlocked status attribute of the target system.

To configure transformation of single-valued user data fetched during reconciliation:

  1. Write code that implements the required transformation logic in a Java class.

    This transformation class must implement the transform method.

    The following sample transformation class creates a value for the Full Name attribute by using values fetched from the First Name and Last Name attributes of the target system:

    package com.transformationexample;

    import java.util.HashMap;

    // Assumption: ConnectorException is the Identity Connector Framework class.
    // The original sample does not show this import.
    import org.identityconnectors.framework.common.exceptions.ConnectorException;

    public class MyTransformer {
        public Object transform(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) throws ConnectorException {
            /*
             * You must write code to transform the attributes.
             * Parent data attribute values can be fetched by
             * using hmUserDetails.get("Field Name").
             * To fetch child data values, loop through the
             * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table").
             * Return the transformed attribute.
             */
            String sFirstName = (String) hmUserDetails.get("First Name");
            String sLastName = (String) hmUserDetails.get("Last Name");
            return sFirstName + "." + sLastName;

        }
    }
    
  2. Log in to the Design Console.
  3. Search for and open the Lookup.SAPUME.UM.ReconTransformation (or create another custom name) lookup definition.

    Note:

    If you cannot find the Lookup.SAPUME.UM.ReconTransformation lookup definition, create a new lookup definition.

  4. In the Code Key column, enter the resource object field name you want to transform.
  5. In the Decode column, enter the class name. For example, com.transformationexample.MyTransformer.
  6. Save the changes to the lookup definition.
  7. Search for and open the Lookup.SAPUME.Configuration lookup definition.
  8. In the Code Key column, enter Recon Transformation Lookup.
  9. In the Decode column, enter Lookup.SAPUME.UM.ReconTransformation or enter the name of the lookup you created in step 3.
  10. Save the changes to the lookup definition.

4.8 Modifying Field Lengths on the Process Form

You might want to modify the lengths of fields (attributes) on the process form. For example, if you use the Japanese locale, then you might want to increase the lengths of process form fields to accommodate multibyte data from the target system.

If you want to modify the length of a field on the process form, then:

  1. Log in to the Design Console.
  2. Expand Development Tools, and double-click Form Designer.
  3. Search for and open the UD_UME process form.

    Note:

    If you are using SAP BusinessObjects AC system, then search for and open the UD_SAPACUME process form.

  4. Click Create New Version.
  5. Enter a label for the new version, click the Save icon, and then close the dialog box.
  6. From the Current Version list, select the version that you created.
  7. Modify the length of the required field.
  8. Click the Save icon.
  9. Click Make Version Active.

4.9 Configuring the Connector for Multiple Installations of the Target System

You might want to configure the connector for multiple installations of the target system.

The following example illustrates this requirement:

The London and New York offices of Example Multinational Inc. have their own installations of the target system. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of the target system.

To meet the requirement posed by such a scenario, you can create copies of connector objects, such as the IT resource and resource object.

The decision to create a copy of a connector object might be based on a requirement. For example, an IT resource can hold connection information for one target system installation. Therefore, it is mandatory to create a copy of the IT resource for each target system installation.

With some other connector objects, you do not need to create copies at all. For example, a single attribute-mapping lookup definition can be used for all installations of the target system.

If you want to create copies of all the objects that constitute the connector, then see Cloning Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.

4.10 Defining the Connector

By using the Identity System Administration, you can define a customized or reconfigured connector. Defining a connector is equivalent to registering the connector with Oracle Identity Manager.

A connector is automatically defined when you install it using the Install Connectors feature or when you upgrade it using the Upgrade Connectors feature. You must manually define a connector if:

  • You import the connector by using the Deployment Manager.

  • You customize or reconfigure the connector.

  • You upgrade Oracle Identity Manager.

The following events take place when you define a connector:

  • A record representing the connector is created in the Oracle Identity Manager database. If this record already exists, then it is updated.

  • The status of the newly defined connector is set to Active. In addition, the status of a previously installed release of the same connector is automatically set to Inactive.

See Defining Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about the procedure to define connectors.