3 Using the Connector

You can use the BMC Remedy User Management connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

3.1 Performing First-Time Reconciliation

First-time reconciliation involves synchronizing lookup definitions in Oracle Identity Manager with the lookup fields of the target system, and performing full reconciliation. In full reconciliation, all existing user records from the target system are brought into Oracle Identity Manager.

The following is the sequence of steps involved in reconciling all existing user records:

  1. Perform lookup field synchronization by running the scheduled tasks provided for this operation.

    See Scheduled Job for Lookup Field Synchronization for information about the attributes of the scheduled tasks for lookup field synchronization.

    See Configuring Scheduled Jobs for information about running scheduled tasks.

  2. Perform user reconciliation by running the scheduled task for user reconciliation.

    See Reconciliation Scheduled Jobs for information about the attributes of this scheduled task.

    See Configuring Scheduled Jobs for information about running scheduled tasks.

After first-time reconciliation, depending on the mode in which you configure the connector, the Latest Token attribute is automatically set to the time stamp at which the reconciliation run completed.

See Also:

Configuring Scheduled Jobs for information about attributes of the scheduled job

From the next reconciliation run onward, only target system user records that are added or modified after the time stamp stored in the Latest Token attribute are considered for incremental reconciliation. These records are brought to Oracle Identity Manager when you configure and run the user reconciliation scheduled job.

3.2 Scheduled Job for Lookup Field Synchronization

The following scheduled jobs are used for lookup field synchronization:

  • BMC Company Lookup Reconciliation

  • BMC Department Lookup Reconciliation

  • BMC Organization Lookup Reconciliation

  • BMC Primary Center Code Lookup Reconciliation

  • BMC Region Lookup Reconciliation

  • BMC Site Group Lookup Reconciliation

  • BMC Site ID Lookup Reconciliation

  • BMC Site Lookup Reconciliation

  • BMC Support Group ID Lookup Reconciliation

You must specify values for the attributes of these scheduled jobs. Table 3-1 describes the attributes of these scheduled jobs. Configuring Scheduled Jobs describes the procedure to configure scheduled jobs.

Table 3-1 Attributes of the Scheduled Jobs for Lookup Field Synchronization

Attribute Description

Code Key Attribute

Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __UID__

Note: Do not change the value of this attribute.

Decode Attribute

Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __NAME__

Note: Do not change the value of this attribute.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: BMCRemedy Server

Lookup Name

Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system.

Depending on the scheduled job that you are using, the default values are as follows:

  • For BMC Company Lookup Reconciliation: Lookup.BMC.Company

  • For BMC Department Lookup Reconciliation: Lookup.BMC.Department

  • For BMC Organization Lookup Reconciliation: Lookup.BMC.Organization

  • For BMC Primary Center Code Lookup Reconciliation: Lookup.BMC.PrimaryCenterCode

  • For BMC Region Lookup Reconciliation: Lookup.BMC.Region

  • For BMC Site Group Lookup Reconciliation: Lookup.BMC.SiteGroup

  • For BMC Site ID Lookup Reconciliation: Lookup.BMC.SiteID

  • For BMC Site Lookup Reconciliation: Lookup.BMC.Site

  • For BMC Support Group ID Lookup Reconciliation: Lookup.BMC.SupportGroupID

Object Type

Enter the type of object you want to reconcile.

Depending on the scheduled job that you are running, the default value is one of the following:

  • For BMC Company Lookup Reconciliation: COMPANY

  • For BMC Department Lookup Reconciliation: DEPARTMENT

  • For BMC Organization Lookup Reconciliation: ORGANIZATION

  • For BMC Primary Center Code Lookup Reconciliation: PRIMARY_CENTER_CODE

  • For BMC Region Lookup Reconciliation: REGION

  • For BMC Site Group Lookup Reconciliation: SITE_GROUP

  • For BMC Site ID Lookup Reconciliation: SITE_ID

  • For BMC Site Lookup Reconciliation: SITE

  • For BMC Support Group ID Lookup Reconciliation: SUPPORT_GROUP_ID

Resource Object Name

Name of the resource object that is used for reconciliation.

Default value: BMCRO

3.3 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

3.3.1 Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.

To perform a full reconciliation run:

  • Ensure that no values are specified for the Latest Token and Filter attributes of the scheduled jobs for reconciling user records.

  • Set the value of the Batch Start and Number of Batches attributes of the scheduled jobs for reconciling user records to 0.

Note that the batch size can be set to any number of records to be fetched in a single batch. If the Batch Size attribute is set to the default value 0, then the value of the defaultBatchSize entry in the main configuration lookup definition (Lookup.BMC.Configuration or Lookup.BMC.Configuration.Trusted) is considered for batching.

At the end of the reconciliation run, the Latest Token attribute of the scheduled job for user record reconciliation is automatically set to the time stamp at which the run ended. From the next reconciliation run onward, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.

3.3.2 Performing Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the BMC Remedy User Management resource attributes to filter the target system records.

For detailed information about ICF Filters, see ICF Filter Syntax of Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

Note:

The __UID__ attribute name can only be used with the equalTo filter.

The following is an example of a filter for an advanced search in which you want to reconcile only those accounts whose last name is "Admin":

equalTo('1000000018','Admin')

In the preceding example, 1000000018 is the database ID of the LastName attribute in the target system.

While deploying the connector, follow the instructions in Configuring Scheduled Jobs to specify attribute values.

3.3.3 Performing Batched Reconciliation

This section discusses the Batch Size, Batch Start, and Number of Batches attributes of the scheduled jobs for target resource reconciliation (BMC User Target Reconciliation) and trusted source reconciliation (BMC User Trusted Reconciliation).

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, specify values for the following attributes while performing the procedure described in Scheduled Jobs for Reconciliation of User Records:

  • Batch Size: Use this attribute to specify the number of records that must be included in each batch.

    If you set the value of this attribute to 0, then the defaultbatchsize entry of the main configuration lookup (Lookup.BMC.Configuration or Lookup.BMC.Configuration.Trusted) is considered as the batch size for batched reconciliation. Any numeric value other than 0 takes precedence over the defaultbatchsize entry.

  • Batch Start: Use this attribute to specify the record number from which batched reconciliation must begin.

    Set the value of this attribute to 0 to begin reconciliation from the first record in the target system. Similarly, set the value of this attribute to 1 to begin reconciliation from the second record in the target system and so on.

  • Number of Batches: Use this attribute to specify the total number of batches that must be reconciled. The default value of this attribute is 0. This implies that the connector fetches records in the maximum possible number of batches from the target system. In other words, all records starting from the record specified in the Batch Start attribute to the last record available in the target system are fetched. Any other valid number limits the number of batches to that specified value.
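
The way the three attributes combine can be modelled to see which records a run covers and which it leaves out. The following Python model is an added example, not connector code; plan_batches, BatchPlan and the default_batch_size argument (standing in for the defaultbatchsize lookup entry) are hypothetical names, and the record count is assumed to be known.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BatchPlan:
    batches: tuple       # (first, last) zero-based record positions, inclusive
    skipped_before: int  # records ahead of Batch Start, not fetched in this run
    skipped_after: int   # records past the last batch, not fetched in this run


def plan_batches(total_records, batch_size, batch_start, number_of_batches,
                 default_batch_size):
    """Model which target-system records one reconciliation run covers.

    default_batch_size stands in for the defaultbatchsize entry of the main
    configuration lookup; total_records is an assumed, known record count.
    """
    for name, value in (("total_records", total_records), ("Batch Size", batch_size),
                        ("Batch Start", batch_start),
                        ("Number of Batches", number_of_batches)):
        if value < 0:
            raise ValueError(f"{name} must not be negative")
    size = batch_size or default_batch_size   # Batch Size 0 falls back to the lookup entry
    if size <= 0:
        raise ValueError("effective batch size must be positive")
    batches, first = [], batch_start          # Batch Start 0 means the first record
    # Number of Batches 0 means: keep going until the last record is fetched.
    while first < total_records and (number_of_batches == 0
                                     or len(batches) < number_of_batches):
        last = min(first + size, total_records) - 1
        batches.append((first, last))
        first = last + 1
    fetched_to = batches[-1][1] + 1 if batches else min(batch_start, total_records)
    return BatchPlan(tuple(batches), min(batch_start, total_records),
                     total_records - fetched_to)


if __name__ == "__main__":
    # Constructed scenario: 1,050 target system records, defaultbatchsize of 500.
    full = plan_batches(1050, 0, 0, 0, default_batch_size=500)
    capped = plan_batches(1050, 100, 1, 5, default_batch_size=500)
    for label, plan in (("full run", full), ("capped run", capped)):
        print(label, plan.batches, "not fetched:",
              plan.skipped_before + plan.skipped_after)
```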

3.3.4 Reconciliation Scheduled Jobs

When you run the Connector Installer, the scheduled tasks corresponding to the following scheduled jobs are automatically created in Oracle Identity Manager:

3.3.4.1 Scheduled Jobs for Reconciliation of User Records

Depending on whether you want to implement trusted source or target resource reconciliation, you must specify values for the attributes of one of the following user reconciliation scheduled jobs:

  • BMC User Target Reconciliation

    This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector.

  • BMC User Trusted Reconciliation

    This scheduled job is used to reconcile user data in the trusted source (identity management) mode of the connector.

Table 3-2 describes the attributes of both scheduled jobs.

Table 3-2 Attributes of the Scheduled Jobs for Reconciliation of User Records

Attribute Description

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

Default value: 0

This attribute is used in conjunction with the Batch Start and Number of Batches attributes. All these attributes are discussed in Performing Batched Reconciliation.

Batch Start

Enter the number of the target system record from which a batched reconciliation run must begin.

Default value: 0

This attribute is used in conjunction with the Batch Size and Number of Batches attributes. All these attributes are discussed in Performing Batched Reconciliation.

Filter

Expression for filtering records. Use the following syntax:

syntax = expression ( operator expression )*
operator = 'and' | 'or'
expression = ( 'not' )? filter
filter = ( 'equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith'
         | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' )
         '(' 'attributeName' ',' attributeValue ')'
attributeValue = singleValue | multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' ( ',' 'value_n' )* ']'

Default value: None

Incremental Recon Attribute

Database ID of the target system attribute that holds the date on which the user record was modified.

Default value: 6

Note: Do not change the value of this attribute.

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile data.

If you are running the BMC User Trusted Reconciliation scheduled job, then enter the name of the IT resource instance that you create for trusted source reconciliation in Configuring the IT Resource for the Target System.

Sample value: BMCRemedy Server

Latest Token

This attribute holds the value of the target system attribute (6) that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty.

Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.

Sample value: 1354753427000

Number of Batches

Enter the number of batches that must be reconciled.

Default value: 0

Sample value: 20

This attribute is used in conjunction with the Batch Start and Batch Size attributes. All these attributes are discussed in Performing Batched Reconciliation.

Object Type

This attribute holds the type of object you want to reconcile.

Default value: User

Resource Object Name

Enter the name of the resource object against which reconciliation runs must be performed.

The default value of this attribute in the BMC User Target Reconciliation scheduled job is BMCRO.

The default value of this attribute in the BMC User Trusted Reconciliation scheduled job is BMCRO Trusted.

Scheduled Task Name

Name of the scheduled task used for reconciliation.

The default value of this attribute in the BMC User Target Reconciliation scheduled job is BMC User Target Reconciliation.

The default value of this attribute in the BMC User Trusted Reconciliation scheduled job is BMC User Trusted Reconciliation.
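
A Filter value can be checked against the syntax listed for the Filter attribute in Table 3-2, and against the __UID__ rule from Performing Limited Reconciliation, before it is entered in the scheduled job. The following Python validator is an added example, not part of the connector or of Oracle's tooling; it follows the grammar as printed on this page, assumes values contain no embedded single quotes, and parse_filter and FilterError are hypothetical names.

```python
import re

# Filter names exactly as printed in the Filter attribute syntax (Table 3-2).
FILTERS = {"equalTo", "contains", "containsAllValues", "startsWith", "endsWith",
           "greaterThan", "greaterThanOrEqualTo", "lessThan", "lessThanOrEqualTo"}
# Assumption: quoted values contain no embedded single quote (no escape is defined).
TOKEN = re.compile(r"'([^']*)'|([A-Za-z]+)|([()\[\],])")

class FilterError(ValueError):
    """Raised when a Filter value does not follow the documented syntax."""

def tokenize(text):
    pos, tokens = 0, []
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN.match(text, pos)
        if not m:
            raise FilterError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        kind = "str" if m.group(1) is not None else "word" if m.group(2) else "punct"
        tokens.append((kind, m.group(m.lastindex)))
        pos = m.end()
    return tokens

def parse_filter(text):
    """Return (clauses, operators) for a Filter value, or raise FilterError."""
    toks, i = tokenize(text), 0
    def take(kind, value=None):
        nonlocal i
        got = toks[i] if i < len(toks) else ("end", None)
        if got[0] != kind or (value is not None and got[1] != value):
            raise FilterError(f"expected {value or kind} at token {i}, got {got[1]!r}")
        i += 1
        return got[1]

    def at(kind, value):
        return i < len(toks) and toks[i] == (kind, value)

    def attribute_value():
        if not at("punct", "["):
            return take("str")              # singleValue
        take("punct", "[")                  # multipleValues
        values = [take("str")]
        while at("punct", ","):
            take("punct", ",")
            values.append(take("str"))
        take("punct", "]")
        return values

    def expression():
        negated = at("word", "not")
        if negated:
            take("word", "not")
        name = take("word")
        if name not in FILTERS:
            raise FilterError(f"unknown filter {name!r}")
        take("punct", "(")
        attr = take("str")
        take("punct", ",")
        value = attribute_value()
        take("punct", ")")
        # Note in Performing Limited Reconciliation: __UID__ works only with equalTo.
        if attr == "__UID__" and name != "equalTo":
            raise FilterError(f"__UID__ cannot be used with {name}")
        return {"not": negated, "filter": name, "attribute": attr, "value": value}

    clauses, operators = [expression()], []
    while i < len(toks):
        op = take("word")
        if op not in ("and", "or"):
            raise FilterError(f"expected 'and' or 'or', got {op!r}")
        operators.append(op)
        clauses.append(expression())
    return clauses, operators

if __name__ == "__main__":
    # Constructed samples; 1000000018 is the LastName database ID given on this page.
    for sample in ("equalTo('1000000018','Admin')", "contains('__UID__','jdoe')"):
        try:
            print("OK", parse_filter(sample))
        except FilterError as err:
            print("REJECTED", sample, "->", err)
```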

3.3.4.2 Scheduled Job for Reconciliation of Deleted Users Records

Depending on whether you want to implement trusted source or target resource delete reconciliation, you must specify values for the attributes of one of the following scheduled jobs:

  • BMC User Target Delete Reconciliation

    This scheduled job is used to reconcile data about deleted users in the target resource (account management) mode of the connector. During a reconciliation run, for each deleted user account on the target system, the BMC resource is revoked for the corresponding OIM User.

  • BMC User Trusted Delete Reconciliation

    This scheduled job is used to reconcile data about deleted users in the trusted source (identity management) mode of the connector. During a reconciliation run, for each deleted target system user account, the corresponding OIM User is deleted.

Table 3-3 describes attributes of both scheduled jobs.

Table 3-3 Attributes of the Scheduled Job for Delete User Reconciliation

Attributes Description

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile user data.

The default value of this attribute in the BMC User Target Delete Reconciliation scheduled job is BMCRemedy Server.

The default value of this attribute in the BMC User Trusted Delete Reconciliation scheduled job is the name of the IT resource instance that you create for trusted source reconciliation in Configuring the IT Resource for the Target System.

Object Type

This attribute holds the type of object you want to reconcile.

Default value: User

Resource Object Name

Enter the name of the resource object against which reconciliation runs must be performed.

The default value of this attribute in the BMC User Target Delete Reconciliation scheduled job is BMCRO.

The default value of this attribute in the BMC User Trusted Delete Reconciliation scheduled job is BMCRO Trusted.

3.4 Configuring Scheduled Jobs

Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.

You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.

See Scheduled Jobs for Lookup Field Synchronization and Reconciliation for the list of scheduled jobs that you can configure.

To configure a scheduled job:

  1. If you are using Oracle Identity Manager release 11.1.1.x, then:

    1. Log in to the Administrative and User Console.

    2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

  2. If you are using Oracle Identity Manager release 11.1.2.x or later, then:

    1. Log in to Oracle Identity System Administration.

    2. In the left pane, under System Management, click Scheduler.

  3. Search for and open the scheduled job as follows:

    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. On the Job Details tab, you can modify the following parameters:

    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    See Also:

    Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

3.5 Performing Provisioning Operations in Oracle Identity Manager Release 11.1.1.x

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector.

If you have configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Switching Between Request-Based Provisioning and Direct Provisioning.

The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

See Also:

Manually Completing a Task in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for information about the types of provisioning

Note:

A provisioning operation that you perform for the first time by using this connector takes longer than usual to complete.

3.5.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    1. On the Welcome to Identity Administration page, in the Users region, click Create User.

    2. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

    2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. On the user details page, click the Resources tab.

  5. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  6. On the Step 1: Select a Resource page, select BMCRO from the list and then click Continue.

  7. On the Step 2: Verify Resource Selection page, click Continue.

  8. On the Step 5: Provide Process Data for BMC User Details page, enter the details of the account that you want to create on the target system and then click Continue.

  9. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

  10. Close the window displaying the "Provisioning has been initiated" message.

  11. On the Resources tab, click Refresh to view the newly provisioned resource.

3.5.2 Request-Based Provisioning

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in this section are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.5.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Advanced in the upper-right corner of the page.
  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.
  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.
  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.
  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
  10. From the Available Resources list, select BMCRO, move it to the Selected Resources list, and then click Next.
  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
  12. On the Justification page, you can specify values for the following fields, and then click Finish.
    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.
  14. To view details of the approval, on the Request Details page, click the Request History tab.

3.5.2.2 Approver's Role in Request-Based Provisioning

The following are steps performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Self-Service in the upper-right corner of the page.
  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.
  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.
  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.5.3 Switching Between Request-Based Provisioning and Direct Provisioning

Note:

It is assumed that you have performed the procedure described in Configuring Oracle Identity Manager for Request-Based Provisioning.

If you have configured the connector for request-based provisioning, you can switch to direct provisioning at any time. Similarly, you can switch back to request-based provisioning at any time.

3.5.3.1 Switching From Request-Based Provisioning to Direct Provisioning

If you want to switch from request-based provisioning to direct provisioning, then:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the BMCPROCESS process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the BMCRO resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

3.5.3.2 Switching From Direct Provisioning to Request-Based Provisioning

If you want to switch from direct provisioning back to request-based provisioning, then:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the BMCPROCESS process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the BMCRO resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

3.6 Performing Provisioning Operations in Oracle Identity Manager Release 11.1.2 or Later

To perform provisioning operations in Oracle Identity Manager release 11.1.2 or later:

  1. Log in to Oracle Identity Administrative and User console.

  2. Create a user. See Creating Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance created for the BMC IT resource (in Creating an Application Instance), and then click Checkout.

  5. Specify values for the fields in the application form.

    Note:

    Ensure that you select the correct values for lookup type fields, because there are a few dependent fields. Selecting a wrong value for such fields may result in provisioning failure.

  6. Click Ready to Submit.

  7. Click Submit.

  8. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.

3.7 Uninstalling the Connector

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.