3 Using the Fusion Apps Connector

You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Scheduled Job for Lookup Field Synchronization for Fusion Apps Connector

Scheduled jobs for lookup field synchronization fetch the most recent values from specific fields in the target system to lookup definitions in Oracle Identity Manager. These lookup definitions are used as an input source for lookup fields in Oracle Identity Manager.

The FA Identity Service Application Roles Lookup Reconciliation scheduled job is used for lookup fields synchronization. The values that are fetched by this scheduled job are populated in the Lookup.FAIdentityService.ApplicationRoles lookup definition.

Table 3-1 describes attributes of the FA Identity Service Application Roles Lookup Reconciliation scheduled job. The procedure to configure scheduled jobs is described later in this guide.

Table 3-1 Attributes of the FA Identity Service Application Roles Lookup Reconciliation Scheduled Job

Attribute Description

Code Key Attribute

Name of the connector attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __UID__

Decode Attribute

Name of the connector attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __NAME__

IT Resource Name

Name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: FA Identity Service

Lookup Name

Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system.

Default value: Lookup.FAIdentityService.ApplicationRoles

Object Type

This attribute is used to perform reconciliation of the specified object type. Select the object type that applies to the scheduled job.

Default value: ApplicationRole

3.2 Configuring Reconciliation for Fusion Apps Connector

You can configure the connector to specify the type of reconciliation and its schedule.

3.2.1 Full Reconciliation for Fusion Apps Connector

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.

After you deploy the connector, you must first perform full reconciliation. Because the initial bootstrap loading of all existing Fusion Apps users might be a time- and resource-intensive process, we recommend exporting all the users from the Fusion Apps system into a flat file in the .csv format, and then using the Flat File connector to load these users into Oracle Identity Manager offline. To do so, perform the procedures described below:

3.2.1.1 Export Users from the Fusion Apps Target System

To export users from the Fusion Apps target system:
  1. Log in to Oracle BI Publisher.
  2. Click on Catalog and navigate to the following path:

    /Shared Folders/Human Capital Management/Workforce Management/Human Resources Dashboard/Data Models/User Information

  3. From the left pane, select FusionUserInformation and click the Edit icon.
  4. Take a backup of the original query.
  5. Use the following 2 queries consecutively to export Person & Party Users and Standalone Users respectively:
    • For Person and Party Users:

      • HCM

        SELECT
          u.user_guid as id,
          u.username as username,
          n.last_name as first_name,
          n.first_name as last_name,
          e.email_address as email
        FROM
          fusion.per_person_names_f n,
          fusion.per_email_addresses e,
          fusion.per_all_people_f f,
          fusion.per_users u
        WHERE TRUNC(sysdate) BETWEEN n.effective_start_date AND n.effective_end_date
          AND n.name_type = 'GLOBAL'
          AND TRUNC(sysdate) BETWEEN f.effective_start_date AND f.effective_end_date
          AND f.person_id = n.person_id
          AND e.person_id(+) = f.person_id
          AND e.email_type(+) = 'W1'
          AND e.email_address_id(+) = f.primary_email_id
          AND u.person_id = f.person_id
          AND u.active_flag = 'Y'

      • TCA

        UNION
        SELECT
          u.user_guid as id,
          u.username as username,
          p.PERSON_LAST_NAME as first_name,
          p.PERSON_FIRST_NAME as last_name,
          c.email_address as email
        FROM
          fusion.hz_person_profiles p,
          fusion.hz_contact_points c,
          fusion.per_users u
        WHERE
          u.party_id = p.party_id
          AND p.party_id = c.OWNER_TABLE_ID(+)
          AND TRUNC(sysdate) between p.EFFECTIVE_START_DATE and p.EFFECTIVE_END_DATE
          AND p.status = 'A'
          AND c.OWNER_TABLE_NAME(+) = 'HZ_PARTIES'
          AND TRUNC(sysdate) between c.START_DATE(+) AND c.END_DATE(+)
          AND c.OVERALL_PRIMARY_FLAG(+) = 'Y'
          AND c.CONTACT_POINT_TYPE(+) = 'EMAIL'
          AND c.status(+) = 'A'
          AND u.active_flag = 'Y'
        ORDER BY "USERNAME"

    • For Standalone Users:

      StandAlone

      SELECT
        u.user_guid as id,
        username as username
      from
        per_users u
      where
        person_id is null
        and party_id is null
        AND u.active_flag = 'Y'
      ORDER BY "USERNAME"

  6. Click Save and run the report.
  7. Export each of these to 2 different csv Flat Files. To do so, click Settings, Export and select Use flat file connector to load the exported users to csv.

3.2.1.2 Use Flat File Connector to Load Exported Users

To use the Flat File connector to load exported users, perform the procedures mentioned below:

3.2.1.2.1 Modifying Exported CSV Files

You must modify the exported CSV files as required by the Flat File connector. The Flat File connector expects the CSV file headers to have the same column names as the target field names, that is, the names as they appear in the Fusion Apps ATOM feed. Because the flat files exported in the previous step have different column names, you must change the header of both files by replacing the existing names with the correct names listed in Table 3-2.

Table 3-2 Header Names

| Existing Name in Exported File | Correct Name/Target Name |
|---|---|
| id | user.id |
| username | user.userName |
| first_name | user.name.givenName |
| last_name | user.name.familyName |
| email | user.emails.value |

For example, if the header name is username,id,first_name,last_name,email, it should be changed to user.userName,user.id,user.name.givenName,user.name.familyName,user.emails.value.
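
The header change can be scripted so that a malformed export is rejected before the loader job reads it. The following Python code is an added example, not part of the connector or of the original guide; it applies the Table 3-2 mapping to one exported file. The case-insensitive header match, the required-column check, the handling of a byte-order mark and blank lines, and the sample rows are assumptions made for this example.

```python
import csv
import io

# Table 3-2: column name in the exported file -> target field name.
HEADER_MAP = {
    "id": "user.id",
    "username": "user.userName",
    "first_name": "user.name.givenName",
    "last_name": "user.name.familyName",
    "email": "user.emails.value",
}
REQUIRED = {"id", "username"}  # assumption: both export queries select these two


def rewrite_header(csv_text):
    """Return csv_text with its header row renamed per Table 3-2.

    Raises ValueError for an unknown, duplicate or missing column and for a
    data row whose field count differs from the header.
    """
    # Assumption: drop a UTF-8 byte-order mark and blank lines if present.
    rows = [r for r in csv.reader(io.StringIO(csv_text.lstrip("\ufeff"))) if r]
    if not rows:
        raise ValueError("file is empty")
    # Assumption: match names case-insensitively (the export may upper-case them).
    header = [name.strip().lower() for name in rows[0]]
    unknown = [name for name in header if name not in HEADER_MAP]
    if unknown:
        raise ValueError("columns not in Table 3-2: %s" % ", ".join(unknown))
    if len(set(header)) != len(header):
        raise ValueError("duplicate column in header")
    missing = REQUIRED - set(header)
    if missing:
        raise ValueError("missing columns: %s" % ", ".join(sorted(missing)))
    for number, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            raise ValueError("record %d has %d fields, expected %d"
                             % (number, len(row), len(header)))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([HEADER_MAP[name] for name in header])
    writer.writerows(rows[1:])
    return out.getvalue()


# Constructed sample exports (not real data).
PERSON_CSV = "username,id,first_name,last_name,email\njdoe,0A1B2C,John,Doe,jdoe@example.com\n"
STANDALONE_CSV = "ID,USERNAME\n9F8E7D,svc_batch\n"

if __name__ == "__main__":
    print(rewrite_header(PERSON_CSV), end="")
    print(rewrite_header(STANDALONE_CSV), end="")
```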

3.2.1.2.2 Configuring and Using the Flat File Connector

To configure and use the Flat File connector:

Note:

You must perform the following configurations at the minimum to use the connector.
  1. Modify the Flat File Users IT Resource to point to the correct trusted main configuration lookup (Lookup.FlatFile.Configuration.Trusted) and schema file location. See Creating a Schema File in Oracle Identity Manager Connector Guide for Flat File.
  2. Modify the Flat File User configuration lookup Lookup.FlatFile.UM.Configuration.Trusted to point to the reconciliation attribute map of UserRequestService, which is Lookup.FAUserRequestService.UM.ReconAttrMap.Trusted, and to the reconciliation attribute defaults, which is Lookup.FAUserRequestService.UM.ReconAttrMap.TrustedDefaults. Additionally, edit the reconciliation attribute defaults lookup to add a default value for Surname, because the flat file for Standalone Users does not contain a surname field.
  3. Run the Flat File Users Loader scheduled job. To run the Flat File Users Loader scheduled job, perform the procedure mentioned below:

    Note:

    The Flat File Users Loader scheduled job is used for reconciling Users from a Flat File to create corresponding users in Oracle Identity Manager.
    1. Open the Job Details page of the Flat File Users Loader scheduled job.

    2. Update values for the following fields present in the Parameters region:

      • Flat File directory - Location of the csv files exported in Export Users from the Fusion Apps Target System.

        For example: /scratch/fa/flatfile/data

      • Target IT Resource Name: FA User Request Service

      • Target Resource Object Name: FA User Trusted

    3. Click Apply and run the scheduled job to load all the users into Oracle Identity Manager.

3.2.1.2.3 Updating the SyncToken for Incremental Recon

After all the users are created in Oracle Identity Manager and their FA Identity Service accounts are successfully provisioned, query the ATOM endpoint of the Fusion Apps target system using any REST client. Look at the first ATOM pub entry and fetch the updated datetime value.

For example, <updated>2016-05-10T08:36:30.000Z</updated> for the first record means that the record was updated last at 2016-05-10T08:36:30.000Z. This also means that this is the time when the latest update was done on the Fusion Apps target system.

Copy this value to the Sync Token parameter of the FA User Request Service Trusted User Reconciliation scheduled job, prefixing it with <String> and suffixing it with </String>.

For example, <updated>2016-05-10T08:36:30.000Z</updated> should be changed to <String>2016-05-10T08:36:30.000Z</String> while copying to the Sync Token parameter.

This will ensure that when you run the FA User Request Service Trusted User Reconciliation scheduled job, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.
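
To avoid copy errors, the Sync Token value can be derived from a saved ATOM response. The following Python code is an added example, not part of the connector or of the original guide; it reads the updated value of the first entry, checks its format and confirms that no later entry is newer. The standard Atom namespace, the fixed timestamp format and the sample feed are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the feed uses the standard Atom namespace.
ATOM = "{http://www.w3.org/2005/Atom}"
# Timestamp shape shown in this guide, for example 2016-05-10T08:36:30.000Z.
STAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z")


def sync_token(feed_xml):
    """Return the Sync Token parameter value for a saved ATOM feed response."""
    root = ET.fromstring(feed_xml)
    stamps = [(entry.findtext(ATOM + "updated") or "").strip()
              for entry in root.iter(ATOM + "entry")]
    if not stamps:
        raise ValueError("feed contains no entries")
    for stamp in stamps:
        if not STAMP.fullmatch(stamp):
            raise ValueError("unexpected updated value: %r" % stamp)
    # Fixed-width UTC timestamps sort chronologically as plain strings.
    if stamps[0] != max(stamps):
        raise ValueError("first entry is not the most recent update")
    return "<String>%s</String>" % stamps[0]


# Constructed sample response (not real data).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>constructed sample</title>
  <entry><id>1</id><updated>2016-05-10T08:36:30.000Z</updated></entry>
  <entry><id>2</id><updated>2016-05-09T17:02:11.000Z</updated></entry>
</feed>"""

if __name__ == "__main__":
    print(sync_token(SAMPLE_FEED))
```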

3.2.2 Limited Reconciliation for Fusion Apps Connector

Limited or filtered reconciliation is the process of limiting the number of records being reconciled based on a set of filter criteria.

By default, all target system records are reconciled during the current reconciliation run. You can customize this process by specifying the subset of target system records that must be reconciled. You do this by creating filters for the reconciliation module.

This connector provides a Filter attribute (a scheduled task attribute) that supports ICF filters, allowing you to use any of the Fusion Apps resource attributes to filter the target system records.

See ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

Note:

The __UID__ attribute name can only be used with the equalTo filter.

FA User Request service does not support limited reconciliation as the searchOp feature is not supported. However, this operation is performed by FA Identity service using filters.
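
A filter expression can be checked before it is saved in the scheduled job. The following Python code is an added example, not the ICF parser and not part of the connector; it follows only the grammar printed for the Filter attribute in Table 3-4 and the __UID__ restriction in the note above. The attribute names and values in the usage lines are constructed for this example.

```python
import re

# Filter names from the grammar in Table 3-4.
FILTERS = {"equalTo", "contains", "containsAllValues", "startsWith", "endsWith",
           "greaterThan", "greaterThanOrEqualTo", "lessThan", "lessThanOrEqualTo"}
TOKEN = re.compile(r"\s*(?:(?P<word>[A-Za-z]+)|'(?P<str>[^']*)'|(?P<punct>[()\[\],]))")


def tokenize(text):
    """Split a filter into (kind, value) tokens: word, quoted string or punctuation."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if match is None:
            raise ValueError("unexpected text at offset %d: %r" % (pos, text[pos:pos + 10]))
        tokens.append((match.lastgroup, match.group(match.lastgroup)))
        pos = match.end()
    return tokens


def parse_filter(text):
    """Validate a filter; return one (negated, filter, attribute, values) per clause."""
    tokens, pos, clauses = tokenize(text), 0, []

    def peek(kind, value):
        return pos < len(tokens) and tokens[pos] == (kind, value)

    def take(kind, value=None):
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("filter ends too early")
        found_kind, found = tokens[pos]
        if found_kind != kind or value not in (None, found):
            raise ValueError("expected %s, found %r" % (value or kind, found))
        pos += 1
        return found

    while True:
        negated = peek("word", "not")
        if negated:
            take("word")
        name = take("word")
        if name not in FILTERS:
            raise ValueError("unknown filter %r" % name)
        take("punct", "(")
        attribute = take("str")
        take("punct", ",")
        if peek("punct", "["):           # multipleValues
            take("punct")
            values = [take("str")]
            while peek("punct", ","):
                take("punct")
                values.append(take("str"))
            take("punct", "]")
        else:                            # singleValue
            values = [take("str")]
        take("punct", ")")
        if attribute == "__UID__" and name != "equalTo":
            raise ValueError("__UID__ can only be used with the equalTo filter")
        clauses.append((negated, name, attribute, values))
        if pos == len(tokens):
            return clauses
        if take("word") not in ("and", "or"):
            raise ValueError("clauses must be joined with 'and' or 'or'")
```

For example, parse_filter("equalTo('__UID__','A1B2')") returns one clause, while startsWith('__UID__','A') is rejected.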

3.2.3 Batched Reconciliation for Fusion Apps Connector

FA User Request service and FA Identity service support batching. By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run.

Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid such problems.

FA Identity service exposes only the Batch Size attribute to the users in the scheduled job. To configure batched reconciliation, specify values for the Batch Size attribute while performing the procedure described in the Scheduled Jobs for Reconciliation of User Records.

Batch Size is an attribute used to specify the number of records that must be included in each batch. If you set the value of this attribute to 0, then the defaultbatchsize entry of the main configuration lookup is considered as the batch size for batched reconciliation. Any numeric value other than 0 takes precedence over the defaultbatchsize entry.

3.2.4 Reconciliation Scheduled Jobs for Fusion Apps Connector

When you run the Connector Installer, reconciliation scheduled jobs are automatically created in Oracle Identity Manager. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.

This section discusses the following scheduled jobs that you can configure for reconciliation:

3.2.4.1 Scheduled Jobs for Reconciliation of User Records

Depending on whether you want to implement trusted source or target resource reconciliation, you must specify values for the attributes of one of the following user reconciliation scheduled jobs:

  • Fusion Apps User Target Reconciliation (FA Identity Service User Reconciliation)

    This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector.

  • Fusion Apps User Trusted Reconciliation (FA User Request Service Trusted User Reconciliation)

    This scheduled job is used to reconcile user data in the trusted source (identity management) mode of the connector.

Table 3-3 and Table 3-4 describe the attributes of both the scheduled jobs.

Table 3-3 Attributes of the Scheduled Jobs for Reconciliation of User Records for FA User Request Service

Attribute Description

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

Default value: 0

IT Resource Name

Enter the name of the IT resource for the target system installation from where the connector must reconcile data.

If you are running the FA User Request Service Trusted User Reconciliation scheduled job, then enter the name of the IT resource instance that you create for trusted source reconciliation in Configuring the IT Resource for the Target System.

Default value: FA User Request Service

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Resource Object Name

This attribute holds the name of the resource object used for reconciliation.

Default value: FA User Trusted

Do not change the default value.

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Default value: FA User Request Service Trusted User Reconciliation

Sync Token

This attribute holds the value of the updated timestamp of the ATOM entry.

Sample value: <String>2015-02-10T10:39:22.000Z</String>

Table 3-4 Attributes of the Scheduled Jobs for Reconciliation of User Records for FA Identity Service

Attribute Description

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

Default value: 0

Filter

Enter the expression for filtering records. Use the following syntax:

syntax = expression ( operator expression )*
operator = 'and' | 'or'
expression = ( 'not' )? filter
filter = ('equalTo' | 'contains' | 'containsAllValues'
  | 'startsWith' | 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo'
  | 'lessThan' | 'lessThanOrEqualTo' ) '(' 'attributeName' ','
  attributeValue ')'
attributeValue = singleValue | multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'

Default value: None

Incremental Recon Attribute

Attribute that holds the date on which the token record was modified.

IT Resource Name

Enter the name of the IT resource for the target system installation from where the connector must reconcile data.

If you are running the FA User Request Service Trusted User Reconciliation scheduled job, then enter the name of the IT resource instance that you create for trusted source reconciliation in Configuring the IT Resource for the Target System.

Default value: FA Identity Service

Latest Token

This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty.

Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.

Sample value: 1354753427000

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Resource Object Name

This attribute holds the name of the resource object used for reconciliation.

Default value: FA Identity

Do not change the default value.

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Default value: FA Identity Service User Reconciliation

3.2.4.2 Scheduled Job for Reconciliation of Deleted Users Records

To perform FA Identity Service user delete reconciliation, you must specify values for the attributes of the Fusion Apps User Delete Reconciliation scheduled job. This scheduled job is used to reconcile data about deleted users in the trusted source (identity management) mode of the connector. During a reconciliation run, for each deleted target system user account, the corresponding OIM User is deleted.

Table 3-5 describes the attributes of this scheduled job.

Table 3-5 Attributes of the Scheduled Job for Delete User Reconciliation

Attributes Description

IT Resource Name

Enter the name of the IT resource instance that the connector must use to reconcile user data.

Default value: FA Identity Service

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Resource Object Name

This attribute holds the name of the resource object used for reconciliation.

Default value: FA User

Do not change the default value.

3.3 Configuring Scheduled Jobs

Configure scheduled jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Manager.

You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.

To configure a scheduled job:

  1. Log in to Oracle Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled job as follows:
    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      Note:

      See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    • See Reconciliation Scheduled Jobs for Fusion Apps Connector for the list of scheduled tasks and their attributes.

  6. Click Apply to save the changes.

    Note:

    The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

3.4 Performing Provisioning Operations

Provisioning operations for the Fusion Apps connector are performed through access policies.

Oracle Identity Manager Users created when FA is the source of truth have an Access Policy named FA Access Policy for FA User associated with them. When the policy is evaluated, SSO account creation for the user is triggered. The Oracle Identity Manager User is then linked with the existing FA User and the SSO email is propagated to the target system correspondingly.

Oracle Identity Manager Users created when an external HRMS is the source of truth have an Access Policy named FA Access Policy for External User associated with them. When the policy is evaluated, SSO account creation for the user is triggered. This triggers creation of an FA account and the SSO email is propagated to FA correspondingly.

To perform provisioning operations in Oracle Identity Manager, see detailed information in Updating Access Policies.

3.5 Uninstalling the Fusion Apps Connector

Uninstalling the connector deletes all the account-related data associated with the resource objects of the connector.

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.