You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
This chapter contains the following topics:
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

Scheduled jobs for lookup field synchronization fetch the most recent values from specific fields in the target system to lookup definitions in Oracle Identity Manager. These lookup definitions are used as an input source for lookup fields in Oracle Identity Manager.
The FA Identity Service Application Roles Lookup Reconciliation scheduled job is used for lookup fields synchronization. The values that are fetched by this scheduled job are populated in the Lookup.FAIdentityService.ApplicationRoles lookup definition.
Table 3-1 describes attributes of the FA Identity Service Application Roles Lookup Reconciliation scheduled job. The procedure to configure scheduled jobs is described later in this guide.
Table 3-1 Attributes of the FA Identity Service Application Roles Lookup Reconciliation Scheduled Job
Attribute | Description |
---|---|
Code Key Attribute | Name of the connector attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: |
Decode Attribute | Name of the connector attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: |
IT Resource Name | Name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Lookup Name | Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. Default value: |
Object Type | This attribute is used to perform reconciliation of the specified object type. As per the scheduled job, select the applicable object type. Default value: |
You can configure the connector to specify the type of reconciliation and its schedule.
This section provides details on the following topics related to configuring reconciliation:
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.
After you deploy the connector, you must first perform full reconciliation. Because the initial bootstrap load of all existing Fusion Apps users can be a time- and resource-intensive process, we recommend exporting all the users from the Fusion Apps system into a flat file in the .csv format, and then using the Flat File connector to load these users into Oracle Identity Manager offline. To do so, perform the procedures mentioned below:
To use the Flat File connector to load exported users, perform the procedures mentioned below:
You must modify the exported CSV files as required by the Flat File connector. The Flat File connector expects the CSV file headers to use the target field names, that is, the names as they appear in the Fusion Apps ATOM feed. Because the flat files exported in the previous step have different column names, you must change the header of both files by replacing the existing names with the correct names listed in Table 3-2.
Table 3-2 Header Names
Existing Name in Exported File | Correct Name/Target Name |
---|---|
id | user.id |
username | user.userName |
first_name | user.name.givenName |
last_name | user.name.familyName |
email | user.emails.value |
For example, if the header name is username,id,first_name,last_name,email,
it should be changed to user.userName,user.id,user.name.givenName,user.name.familyName,user.emails.value.
To configure and use the Flat File connector:
Note:
You must perform the following configurations at the minimum to use the connector.

After all the users are created in Oracle Identity Manager and their FA Identity Service accounts are successfully provisioned, query the ATOM endpoint of the Fusion Apps target system using any REST client. Look at the first ATOM pub entry and fetch the updated datetime value.
For example, <updated>2016-05-10T08:36:30.000Z</updated> for the first record means that the record was updated last at 2016-05-10T08:36:30.000Z. This also means that this is the time when the latest update was done on the Fusion Apps target system.
Copy this value to the Sync Token parameter of the FA User Request Service Trusted User Reconciliation scheduled job, prefixing it with <String> and suffixing it with </String>.
For example, <updated>2016-05-10T08:36:30.000Z</updated> should be changed to <String>2016-05-10T08:36:30.000Z</String> while copying to the Sync Token parameter.
This will ensure that when you run the FA User Request Service Trusted User Reconciliation scheduled job, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.
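The Sync Token steps above, as an added example that is not part of the connector or the original guide: it reads the updated value of the first entry from a saved ATOM response and produces the string to paste into the Sync Token parameter. The standard Atom namespace and the sample feed are assumptions; the feed content is constructed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumption: the feed uses the standard Atom namespace.
ATOM = {"atom": "http://www.w3.org/2005/Atom"}
# Timestamp shape shown in the text, for example 2016-05-10T08:36:30.000Z
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z")

def sync_token_from_feed(feed_xml):
    """Build the Sync Token value from the first entry of an ATOM feed."""
    root = ET.fromstring(feed_xml)
    entry = root.find("atom:entry", ATOM)  # first entry only
    if entry is None:
        raise ValueError("feed contains no entries")
    # Use the entry's own <updated>, not the feed-level element of the same name.
    updated = (entry.findtext("atom:updated", default="", namespaces=ATOM) or "").strip()
    if not TS_RE.fullmatch(updated):
        raise ValueError(f"unexpected timestamp format: {updated!r}")
    datetime.strptime(updated, "%Y-%m-%dT%H:%M:%S.%fZ")  # rejects impossible dates
    return f"<String>{updated}</String>"

# Constructed sample response (identifiers are placeholders).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>constructed sample</title>
  <updated>2016-05-11T00:00:00.000Z</updated>
  <entry>
    <id>constructed-entry-2</id>
    <updated>2016-05-10T08:36:30.000Z</updated>
  </entry>
  <entry>
    <id>constructed-entry-1</id>
    <updated>2016-05-09T14:02:11.000Z</updated>
  </entry>
</feed>"""

if __name__ == "__main__":
    print(sync_token_from_feed(SAMPLE_FEED))
```

A token that is later than the last update already loaded causes records changed in between to be skipped, so take the value from the feed rather than typing it by hand.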
Limited or filtered reconciliation is the process of limiting the number of records being reconciled based on a set filter criteria.
By default, all target system records are reconciled during the current reconciliation run. You can customize this process by specifying the subset of target system records that must be reconciled. You do this by creating filters for the reconciliation module.
You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a filter attribute that supports ICF filters (a scheduled task attribute) allowing you to use any of the Fusion Apps resource attributes to filter the target system records.
See ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
Note:
The __UID__ attribute name can only be used with the equalTo filter.

FA User Request service does not support limited reconciliation as the searchOp feature is not supported. However, this operation is performed by FA Identity service using filters.
FA User Request service and FA Identity service support batching. By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run.
Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid such problems.
FA Identity service exposes only the Batch Size attribute to the users in the scheduled job. To configure batched reconciliation, specify values for the Batch Size attribute while performing the procedure described in the Scheduled Jobs for Reconciliation of User Records.
Batch Size is an attribute used to specify the number of records that must be included in each batch. If you set the value of this attribute to 0, then the defaultbatchsize entry of the main configuration lookup is considered as the batch size for batched reconciliation. Any numeric value other than 0 takes precedence over the defaultbatchsize entry.
When you run the Connector Installer, reconciliation scheduled jobs are automatically created in Oracle Identity Manager. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.
This section discusses the following scheduled jobs that you can configure for reconciliation:
Depending on whether you want to implement trusted source or target resource reconciliation, you must specify values for the attributes of one of the following user reconciliation scheduled jobs:
Fusion Apps User Target Reconciliation (FA Identity Service User Reconciliation)
This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector.
Fusion Apps User Trusted Reconciliation (FA User Request Service Trusted User Reconciliation)
This scheduled job is used to reconcile user data in the trusted source (identity management) mode of the connector.
Table 3-3 and Table 3-4 describe the attributes of both the scheduled jobs.
Table 3-3 Attributes of the Scheduled Jobs for Reconciliation of User Records for FA User Request Service
Attribute | Description |
---|---|
Batch Size | Enter the number of records that must be included in each batch fetched from the target system. Default value: |
IT Resource Name | Enter the name of the IT resource for the target system installation from where the connector must reconcile data. If you are running the FA User Request Service Trusted User Reconciliation scheduled job, then enter the name of the IT resource instance that you create for trusted source reconciliation in Configuring the IT Resource for the Target System. Default value: |
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Resource Object Name | This attribute holds the name of the resource object used for reconciliation. Default value: Do not change the default value. |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Default value: |
Sync Token | This attribute holds the value of the updated timestamp of the ATOM entry. Sample value: <String>2015-02-10T10:39:22.000Z</String> |
Table 3-4 Attributes of the Scheduled Jobs for Reconciliation of User Records for FA Identity Service
Attribute | Description |
---|---|
Batch Size | Enter the number of records that must be included in each batch fetched from the target system. Default value: |
Filter | Enter the expression for filtering records. Use the following syntax: syntax = expression ( operator expression )* operator = 'and' | 'or' expression = ( 'not' )? filter filter = ('equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' ) '(' 'attributeName' ',' attributeValue ')' attributeValue = singleValue | multipleValues singleValue = 'value' multipleValues = '[' 'value_1' (',' 'value_n')* ']' Default value: |
Incremental Recon Attribute | Attribute that holds the date on which the token record was modified. |
IT Resource Name | Enter the name of the IT resource for the target system installation from where the connector must reconcile data. If you are running the FA User Request Service Trusted User Reconciliation scheduled job, then enter the name of the IT resource instance that you create for trusted source reconciliation in Configuring the IT Resource for the Target System. Default value: |
Latest Token | This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty. Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. Sample value: |
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Resource Object Name | This attribute holds the name of the resource object used for reconciliation. Default value: Do not change the default value. |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Default value: |
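A Filter value can be checked before it is saved in the scheduled job. The following added example (not the connector's own code) validates an expression against the grammar printed in the Filter row and enforces the note that __UID__ can only be used with equalTo. It assumes the operators are written as the words and, or and not exactly as the grammar prints them and that names and values are single-quoted; the sample attribute names are constructed.

```python
import re

# Filter names from the grammar; longer names come before their prefixes.
FILTERS = ("equalTo|containsAllValues|contains|startsWith|endsWith|"
           "greaterThanOrEqualTo|greaterThan|lessThanOrEqualTo|lessThan")
VALUE = r"'[^']*'"
# expression = ( 'not' )? filter, with a single value or a bracketed value list
TERM_RE = re.compile(
    rf"\s*(?:not\s+)?({FILTERS})\s*\(\s*'([^']*)'\s*,\s*"
    rf"(?:{VALUE}|\[\s*{VALUE}(?:\s*,\s*{VALUE})*\s*\])\s*\)")
# operator = 'and' | 'or'
OPERATOR_RE = re.compile(r"\s*(?:and|or)\b")

def validate_filter(text):
    """Return [(filter, attribute), ...] if text matches the grammar, else raise ValueError."""
    used, pos = [], 0
    text = text.strip()
    while True:
        term = TERM_RE.match(text, pos)
        if not term:
            raise ValueError(f"invalid filter term at offset {pos}")
        name, attr = term.groups()
        if attr == "__UID__" and name != "equalTo":
            raise ValueError("__UID__ can only be used with equalTo")
        used.append((name, attr))
        pos = term.end()
        if pos == len(text):
            return used
        op = OPERATOR_RE.match(text, pos)
        if not op:
            raise ValueError(f"expected 'and' or 'or' at offset {pos}")
        pos = op.end()

# Constructed sample expressions; the attribute names are illustrative only.
SAMPLES = [
    "equalTo('__UID__','1001')",
    "startsWith('userName','j') and not contains('emails',['@example.com','@example.org'])",
    "startsWith('__UID__','10')",      # rejected: __UID__ with a filter other than equalTo
    "equalTo('userName','jdoe') and",  # rejected: dangling operator
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print("ok  ", validate_filter(sample))
        except ValueError as err:
            print("bad ", sample, "->", err)
```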
To perform FA Identity Service user delete reconciliation, you must specify values for the attributes of the Fusion Apps User Delete Reconciliation scheduled job. This scheduled job is used to reconcile data about deleted users in the trusted source (identity management) mode of the connector. During a reconciliation run, for each deleted target system user account, the corresponding OIM User is deleted.
Table 3-5 describes attributes of both scheduled jobs.
Table 3-5 Attributes of the Scheduled Job for Delete User Reconciliation
Attributes | Description |
---|---|
IT Resource Name | Enter the name of the IT resource instance that the connector must use to reconcile user data. Default value: |
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Resource Object Name | This attribute holds the name of the resource object used for reconciliation. Default value: Do not change the default value. |
Configure scheduled jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Manager.
You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.
To configure a scheduled job:
Provisioning operations for the Fusion Apps connector are performed through access policies.
Oracle Identity Manager Users created when FA is the source of truth have an access policy named FA Access Policy for FA User associated with them. When the policy is evaluated, SSO account creation for the user is triggered. The Oracle Identity Manager User is then linked with the existing FA User and the SSO email is propagated to the target system correspondingly.
Oracle Identity Manager Users created when an external HRMS is the source of truth have an access policy named FA Access Policy for External User associated with them. When the policy is evaluated, SSO account creation for the user is triggered. This triggers creation of an FA account and the SSO email is propagated to FA correspondingly.
To perform provisioning operations in Oracle Identity Manager, see detailed information in Updating Access Policies.
Uninstalling the connector deletes all the account related data associated with resource objects of the connector.
If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.