About the Connector

This chapter introduces the Oracle E-Business Suite User Management connector.

This chapter discusses the following topics:

Introduction to the Connector

Oracle Identity Manager (OIM) platform automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connects users to resources, and revokes and restricts unauthorized access to protect sensitive corporate information. The Oracle E-Business Suite User Management connector (EBS UM connector) enables you to use Oracle E-Business Suite as a target resource for Oracle Identity Manager.

An FND_USER record represents an Oracle E-Business User Management account. This record is the main component of the account data whose management is enabled by the connector. This connector can be used to manage either the FND_USER records or FND_USER records with TCA records. In other words, this connector is used to manage plain user accounts or user accounts with parties.

You can use the User Management connector to create Oracle E-Business Suite user accounts (FND_USER records) for OIM users and to grant user roles and responsibilities to these accounts. You can also reconcile newly created users and modified user accounts (FND_USER records) from the target system. These reconciled records are used to create and update Oracle E-Business User Management accounts assigned to OIM Users.

In addition to creating Oracle E-Business User Management accounts, you can use this connector to create parties or vendors (suppliers) in the target system. A party or vendor is represented by a Trading Community Architecture (TCA) record in the HZ_PARTIES table. Some Oracle E-Business Suite applications, such as iStore and iProcurement, require each user to have a TCA record identifying the user as a representative or employee of a party or vendor in your organization.

The following are the types of TCA records that this connector supports:

  • Parties

  • Vendors or Suppliers

The object class used for the User Management connector with TCA party is __ACCOUNT__. Roles and responsibilities are handled as child data. You can use this connector to remove existing roles and responsibilities as well.

During user provisioning, if you enter the party or supplier information along with the EBS user information, the connector first creates the E-Business user account, then creates the party or vendor, and finally establishes the link between the user record and the TCA record. For target system users that are linked with party or supplier records, the value in the PERSON_PARTY_ID column of the FND_USER table is the same as the value in the PARTY_ID column of the HZ_PARTIES table.

During a create or update user provisioning operation, you can link the target system user account with an existing HRMS employee record by providing Person ID.

Certified Components

These are the software components and their versions required for installing and using the connector.

Table 1-1 lists the certified components for the connector.

Table 1-1 Certified Components

Component Requirement

Oracle Identity Manager

You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:

  • Oracle Identity Governance 12c (12.2.1.4.0)

  • Oracle Identity Governance 12c (12.2.1.3.0)

  • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0) and any later BP in this release track

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and any later BP in this release track

Target system

The target system can be any one of the following:

  • Oracle E-Business Suite 12.1.1 through 12.1.3

  • Oracle E-Business Suite 12.2.1 through 12.2.7 or later

These applications may run on Oracle Database 10g, 11g, 12c, or 19c, as either a single-instance database or an Oracle RAC implementation.

Notes:

  • If you are using 12.2.4 or later versions, then you must download and apply the latest EBS connector 11.1.1.5.0J Patch 27733565. To download the patch, sign in to My Oracle Support and search for the patch number on the Patches and Updates page.

  • If your target system is running on Oracle Database release 19.x, then download and apply the Oracle Database patch 31142749 from My Oracle Support. Applying this patch ensures that provisioning operations work correctly.

  • Communication between Oracle Identity Manager and the target system can be in SSL or non-SSL mode.

Connector server

11.1.2.1.0

Note: The JDBC driver ojdbcx.jar is supported with character sets such as US7ASCII, WE8DEC, WE8ISO8859P1, WE8MSWIN1252, and UTF8. To use any other character sets and ensure all connector operations work successfully with the Connector Server, download the orai18n.jar file from the Oracle JDBC drivers OTN page and copy it to the lib directory of Connector Server.

Connector Server JDK

JDK 1.6 or later

SSO system

The target system can use one of the following single sign-on (SSO) solutions:

  • Oracle Single Sign-On with Oracle Internet Directory (release 11.1.1.7.0) as the LDAP-based repository

  • Oracle Access Manager with Microsoft Active Directory (2008, 2012 R2), Oracle Directory Server Enterprise Edition (11.1.1.7.0), or Novell eDirectory (8.8) as the LDAP-based repository

SoD engine

If you want to enable and use the Segregation of Duties (SoD) feature of Oracle Identity Manager with this target system, then install Oracle Applications Access Controls Governor release 8.6.4.

Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

  • If you are using an Oracle Identity Manager release that is earlier than Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and you want to configure the connector to use the target system as a target resource, then use the 9.1.x version of the Oracle E-Business User Management connector.

  • If you are using any of the Oracle Identity Manager releases listed in Table 1-1, then you must use the latest 11.1.1.x version of this connector.

Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English (US)

  • Finnish

  • French

  • French (Canadian)

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

Connector Architecture

The Oracle E-Business User Management connector is implemented by using the Identity Connector Framework (ICF).

The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Manager connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering. The ICF is shipped along with Oracle Identity Manager. Therefore, you need not configure or modify the ICF.

Figure 1-1 shows the architecture of the Oracle E-Business Suite connectors.

Figure 1-1 Connector Architecture


During connector operations, Oracle Identity Manager interacts with a layer called ICF integration. ICF integration is specific to each application with which OIM interacts and uses the ICF API to invoke operations on the Identity Connector (IC). The connector then calls the target system APIs to perform operations on the resource.

The connector communicates with the target system by making calls to the stored procedures in OIM Wrapper packages, which in turn call the target system stored procedures internally. The OIM Wrapper packages are created in the target system when you run a script that is present in the connector installation package. The procedure to run this script is discussed later in this guide.

The basic function of this connector is to enable management of user data on Oracle E-Business Suite through Oracle Identity Manager. In other words, the Oracle E-Business Suite User Management connector enables you to use Oracle E-Business Suite (the target system) as a managed or target resource of Oracle Identity Manager. You can create and manage target system accounts (resources) for OIM Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled (using scheduled tasks) and linked with existing OIM Users and provisioned resources.

Features of the Connector

The features of the connector include support for connector server, target resource reconciliation, Segregation of Duties (SoD) validation of role and responsibility entitlement requests, reconciliation of all existing or modified account data, limited and batched reconciliation, transformation and validation of account data during reconciliation and provisioning, and so on.

The following are the features of the connector:

Support for Target Resource Reconciliation

You can use the EBS UM connector to configure the target system as a target resource of Oracle Identity Manager.

In this mode, you can use this connector to provision and reconcile the following entities from Oracle E-Business Suite:

  • EBS accounts/FND_USER records

  • TCA Party records/Vendor records

SoD Validation of Entitlement Provisioning

This connector supports the SoD feature. The following are the key points of this feature:

  • The SoD Invocation Library (SIL) is bundled with Oracle Identity Governance release. The SIL acts as a pluggable integration interface with any SoD engine.

  • The EBS UM connector is preconfigured to work with Oracle Applications Access Controls Governor as the SoD engine. To enable this, changes have been made in the approval and provisioning workflows of the connector.

  • The SoD engine processes role and responsibility entitlement requests that are sent through the connector. Potential conflicts in role and responsibility assignments can be automatically detected.

See Configuring SoD for more information on configuring the connector for the SoD feature.

Support for an SSO-Enabled Target System Installation

Oracle E-Business Suite can be configured to use a single sign-on solution such as Oracle Single Sign-On and Oracle Access Manager, to authenticate users. Oracle Single Sign-On uses Oracle Internet Directory as an LDAP-based repository for storing user records. Oracle Access Manager can use Microsoft Active Directory, Oracle Directory Server Enterprise Edition, or Novell eDirectory as the LDAP-based repository.

You can configure the connector to work with either one of these SSO solutions during reconciliation and provisioning operations.

The connector is shipped with an adapter that copies SSO account details, such as the GUID, from the enterprise directory process form to the EBS user process form.

See Configuring the Connector for SSO for information about configuring the connector for a single sign-on solution.

Account Status Reconciliation and Provisioning

When you enable an account on the target system, the Effective Date From field is set to the current date and the Effective Date To field is set to NULL on the target system.

When you disable an account on the target system, the Effective Date To field is set to the current date on the target system.

The same effect can be achieved through provisioning operations performed on Oracle Identity Manager. In addition, status changes made directly on the target system can be copied into Oracle Identity Manager during reconciliation.

See Provisioning Operations Performed in an SoD-Enabled Environment for more information about provisioning operations in an SoD-enabled environment.

Account Password Management

The connector supports basic password management features. For a particular user, you can specify when the user's password must expire by using the following process form fields:

  • Password Expiration Type

    You use the Password Expiration Type field to specify the factor (or measure) that you want to use to set a value for password expiration. You can select either Accesses or Days as the password expiration type.

  • Password Expiration Interval

    In the Password Expiration Interval field, you specify the number of accesses or days for which the user must be able to use the password.

For example, if you specify Accesses in the Password Expiration Type field and enter 20 in the Password Expiration Interval field, then the user is prompted to change the user's password at the twenty-first login. Similarly, if you specify Days in the Password Expiration Type field and enter 100 in the Password Expiration Interval field, then the user is prompted to change the user's password on the hundred and first day after setting a new password.
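The following added example (not the connector's own code) models the two rules described above, the Effective Date From/To status handling and the Password Expiration Type/Interval policy, so the worked values (Accesses/20 prompting at the 21st login, Days/100 prompting on the 101st day) can be checked; the attribute names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Constructed model of the process-form fields the chapter describes; the
# attribute names are assumptions for illustration, not the connector's own.
@dataclass
class EbsAccount:
    user_name: str
    effective_date_from: date
    effective_date_to: Optional[date]   # NULL (None) while the account is enabled
    password_exp_type: Optional[str]    # "Accesses" or "Days"
    password_exp_interval: Optional[int]
    password_set_on: date               # assumed: date the current password was set

def enable(acct: EbsAccount, today: date) -> None:
    """Enable: Effective Date From = today, Effective Date To = NULL."""
    acct.effective_date_from, acct.effective_date_to = today, None

def disable(acct: EbsAccount, today: date) -> None:
    """Disable: Effective Date To = today."""
    acct.effective_date_to = today

def is_enabled(acct: EbsAccount, today: date) -> bool:
    """Status as reconciliation reads it back from the two date fields."""
    if today < acct.effective_date_from:
        return False
    return acct.effective_date_to is None or today < acct.effective_date_to

def must_change_password(acct: EbsAccount, today: date, login_number: int) -> bool:
    """login_number = Nth login since the password was set. Accesses/20 prompts
    at the 21st login; Days/100 prompts on the 101st day after the set date."""
    if acct.password_exp_type is None or acct.password_exp_interval is None:
        return False                    # no expiration policy on this account
    if acct.password_exp_type == "Accesses":
        return login_number > acct.password_exp_interval
    if acct.password_exp_type == "Days":
        return (today - acct.password_set_on).days > acct.password_exp_interval
    raise ValueError(f"unknown Password Expiration Type: {acct.password_exp_type!r}")

def demo() -> dict:
    """Walk the chapter's two worked values and a disable; returns the results."""
    a = EbsAccount("ASMITH", date(2024, 1, 1), None, "Accesses", 20, date(2024, 1, 1))
    d = EbsAccount("DJONES", date(2024, 1, 1), None, "Days", 100, date(2024, 1, 1))
    out = {"accesses_20th": must_change_password(a, date(2024, 3, 1), 20),
           "accesses_21st": must_change_password(a, date(2024, 3, 1), 21),
           "days_100th": must_change_password(d, date(2024, 4, 10), 1),  # day 100
           "days_101st": must_change_password(d, date(2024, 4, 11), 1)}  # day 101
    disable(a, date(2024, 3, 1))
    out["enabled_after_disable"] = is_enabled(a, date(2024, 3, 1))
    return out
```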

See Lookup.Oracle EBS UM.PasswordExpTypes for information about the lookup definition corresponding to the Password Expiration Type field.

Full and Incremental Reconciliation

In full reconciliation, all records are fetched from the target system to Oracle Identity Manager. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.

You can switch from incremental to full reconciliation at any time after you deploy the connector. See section Performing Full and Incremental Reconciliation for more information on performing full and incremental reconciliation runs.

Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Performing Batched Reconciliation for more information on performing batched reconciliation.

Limited (Filtered) Reconciliation

To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.

See Performing Limited Reconciliation for more information on performing limited reconciliation.
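The following added example (not the connector's or ICF's own code) puts the three preceding modes together over a few constructed FND_USER-like rows: a full run, an incremental run driven by a stored high-water mark, a limited run with a record filter, and batching of whatever was selected.

```python
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, object]

# Constructed FND_USER-like rows (not real data): USER_NAME, the target's
# last-modified timestamp and END_DATE (NULL = enabled).
TARGET_RECORDS: List[Record] = [
    {"USER_NAME": "ALICE", "LAST_UPDATE_DATE": datetime(2024, 5, 1, 9, 0), "END_DATE": None},
    {"USER_NAME": "BOB", "LAST_UPDATE_DATE": datetime(2024, 5, 2, 10, 30), "END_DATE": None},
    {"USER_NAME": "CAROL", "LAST_UPDATE_DATE": datetime(2024, 5, 3, 8, 15), "END_DATE": datetime(2024, 5, 3)},
    {"USER_NAME": "DAVE", "LAST_UPDATE_DATE": datetime(2024, 5, 3, 8, 15), "END_DATE": None},
    {"USER_NAME": "ERIN", "LAST_UPDATE_DATE": datetime(2024, 5, 4, 12, 0), "END_DATE": None},
]

def select_records(records: List[Record], last_run: Optional[datetime],
                   record_filter: Optional[Callable[[Record], bool]] = None
                   ) -> Tuple[List[Record], Optional[datetime]]:
    """Full run when last_run is None; incremental run otherwise (only rows
    changed strictly after the previous high-water mark). record_filter, when
    given, selects the limited-reconciliation subset."""
    changed = [r for r in records if last_run is None or r["LAST_UPDATE_DATE"] > last_run]
    # The new high-water mark comes from everything that changed, not only the
    # filtered subset, so excluded rows are not re-fetched on every later run.
    new_mark = max((r["LAST_UPDATE_DATE"] for r in changed), default=last_run)
    if record_filter is not None:
        changed = [r for r in changed if record_filter(r)]
    # sorted() is stable, so rows sharing a timestamp keep their fetch order
    return sorted(changed, key=lambda r: r["LAST_UPDATE_DATE"]), new_mark

def batches(records: List[Record], batch_size: int):
    """Batched reconciliation: yield batch_size rows at a time."""
    if batch_size < 1:
        raise ValueError("batch size must be at least 1")
    for start in range(0, len(records), batch_size):
        yield records[start:start + batch_size]

def reconcile(records: List[Record], last_run: Optional[datetime], batch_size: int,
              record_filter: Optional[Callable[[Record], bool]] = None):
    """Returns (user names per batch, high-water mark to store for the next run)."""
    picked, new_mark = select_records(records, last_run, record_filter)
    return [[r["USER_NAME"] for r in b] for b in batches(picked, batch_size)], new_mark
```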

Support for Connector Server

Connector Server is a component provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles. In other words, a connector server enables remote execution of an Oracle Identity Manager connector.

A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.

See Installation for more information about the installation options for this connector.

Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems.

At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can be requested again and used by the connector for another operation. By enabling the reuse of connections, the connection pool reduces connection creation overheads such as network latency, memory allocation, and authentication.

One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools will be created, one for each target system installation.

For more information about the parameters that you can configure for connection pooling, see Setting up the Lookup Definition for Connection Pooling.

Support for SSL Communication Between the Target System and Oracle Identity Manager

You can configure SSL to secure communication between Oracle Identity Manager and the target system.

See Configuring Secure Communication Between the Target System and Oracle Identity Governance for more information about securing communication between the target system and Oracle Identity Manager.