The Oracle Identity Manager (OIM) platform automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connects users to resources, and revokes and restricts unauthorized access to protect sensitive corporate information. The Oracle E-Business Suite User Management connector (EBS UM connector) enables you to use Oracle E-Business Suite as a target resource for Oracle Identity Manager.
An FND_USER record represents an Oracle E-Business User Management account. This record is the main component of the account data whose management is enabled by the connector. This connector can be used to manage either the FND_USER records or FND_USER records with TCA records. In other words, this connector is used to manage plain user accounts or user accounts with parties.
You can use the User Management connector to create Oracle E-Business Suite user accounts (FND_USER records) for OIM users and to grant user roles and responsibilities to these accounts. You can also reconcile newly created users and modified user accounts (FND_USER records) from the target system. These reconciled records are used to create and update Oracle E-Business User Management accounts assigned to OIM Users.
In addition to creating Oracle E-Business User Management accounts, you can use this connector to create parties or vendors (suppliers) in the target system. A party or vendor is represented by a Trading Community Architecture (TCA) record in the HZ_PARTIES table. Some applications in Oracle E-Business Suite, such as iStore and iProcurement, require users to have a TCA record that is a representative or employee of the parties and vendors in your organization.
The following are the types of TCA records that this connector supports:
Parties
Vendors or Suppliers
The object class used for the User Management connector with TCA party is __ACCOUNT__.
Roles and responsibilities are handled as child data. You can use this connector to remove existing roles and responsibilities as well.
During user provisioning, if you enter the party or supplier information along with the EBS user information, the connector creates the E-Business user account first, creates the party or vendor next, and then establishes the link between the user record and the TCA record. For target system users that are linked with party or supplier records, the value in the PERSON_PARTY_ID column of the FND_USER table is the same as the value in the PARTY_ID column of the HZ_PARTIES table.
During a create or update user provisioning operation, you can link the target system user account with an existing HRMS employee record by providing Person ID.
These are the software components and their versions required for installing and using the connector.
Table 1-1 lists the certified components for the connector.

Table 1-1 Certified Components

| Component | Requirement |
|---|---|
| Oracle Identity Manager | You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager: |
| Target system | The target system can be any one of the following: These applications may run on Oracle Database 10g, 11g, 12c, or 19c as either a single database or an Oracle RAC implementation. Notes: |
| Connector server | 11.1.2.1.0. Note: The JDBC driver ojdbcx.jar is supported with character sets such as US7ASCII, WE8DEC, WE8ISO8859P1, WE8MSWIN1252, and UTF8. To use any other character set and ensure that all connector operations work with the Connector Server, download the orai18n.jar file from the Oracle JDBC drivers OTN page and copy it to the lib directory of the Connector Server. |
| Connector Server JDK | JDK 1.6 or later |
| SSO system | The target system can use one of the following single sign-on (SSO) solutions: |
| SoD engine | If you want to enable and use the Segregation of Duties (SoD) feature of Oracle Identity Manager with this target system, then install Oracle Applications Access Controls Governor release 8.6.4. |
Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
If you are using an Oracle Identity Manager release that is earlier than Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and you want to configure the connector to use the target system as a target resource, then use the 9.1.x version of the Oracle E-Business User Management connector.
If you are using any of the Oracle Identity Manager releases listed in Table 1-1, then you must use the latest 11.1.1.x version of this connector.
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Czech
Danish
Dutch
English (US)
Finnish
French
French (Canadian)
German
Greek
Hebrew
Hungarian
Italian
Japanese
Korean
Norwegian
Polish
Portuguese
Portuguese (Brazilian)
Romanian
Russian
Slovak
Spanish
Swedish
Thai
Turkish
The Oracle E-Business User Management connector is implemented by using the Identity Connector Framework (ICF).
The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Manager connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering. The ICF is shipped along with Oracle Identity Manager. Therefore, you need not configure or modify the ICF.
Figure 1-1 shows the architecture of the Oracle E-Business Suite connectors.
During connector operations, Oracle Identity Manager interacts with a layer called ICF integration. ICF integration is specific to each application with which OIM interacts and uses the ICF API to invoke operations on the Identity Connector (IC). The connector then calls the target system APIs to perform operations on the resource.
The connector communicates with the target system by making calls to the stored procedures in OIM Wrapper packages, which in turn call the target system stored procedures internally. The OIM Wrapper packages are created in the target system when you run a script that is present in the connector installation package. The procedure to run this script is discussed later in this guide.
The basic function of this connector is to enable management of user data on Oracle E-Business Suite through Oracle Identity Manager. In other words, the Oracle E-Business Suite User Management connector enables you to use Oracle E-Business Suite (the target system) as a managed or target resource of Oracle Identity Manager. You can create and manage target system accounts (resources) for OIM Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled (using scheduled tasks) and linked with existing OIM Users and provisioned resources.
The features of the connector include support for connector server, target resource reconciliation, Segregation of Duties (SoD) validation of role and responsibility entitlement requests, reconciliation of all existing or modified account data, limited and batched reconciliation, transformation and validation of account data during reconciliation and provisioning, and so on.
The following are the features of the connector:
You can use the EBS UM connector to configure the target system as a target resource of Oracle Identity Manager.
In this mode, you can use this connector to provision and reconcile the following entities from Oracle E-Business Suite:
EBS accounts (FND_USER records)
TCA party records and vendor records
This connector supports the SoD feature. These are the focal points of this feature.
The SoD Invocation Library (SIL) is bundled with Oracle Identity Governance release. The SIL acts as a pluggable integration interface with any SoD engine.
The EBS UM connector is preconfigured to work with Oracle Applications Access Controls Governor as the SoD engine. To enable this, changes have been made in the approval and provisioning workflows of the connector.
The SoD engine processes role and responsibility entitlement requests that are sent through the connector. Potential conflicts in role and responsibility assignments can be automatically detected.
See Configuring SoD for more information on configuring the connector for the SoD feature.
Oracle E-Business Suite can be configured to use a single sign-on solution such as Oracle Single Sign-On and Oracle Access Manager, to authenticate users. Oracle Single Sign-On uses Oracle Internet Directory as an LDAP-based repository for storing user records. Oracle Access Manager can use Microsoft Active Directory, Oracle Directory Server Enterprise Edition, or Novell eDirectory as the LDAP-based repository.
You can configure the connector to work with either one of these SSO solutions during reconciliation and provisioning operations.
The connector is shipped with an adapter that copies SSO account details, such as the GUID, from the enterprise directory process form to the EBS user process form.
See Configuring the Connector for SSO for information about configuring the connector for a single sign-on solution.
When you enable an account on the target system, the Effective Date From field is set to the current date and the Effective Date To field is set to NULL on the target system.
When you disable an account on the target system, the Effective Date To field is set to the current date on the target system.
The same effect can be achieved through provisioning operations performed on Oracle Identity Manager. In addition, status changes made directly on the target system can be copied into Oracle Identity Manager during reconciliation.
See Provisioning Operations Performed in an SoD-Enabled Environment for more information about provisioning operations in an SoD-enabled environment.
The connector supports basic password management features. For a particular user, you can specify when the user's password must expire by using the following process form fields:
Password Expiration Type
You use the Password Expiration Type field to specify the factor (or measure) that you want to use to set a value for password expiration. You can select either Accesses or Days as the password expiration type.
Password Expiration Interval
In the Password Expiration Interval field, you specify the number of accesses or days for which the user must be able to use the password.
For example, if you specify Accesses in the Password Expiration Type field and enter 20 in the Password Expiration Interval field, then the user is prompted to change the password at the twenty-first login. Similarly, if you specify Days in the Password Expiration Type field and enter 100 in the Password Expiration Interval field, then the user is prompted to change the password on the hundred and first day after setting a new password.
See Lookup.Oracle EBS UM.PasswordExpTypes for information about the lookup definition corresponding to the Password Expiration Type field.
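The following model, added here as an illustration and not part of the connector or this guide, expresses the two account rules described above: the enable/disable effect on the Effective Date From/To fields, and the Accesses/Days password expiration thresholds. The login counter and the password-set date are assumed attributes of the account record; the field names follow the process form fields on this page.

```python
"""Model of the FND_USER enable/disable and password-expiry rules above.

Added illustration, not connector code. `password_set_on` and
`logins_since_password_set` are assumed attributes of the account record.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class EbsAccount:
    user_name: str
    effective_date_from: Optional[date] = None
    effective_date_to: Optional[date] = None
    password_exp_type: Optional[str] = None      # "Accesses" or "Days"
    password_exp_interval: Optional[int] = None
    password_set_on: Optional[date] = None       # assumed: date the password was last set
    logins_since_password_set: int = 0           # assumed: completed logins since that date


def enable(acct: EbsAccount, today: date) -> None:
    # Enable: Effective Date From = current date, Effective Date To = NULL.
    acct.effective_date_from = today
    acct.effective_date_to = None


def disable(acct: EbsAccount, today: date) -> None:
    # Disable: Effective Date To = current date; Effective Date From is left as is.
    acct.effective_date_to = today


def status(acct: EbsAccount, today: date) -> str:
    """Status as a reconciliation run would derive it from the two effective dates."""
    if acct.effective_date_from is None or acct.effective_date_from > today:
        return "Disabled"
    if acct.effective_date_to is not None and acct.effective_date_to <= today:
        return "Disabled"
    return "Enabled"


def must_change_password(acct: EbsAccount, today: date) -> bool:
    """True once the interval is used up: 20 Accesses -> prompted at the 21st login;
    100 Days -> prompted on the 101st day counting the day the password was set."""
    if acct.password_exp_type is None or acct.password_exp_interval is None:
        return False
    if acct.password_exp_type == "Accesses":
        return acct.logins_since_password_set >= acct.password_exp_interval
    if acct.password_exp_type == "Days":
        if acct.password_set_on is None:
            return False
        return (today - acct.password_set_on).days >= acct.password_exp_interval
    raise ValueError(f"unknown Password Expiration Type: {acct.password_exp_type!r}")
```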
In full reconciliation, all records are fetched from the target system to Oracle Identity Manager. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.
You can switch from incremental to full reconciliation at any time after you deploy the connector. See Performing Full and Incremental Reconciliation for more information on performing full and incremental reconciliation runs.
You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.
See Performing Batched Reconciliation for more information on performing batched reconciliation.
To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.
See Performing Limited Reconciliation for more information on performing limited reconciliation.
Connector Server is a component provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles. In other words, a connector server enables remote execution of an Oracle Identity Manager connector.
A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.
See Installation for more information about the installation options for this connector.
A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems.
At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can be requested again and used by the connector for another operation. By enabling the reuse of connections, the connection pool reduces connection creation overheads such as network latency, memory allocation, and authentication.
One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools will be created, one for each target system installation.
For more information about the parameters that you can configure for connection pooling, see Setting up the Lookup Definition for Connection Pooling.
You can configure SSL to secure communication between Oracle Identity Manager and the target system.
See Configuring Secure Communication Between the Target System and Oracle Identity Governance for more information about securing communication between the target system and Oracle Identity Manager.