Using the Connector

This chapter provides information about the following topics:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

Lookup Definitions Used During Connector Operations

Lookup definitions that are used during reconciliation and provisioning operations are either preconfigured or synchronized with the target system.

Lookup definitions used during connector operations can be categorized as follows:

Lookup Definitions Synchronized with the Target System

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Responsibilities lookup field to select a responsibility to be assigned from the list of responsibilities in the lookup field. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The following is the format in which data is stored after lookup definition synchronization:

Code Key: <IT_RESOURCE_KEY>~<LOOKUP_FIELD_VALUE>

In this format:

  • IT_RESOURCE_KEY is the numeric code assigned to each IT resource in Oracle Identity Manager.

  • LOOKUP_FIELD_VALUE is the connector attribute value defined for code.

Sample value: 245~0

Decode: <IT_RESOURCE_NAME>~<LOOKUP_FIELD_VALUE>

In this format:

  • IT_RESOURCE_NAME is the name of the IT resource in Oracle Identity Manager.

  • LOOKUP_FIELD_VALUE is the connector attribute value defined for decode.

Sample value: Oracle EBS UM~FND

During a provisioning operation, lookup fields are populated with values corresponding to the target system that you select for the operation.

Preconfigured Lookup Definitions

This section discusses the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed. The other lookup definitions are as follows:

Lookup.Configuration.Oracle EBS UM

The Lookup.Configuration.Oracle EBS UM holds connector configuration entries that are used during target resource reconciliation and provisioning operations.

Table 3-1 lists the default entries in this lookup definition.

Table 3-1 Entries in the Lookup.Configuration.Oracle EBS UM Lookup Definition

| Code Key | Decode | Description |
| --- | --- | --- |
| Bundle Name | org.identityconnectors.ebs | This entry holds the name of the connector bundle class. Do not modify this entry. |
| Bundle Version | 1.0.1115 | This entry holds the version of the connector bundle class. Do not modify this entry. |
| Connector Name | org.identityconnectors.ebs.EBSConnector | This entry holds the name of the connector class. Do not modify this entry. |
| User Configuration Lookup | Lookup.Oracle EBS UM.UM.Configuration | This entry holds the name of the lookup definition that contains configuration information specific to the user object type. See Lookup.Oracle EBS UM.UM.Configuration for more information about this lookup definition. |

Lookup.Oracle EBS UM.UM.Configuration

The Lookup.Oracle EBS UM.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource.

Table 3-2 lists the default entries in this lookup definition.

Table 3-2 Entries in the Lookup.Oracle.EBS UM.UM.Configuration Lookup Definition

| Code Key | Decode | Description |
| --- | --- | --- |
| Provisioning Attribute Map | Lookup.Oracle EBS UM.UM.ProvAttrMap | This entry holds the name of the lookup definition that contains configuration information specific to the provisioning attribute map. See Lookup.Oracle EBS UM.UM.ProvAttrMap for more information about this lookup definition. |
| Recon Attribute Map | Lookup.Oracle EBS UM.UM.ReconAttrMap | This entry holds the name of the lookup definition that contains configuration information specific to the reconciliation attribute map. See Lookup.Oracle EBS UM.UM.ProvAttrMap for more information about this lookup definition. |

Lookup.Oracle EBS UM.UM.ProvAttrMap

The Lookup.Oracle EBS UM.UM.ProvAttrMap definition holds mappings between process form fields (Code Key values) and target system attributes (Decode). This lookup definition is used during provisioning operations. This lookup definition is preconfigured. Table 3-3 lists the default entries in this lookup definition.

Table 3-3 Entries in the Lookup.Oracle EBS UM.UM.ProvAttrMap Lookup Definition

| Code Key | Decode |
| --- | --- |
| Description | DESCRIPTION |
| Effective End Date[DATE] | END_DATE |
| Effective Start Date[DATE] | START_DATE |
| Email | EMAIL_ADDRESS |
| Fax | FAX |
| Party First Name | PARTY_FIRST_NAME |
| Party Id | PARTY_ID |
| Party Last Name | PARTY_LAST_NAME |
| Party Type | PARTY_TYPE |
| Password | __PASSWORD__ |
| Password Expiration Interval | PASSWORD_LIFESPAN |
| Password Expiration Type | PASSWORD_EXP_TYPE |
| Person Id | EMPLOYEE_ID |
| SSO GUID | USER_GUID |
| Supplier Name | SUPPLIER_NAME |
| Supplier Party Id[WRITEBACK] | SUPPLIER_PARTY_ID |
| UD_UM_RESP~Application Name[LOOKUP] | __RESPONSIBILITY__~__RESPONSIBILITY__~RESPONSIBILITY_APP_ID |
| UD_UM_RESP~Responsibility Description | __RESPONSIBILITY__~__RESPONSIBILITY__~RESP_DESCRIPTION |
| UD_UM_RESP~Responsibility End Date[DATE] | __RESPONSIBILITY__~__RESPONSIBILITY__~RESP_END_DATE |
| UD_UM_RESP~Responsibility Name[LOOKUP] | __RESPONSIBILITY__~__RESPONSIBILITY__~RESPONSIBILITY_ID |
| UD_UM_RESP~Responsibility Start Date[DATE] | __RESPONSIBILITY__~__RESPONSIBILITY__~RESP_START_DATE |
| UD_UM_RESP~Security Group[LOOKUP] | __RESPONSIBILITY__~__RESPONSIBILITY__~SECURITY_GROUP_ID |
| UD_UM_ROLE~Application Name[LOOKUP] | __ROLE__~__ROLE__~ROLE_APP_ID |
| UD_UM_ROLE~Role Expiration Date[DATE] | __ROLE__~__ROLE__~EXPIRATION_DATE |
| UD_UM_ROLE~Role Name[LOOKUP] | __ROLE__~__ROLE__~ROLE_ID |
| UD_UM_ROLE~Role Start Date[DATE] | __ROLE__~__ROLE__~ROLE_START_DATE |
| User Id | __UID__ |
| User Name | __NAME__ |

Lookup.Oracle EBS UM.UM.ReconAttrMap

The Lookup.Oracle EBS UM.UM.ReconAttrMap definition holds mappings between resource object fields (Code Key values) and target system attributes (Decode). This lookup definition is used during reconciliation. This lookup definition is preconfigured. Table 3-4 lists the default entries in this lookup definition.

Table 3-4 Entries in the Lookup.Oracle EBS UM.UM.ReconAttrMap Lookup Definition

| Code Key | Decode |
| --- | --- |
| Description | DESCRIPTION |
| Effective End Date[DATE] | END_DATE |
| Effective Start Date[DATE] | START_DATE |
| Email | EMAIL_ADDRESS |
| Fax | FAX |
| Party First Name | PARTY_FIRST_NAME |
| Party Id | PARTY_ID |
| Party Last Name | PARTY_LAST_NAME |
| Party Type | PARTY_TYPE |
| Password Expiration Interval | PASSWORD_LIFESPAN |
| Password Expiration Type | PASSWORD_EXP_TYPE |
| Person Id | EMPLOYEE_ID |
| Responsibilities~Application Name[LOOKUP] | __RESPONSIBILITY__~__RESPONSIBILITY__~RESPONSIBILITY_APP_ID |
| Responsibilities~Responsibility Description | __RESPONSIBILITY__~__RESPONSIBILITY__~RESP_DESCRIPTION |
| Responsibilities~Responsibility End Date[DATE] | __RESPONSIBILITY__~__RESPONSIBILITY__~RESP_END_DATE |
| Responsibilities~Responsibility Name[LOOKUP] | __RESPONSIBILITY__~__RESPONSIBILITY__~RESPONSIBILITY_ID |
| Responsibilities~Responsibility Start Date[DATE] | __RESPONSIBILITY__~__RESPONSIBILITY__~RESP_START_DATE |
| Responsibilities~Security Group[LOOKUP] | __RESPONSIBILITY__~__RESPONSIBILITY__~SECURITY_GROUP_ID |
| Roles~Application Name[LOOKUP] | __ROLE__~__ROLE__~ROLE_APP_ID |
| Roles~Role Expiration Date[DATE] | __ROLE__~__ROLE__~EXPIRATION_DATE |
| Roles~Role Name[LOOKUP] | __ROLE__~__ROLE__~ROLE_ID |
| Roles~Role Start Date[DATE] | __ROLE__~__ROLE__~ROLE_START_DATE |
| SSO GUID | USER_GUID |
| Status | __ENABLE__ |
| Supplier Name | SUPPLIER_NAME |
| Supplier Party Id | SUPPLIER_PARTY_ID |
| User Id | __UID__ |
| User Name | __NAME__ |

Lookup.Oracle EBS UM.PartyType

The Lookup.Oracle EBS UM.PartyType lookup definition holds information about the types of parties that you can select for a target system account, which you create through Oracle Identity Manager.

The following is the format of the Code Key and Decode values in this lookup definition:

  • Code Key: The type of party

  • Decode: Description of the type of party

Note:

You cannot add new entries to this lookup definition.

Table 3-5 lists the default entries in this lookup definition.

Table 3-5 Entries in the Lookup.Oracle EBS UM.PartyType Lookup Definition

| Code Key | Decode |
| --- | --- |
| Party | Party |
| Supplier | Supplier |

Lookup.Oracle EBS UM.PasswordExpTypes

The Lookup.Oracle EBS UM.PasswordExpTypes lookup definition holds the options that you can select to specify when the password for the target system account (created through Oracle Identity Manager) must expire.

The following is the format of entries in this lookup definition:

  • Code Key: The type of password expiry

  • Decode: The type of password expiry

Table 3-6 lists the default entries in this lookup definition.

Table 3-6 Entries in the Lookup.Oracle EBS UM.PasswordExpTypes Lookup Definition

| Code Key | Decode |
| --- | --- |
| Accesses | Accesses |
| Days | Days |
| None | None |

Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap

The Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap lookup definition is used to configure the connector to work with an SSO solution during provisioning operations. In other words, this lookup definition is used when the target system is configured to use Oracle Access Manager to authenticate users. Oracle Access Manager in turn uses Novell eDirectory as an LDAP-based repository for storing user records.

The Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap lookup definition holds information that is used internally by an OIM adapter to copy field values from a Novell eDirectory account to the target system account. For example, the entries in the Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap lookup definition are used internally by the OIM adapter to copy the Reference ID value of a Novell eDirectory account to the SSO GUID field of the EBS UM account.

The following is the format of entries in this lookup definition:

  • Code Key: Name of the field in the target system that must be populated with a value from a corresponding field in Novell eDirectory

  • Decode: Corresponding field name in Novell eDirectory

Table 3-7 lists the default entries in this lookup definition.

Table 3-7 Entries in the Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap Lookup Definition

| Code Key | Decode |
| --- | --- |
| Reference ID | SSO GUID |

Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap

The Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap lookup definition is used when the target system is configured to use either Oracle Single Sign-On or Oracle Access Manager to authenticate users. Oracle Single Sign-On and Oracle Access Manager in turn use an LDAP-based repository for storing user records.

The Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap lookup definition holds information that is used internally by an OIM adapter to copy field values from an LDAP-based repository account to the target system account. For example, the entries in the Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap lookup definition are used internally by the OIM adapter to copy the NsuniqueID value of an LDAP account to the SSO GUID field of the EBS UM account.

The following is the format of entries in this lookup definition:

  • Code Key: Name of the field in the target system that must be populated with a value from a corresponding field in any LDAP-based repository

  • Decode: Corresponding field name in the LDAP-based repository

Table 3-8 lists the default entries in this lookup definition.

Table 3-8 Entries in the Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap Lookup Definition

| Code Key | Decode |
| --- | --- |
| NsuniqueID | SSO GUID |

Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap

The Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap lookup definition is used when the target system is configured to use Oracle Single Sign-On to authenticate users. Oracle Single Sign-On in turn uses Oracle Internet Directory as an LDAP-based repository for storing user records.

The Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap lookup definition holds information that is used internally by an OIM adapter to copy field values from an Oracle Internet Directory account to the target system account. For example, the entries in the Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap lookup definition are used internally by the OIM adapter to copy the orclGuid value of an OID account to the SSO GUID field of the EBS UM account.

The following is the format of entries in this lookup definition:

  • Code Key: Name of the field in the target system that must be populated with a value from a corresponding field in OID

  • Decode: Corresponding field name in OID

Table 3-9 lists the default entries in this lookup definition.

Table 3-9 Entries in the Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap Lookup Definition

| Code Key | Decode |
| --- | --- |
| orclGuid | SSO GUID |

Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap

The Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap lookup definition is used when the target system is configured to use Oracle Single Sign-On to authenticate users. Oracle Single Sign-On in turn uses Active Directory as an LDAP-based repository for storing user records.

The Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap lookup definition holds information that is used internally by an OIM adapter to copy field values from a Microsoft Active Directory account to the target system account. For example, the entries in the Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap lookup definition are used internally by the OIM adapter to copy the Unique Id value of an AD account to the SSO GUID field of the EBS UM account.

The following is the format of entries in this lookup definition:

  • Code Key: Name of the field in the target system that must be populated with a value from a corresponding field in AD

  • Decode: Corresponding field name in AD

Table 3-10 lists the default entries in this lookup definition.

Table 3-10 Entries in the Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap Lookup Definition

| Code Key | Decode |
| --- | --- |
| Unique Id | SSO GUID |

Reconciliation Scheduled Jobs

When you run the Connector Installer, the scheduled jobs are automatically created in Oracle Identity Manager.

The following sections provide more information:

Scheduled Jobs for Lookup Field Synchronization

Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The following scheduled jobs are used for lookup fields synchronization:

  • Oracle EBS UM Target Applications Lookup Reconciliation

  • Oracle EBS UM Target Responsibilities Lookup Reconciliation

  • Oracle EBS UM Target Roles Lookup Reconciliation

  • Oracle EBS UM Target Security Groups Lookup Reconciliation

You must specify values for the attributes of these scheduled jobs. Table 3-11 describes the attributes of these scheduled jobs. Configuring Scheduled Jobs describes the procedure to configure scheduled jobs.

Table 3-11 Attributes of the Scheduled Jobs for Lookup Field Synchronization

Attribute Description

Code Key Attribute

Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: CODE

Note: Do not change the value of this attribute.

Decode Attribute

Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: DECODE

Note: Do not change the value of this attribute.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: Oracle EBS UM

Lookup Name

Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system.

Depending on the scheduled job that you are using, the default values are as follows:

  • For Oracle EBS UM Target Applications Lookup Reconciliation: Lookup.Oracle EBS UM.Applications

  • For Oracle EBS UM Target Responsibilities Lookup Reconciliation: Lookup.Oracle EBS UM.Responsibilities

  • For Oracle EBS UM Target Roles Lookup Reconciliation: Lookup.Oracle EBS UM.Roles

  • For Oracle EBS UM Target Security Groups Lookup Reconciliation: Lookup.Oracle EBS UM.SecurityGroups

Object Type

Enter the type of object you want to reconcile.

Depending on the scheduled job that you are running, the default value is one of the following:

  • For Oracle EBS UM Target Applications Lookup Reconciliation: __APPLICATIONS__

  • For Oracle EBS UM Target Responsibilities Lookup Reconciliation: __RESPONSIBILITIES__

  • For Oracle EBS UM Target Roles Lookup Reconciliation: __ROLES__

  • For Oracle EBS UM Target Security Groups Lookup Reconciliation: __SECURITY_GROUPS__

Scheduled Job for Target User Reconciliation

The Oracle EBS UM Target User Reconciliation scheduled job is used for user data reconciliation.

You must specify values for the attributes of the Oracle EBS UM Target User Reconciliation scheduled job. Table 3-12 describes the attributes of this scheduled job.

Table 3-12 Attributes of the Oracle EBS UM Target User Reconciliation Scheduled Job

Attribute Description

Filter

Enter the search filter for fetching records from the target system during a reconciliation run.

See Performing Limited Reconciliation for more information.

Sample Value: equalTo('__UID__','1017905')

Incremental Recon Attribute

Enter the name of the target system attribute that holds the timestamp at which the user record was modified.

ITResource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: Oracle EBS UM

Latest Token

This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty.

Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.

Sample value: <Long>1234567890</Long>

Object Type

Enter the type of object you want to reconcile.

Default value: User

Note: User is the only object that is supported. Therefore, do not change the value of the attribute.

Resource Object Name

Enter the name of the resource object that is used for reconciliation.

Default value: Oracle EBS User Management

Scheduled Task Name

Name of the scheduled task that is used for reconciliation.

Default value: Oracle EBS UM Target User Reconciliation

Scheduled Job for Incremental Target User Reconciliation

The Oracle EBS UM Target Incremental User Reconciliation scheduled job is used for incremental reconciliation of user data.

You must specify values for the attributes of the Oracle EBS UM Target Incremental User Reconciliation scheduled job. Table 3-13 describes the attributes of this scheduled job.

Table 3-13 Attributes of the Oracle EBS UM Target Incremental User Reconciliation Scheduled Job

Attribute Description

ITResource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: Oracle EBS UM

Object Type

Enter the type of object you want to reconcile.

Default value: User

Resource Object Name

Enter the name of the resource object that is used for reconciliation.

Default value: Oracle EBS UM User

Scheduled Task Name

Name of the scheduled task that is used for reconciliation.

Default value: Oracle EBS UM Target Incremental User Reconciliation

Sync Token

This attribute must be left blank when you run incremental reconciliation for the first time. This ensures that data about all records from the target system are fetched into Oracle Identity Manager.

After the first reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that are modified since the last reconciliation run ended are fetched into Oracle Identity Manager.

Sample value: <Long>123454502019</Long>

Scheduled Job for Target User Delete Reconciliation

The Oracle EBS UM Target User Delete Reconciliation scheduled job is used for user data reconciliation.

You must specify values for the attributes of the Oracle EBS UM Target User Delete Reconciliation scheduled job.

Table 3-14 describes the attributes of this scheduled job.

Table 3-14 Attributes of the Oracle EBS UM Target User Delete Reconciliation Scheduled Job

Attribute Description

ITResource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: Oracle EBS UM

Object Type

Enter the type of object you want to reconcile.

Default value: User

Resource Object Name

Enter the name of the resource object that is used for reconciliation.

Default value: Oracle EBS UM User

Configuring Scheduled Jobs

You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.

See Scheduled Jobs for Lookup Field Synchronization and Reconciliation for the list of scheduled jobs that you can configure.

To configure a scheduled job:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under System Management, click Scheduler.

  3. Search for and open the scheduled task as follows:

    1. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. On the Job Details tab, you can modify the following parameters:

    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

Configuring Reconciliation

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system.

This section provides details on the following topics related to configuring reconciliation:

Reconciliation Queries

The User Management connector is configured to perform target resource reconciliation with the target system. Data from newly created and updated target system records is brought to Oracle Identity Manager and used to create and update Oracle E-Business Suite resources provisioned to OIM Users.

A SQL query is used to fetch target system records during reconciliation. All predefined SQL queries that are required to perform reconciliation are stored in the search.properties file. The search.properties file is a common file for all EBS Suite connectors. In other words, the search.properties file contains the queries for the EBS UM, HRMS Target, and HRMS Trusted connectors.

When you run a scheduled job, the connector locates the corresponding SQL query in the search.properties file and then runs it on the target system database. Target system records that meet the query criteria are returned to Oracle Identity Manager.

Depending on your requirements, you can modify existing queries or add your own query in the search.properties file. This is discussed later in this guide.

Information in the search.properties file is virtually divided into two parts. The first part lists entries containing the SQL query names in the following format:

OBJ_NAME.OP_NAME.MODE=QUERY_NAME

In this format:

  • OBJ_CLASS is the name of the object class on which the reconciliation operation must be performed.

  • OP_NAME is the type of reconciliation operation to be performed. A reconciliation operation can be a search op, sync op, or lookup op.

  • QUERY_NAME is the name of the SQL query that is to be run on the target system database.

The second part lists the SQL query names and the corresponding SQL queries.

The following are the entries corresponding to the EBS UM connector in the search.properties file:

  • __ACCOUNT__.search=UM_USER_RECON

    This query is used to reconcile all newly created and modified user records from the target system. The reconciliation operation that is performed is search based.

  • __ACCOUNT__.sync=UM_USER_SYNC

    This query is used to reconcile all newly created and modified user records from the target system. The reconciliation operation that is performed is sync based.

  • __APPLICATIONS__.lookup=LOOKUP_APPLICATION_QUERY

    This query is used to synchronize values in the fnd_application table of the target system with the Lookup.Oracle EBS UM.Applications lookup definition in Oracle Identity Manager.

  • __ROLES__.lookup=LOOKUP_ROLES_QUERY

    This query is used to synchronize values in the fnd_application table of the target system with the Lookup.Oracle EBS UM.Roles lookup definition in Oracle Identity Manager.

  • __RESPONSIBILITIES__.lookup=LOOKUP_RESPONSIBILITY_QUERY

    This query is used to synchronize values in the fnd_responsibility_vl table of the target system with the Lookup.Oracle EBS UM.Responsibilities lookup definition in Oracle Identity Manager.

  • __SECURITY_GROUPS__.lookup=LOOKUP_SECURITY_GROUP_QUERY

    This query is used to synchronize values in the fnd_security_groups table of the target system with the Lookup.Oracle EBS UM.SecurityGroups lookup definition in Oracle Identity Manager.
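Because the connector runs whatever SQL a mapping points to, a modified search.properties file is worth checking before it is deployed. The following Python script is an added example, not Oracle's code: it checks that every mapping resolves to a defined query and that each query only reads. It assumes the second part of the file uses QUERY_NAME=SQL lines; the SQL text and table names in the sample are constructed.

```python
import re

OPS = {"search", "sync", "lookup"}  # operation types named on this page
WRITE_WORDS = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|TRUNCATE|CREATE|GRANT|EXECUTE)\b",
    re.IGNORECASE,
)

# Constructed sample. The four mapping lines use names listed above; the SQL
# text, the table names and the NAME=SQL layout of part two are assumptions.
SAMPLE = """\
# part one: OBJ.OP[.MODE]=QUERY_NAME
__ACCOUNT__.search=UM_USER_RECON
__ACCOUNT__.sync=UM_USER_SYNC
__APPLICATIONS__.lookup=LOOKUP_APPLICATION_QUERY
__ROLES__.lookup=LOOKUP_ROLES_QUERY
# part two: QUERY_NAME=SQL
UM_USER_RECON=SELECT user_id, user_name FROM constructed_user_view
UM_USER_SYNC=SELECT user_id, user_name FROM constructed_user_view \\
    WHERE last_update_date > :token
LOOKUP_APPLICATION_QUERY=SELECT app_id, app_name FROM constructed_app_view
"""


def parse_properties(text):
    """Minimal .properties reader: comments, key=value, backslash continuations."""
    entries, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def split_entries(entries):
    """Separate OBJ.OP[.MODE] mappings from QUERY_NAME=SQL definitions."""
    mappings, queries = {}, {}
    for key, value in entries.items():
        parts = key.split(".")
        if len(parts) in (2, 3) and parts[1] in OPS:
            mappings[key] = value
        else:
            queries[key] = value
    return mappings, queries


def audit(text):
    """Return a list of (kind, subject, detail) findings for human review."""
    mappings, queries = split_entries(parse_properties(text))
    findings = []
    for key, name in sorted(mappings.items()):
        if name not in queries:
            findings.append(("undefined-query", key, name))
    referenced = set(mappings.values())
    for name, sql in sorted(queries.items()):
        if name not in referenced:
            findings.append(("unreferenced-query", name, ""))
        first = sql.split(None, 1)[0].upper() if sql else ""
        if first not in ("SELECT", "WITH"):
            findings.append(("not-a-select", name, first))
        # Word boundaries keep column names such as last_update_date from
        # matching UPDATE. A keyword inside a string literal still matches,
        # which is acceptable for a check that only asks for a second look.
        hit = WRITE_WORDS.search(sql)
        if hit:
            findings.append(("write-keyword", name, hit.group(1).upper()))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
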

Reconciliation Rules

The following sections provide information about the reconciliation rules for this connector:

Reconciliation Rule for Target Resource Reconciliation

The following is the process-matching rule:

Rule name: Oracle EBS User

Rule element: User Login Equals User Name

In the rule element:

  • User Login is the User ID field of the OIM User form.

  • User Name is the __NAME__ field of the target system.

Viewing Reconciliation Rules for Target Resource Reconciliation

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Development Tools.
  3. Double-click Reconciliation Rules.
  4. Search for the Oracle EBS User rule name.

    Figure 3-1 shows the reconciliation rule for target resource reconciliation.

    Figure 3-1 Reconciliation Rule for Target Resource Reconciliation


Reconciliation Action Rules

The following sections provide information about the reconciliation rules for this connector:

Target Resource Reconciliation Action Rule for the EBS User Management Connector

Table 3-15 lists the action rules for target resource reconciliation.

Table 3-15 Action Rules for Target Resource Reconciliation

| Rule Condition | Action |
| --- | --- |
| No Matches Found | None |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See the following sections in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about setting or modifying a reconciliation action rule:

Viewing Reconciliation Action Rules for Target Resource Reconciliation in the Design Console

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Resource Management.
  3. Double-click Resource Objects.
  4. Search for and open the Oracle EBS User Management resource object.
  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 3-2 shows the reconciliation action rule for target resource reconciliation.

    Figure 3-2 Reconciliation Action Rules for Target Resource Reconciliation


Performing Full and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.

To perform full reconciliation, ensure that no values are specified for the Latest Token and Filter attributes of the scheduled jobs for reconciling user records.

In incremental reconciliation, only records created or modified after the latest date/timestamp at which the last reconciliation was run are considered for reconciliation. To perform incremental reconciliation, configure and run the scheduled job for incremental reconciliation. The first time you run the scheduled job for incremental reconciliation, note that a full reconciliation is performed.

Performing Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled job attribute) that allows you to use any of the Oracle EBS User Management resource attributes to filter the target system records.

When you specify a value for the Filter attribute, only the target system records that match the filter criterion are reconciled into Oracle Identity Manager. If you do not specify a value for the Filter attribute, then all the records in the target system are reconciled into Oracle Identity Manager.

You specify a value for the Filter attribute while configuring the user reconciliation scheduled job. The following are a few examples of the values for the Filter attribute:

  • To reconcile all target system accounts whose user name is like 'jo*', use the filter startsWith('user_name', 'jo').

  • To reconcile all target system accounts whose email address is like '*@example.com', use the filter endsWith('EMAIL_ADDRESS', '@example.com').

  • To reconcile all target system accounts whose start date is later than 1st August, 2015, use the filter greaterThan('START_DATE', 1438367400000). Note that the date value must be specified in milliseconds.

For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

Performing Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid these problems.

To configure batched reconciliation, you must specify a value for the batchSize parameter of the IT resource. Use this parameter to specify the number of records that must be included in each batch. By default, this value is set to 1000.

Configuring Provisioning

Provisioning Procedures

Provisioning involves management of user accounts and assignment of responsibilities and roles to users in the target system. When you allocate (or provision) an Oracle E-Business Suite resource to an OIM User, the operation results in the creation of an account on Oracle E-Business Suite for that user. Similarly, when you update the resource on Oracle Identity Manager, the same update is made to the account on the target system.

The connector uses stored procedures for performing provisioning operations. These stored procedures are available in the wrapper packages of the target system. Information about all stored procedures used for performing provisioning operations is defined in the Procedures.properties file. The same file contains stored procedures information for both the EBS UM and HRMS Target connectors.

When you perform a provisioning operation, the connector locates the corresponding stored procedure in the Procedures.properties file and then runs it on the target system to complete the provisioning operation.

Depending on your requirements, you can modify existing stored procedures or add your own stored procedures to the Procedures.properties file. This is discussed later in the guide.

The first property in the Procedures.properties file, DB.PACKAGES, lists all the wrapper packages that are used during connector operations. The subsequent entries in this file are in the following format:

OBJ_NAME.OP_NAME.TCA_TYPE=WRAPPER_PCKG.STORED_PROC

In this format:

  • OBJ_NAME is the name of the object on which the provisioning operation must be performed.

  • OP_NAME is the type of provisioning operation to be performed. For example, a provisioning operation can be either create, update, delete, enable, or disable.

  • TCA_TYPE is the type of TCA record, whether party or supplier. TCA_TYPE is present only for entries corresponding to TCA record provisioning.

  • WRAPPER_PCKG is the name of the wrapper package.

  • STORED_PROC is the name of the stored procedure in the wrapper package that is to be run on the target system to complete the provisioning operation.

The following are the entries corresponding to the EBS UM connector in the Procedures.properties file:

  • Entries corresponding to the __ACCOUNT__ object:

    • __ACCOUNT__.create=OIM_FND_USER_TCA_PKG.CREATEUSER

      In this entry, the CREATEUSER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Create User provisioning operation against the __ACCOUNT__ object.

    • __ACCOUNT__.create.userparty=OIM_FND_USER_TCA_PKG.CREATEUSERPARTY

      In this entry, the CREATEUSERPARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for creating a user record with an existing TCA record.

    • __ACCOUNT__.validatepartyandperson=OIM_FND_USER_TCA_PKG.VALIDATEPARTYANDPERSON

      In this entry, the VALIDATEPARTYANDPERSON stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for validating person and party records before creating an account.

    • __ACCOUNT__.update=OIM_FND_USER_TCA_PKG.UPDATEUSER

      In this entry, the UPDATEUSER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update provisioning operation against the __ACCOUNT__ object.

    • __ACCOUNT__.enable=OIM_FND_USER_TCA_PKG.ENABLEUSER

      In this entry, the ENABLEUSER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for enabling the user account of the __ACCOUNT__ object.

    • __ACCOUNT__.disable=OIM_FND_USER_TCA_PKG.DISABLEUSER

      In this entry, the DISABLEUSER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for disabling the user account of the __ACCOUNT__ object.

    • __ACCOUNT__.update.username=OIM_FND_USER_TCA_PKG.CHANGE_USER_NAME

      In this entry, the CHANGE_USER_NAME stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update user name provisioning operation against the __ACCOUNT__ object.

    • __ACCOUNT__.update.password=OIM_FND_USER_TCA_PKG.CHANGEPASSWORD

      In this entry, the CHANGEPASSWORD stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update user password provisioning operation against the __ACCOUNT__ object.

    • __ACCOUNT__.update.userparty=OIM_FND_USER_TCA_PKG.UPDATEUSERPARTY

      In this entry, the UPDATEUSERPARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update user party provisioning operation against the __ACCOUNT__ object.

    • __ACCOUNT__.delete=OIM_FND_USER_TCA_PKG.REVOKEUSER

      In this entry, the DELETE_PERSON_API stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Delete provisioning operation against the __ACCOUNT__ object.

    • __ACCOUNT__.create.supplier=OIM_FND_USER_TCA_PKG.CREATE_SUPPLIER

      In this entry, the CREATE_SUPPLIER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Create Supplier provisioning operation against the __ACCOUNT__ object.

    • __ACCOUNT__.create.supplier_contact=OIM_FND_USER_TCA_PKG.CREATE_SUPPLIER_CONTACT

      In this entry, the CREATE_SUPPLIER_CONTACT stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Create Supplier Contact provisioning operation against the __ACCOUNT__ object.

    • __ACCOUNT__.create.supplier_secattr=OIM_FND_USER_TCA_PKG.CREATE_SUPPLIER_SECURITY_ATTRS

      In this entry, the CREATE_SUPPLIER_SECURITY_ATTRS stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Create Security Attributes provisioning operation against the __ACCOUNT__ object.

    • __ACCOUNT__.create.linkuser=OIM_FND_USER_TCA_PKG.LINK_USER_PARTY

      In this entry, the LINK_USER_PARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for linking a user record with an existing party record. The LINK_USER_PARTY stored procedure is invoked soon after the CREATEUSERPARTY stored procedure.

    • __ACCOUNT__.create.party=OIM_FND_USER_TCA_PKG.CREATE_PARTY

      In this entry, the CREATE_PARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for creating a new party record.

    • __ACCOUNT__.update.party=OIM_FND_USER_TCA_PKG.UPDATE_PARTY

      In this entry, the UPDATE_PARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update Party record provisioning operation against the __ACCOUNT__ object.

  • Entries corresponding to child objects:

    • __RESPONSIBILITY__.add=OIM_FND_USER_TCA_PKG.ADDRESP

      In this entry, the ADDRESP stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for adding responsibilities for the __ACCOUNT__ object.

    • __RESPONSIBILITY__.remove=OIM_FND_USER_TCA_PKG.DELRESP

      In this entry, the DELRESP stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for removing responsibilities for the __ACCOUNT__ object.

    • __ROLE__.add=OIM_FND_USER_TCA_PKG.PROPAGATEUSERROLE

      In this entry, the PROPAGATEUSERROLE stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for adding roles for the __ACCOUNT__ object.

    • __ROLE__.remove=OIM_FND_USER_TCA_PKG.REVOKEUSERROLE

      In this entry, the REVOKEUSERROLE stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for removing roles for the __ACCOUNT__ object.
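
Because each entry decides which stored procedure the connector runs on the target system, a customized Procedures.properties file is worth comparing with the shipped copy. The following Python check is an added example, not part of the connector or of the Oracle documentation; the function names, the comma-separated form of DB.PACKAGES, and the XX_CUSTOM_PKG.GRANT_ROLE entry are assumptions, and both file excerpts are constructed.

```python
import re

# Key: OBJ_NAME.OP_NAME with an optional third part such as a TCA type.
KEY_RE = re.compile(r"^(__[A-Z]+__)\.([a-z]+)(?:\.([a-z_]+))?$")
# Value: WRAPPER_PCKG.STORED_PROC as two unquoted Oracle identifiers.
VALUE_RE = re.compile(r"^([A-Z][A-Z0-9_$#]*)\.([A-Z][A-Z0-9_$#]*)$")

# Constructed excerpt of the shipped file, using entries listed above.
SHIPPED = """\
DB.PACKAGES=OIM_FND_USER_TCA_PKG
__ACCOUNT__.create=OIM_FND_USER_TCA_PKG.CREATEUSER
__ACCOUNT__.update.password=OIM_FND_USER_TCA_PKG.CHANGEPASSWORD
__ACCOUNT__.delete=OIM_FND_USER_TCA_PKG.REVOKEUSER
__RESPONSIBILITY__.remove=OIM_FND_USER_TCA_PKG.DELRESP
__ROLE__.add=OIM_FND_USER_TCA_PKG.PROPAGATEUSERROLE
"""
# Constructed deployed copy: a value without a package, a swapped procedure,
# a dropped entry, and a hypothetical package XX_CUSTOM_PKG that is undeclared.
DEPLOYED = """\
DB.PACKAGES=OIM_FND_USER_TCA_PKG
__ACCOUNT__.create=OIM_FND_USER_TCA_PKG.CREATEUSER
__ACCOUNT__.update.password=CHANGEPASSWORD
__ACCOUNT__.delete=OIM_FND_USER_TCA_PKG.DISABLEUSER
__ROLE__.add=XX_CUSTOM_PKG.GRANT_ROLE
"""

def parse(text):
    """Return (declared packages, {key: value}) for a properties text."""
    packages, entries = set(), {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or properties comment
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "DB.PACKAGES":
            # Assumption: the package names are comma-separated.
            packages = {p.strip() for p in value.split(",") if p.strip()}
        else:
            entries[key] = value
    return packages, entries

def audit(deployed_text, shipped_text):
    """Return sorted (key, issue) pairs for the deployed file."""
    packages, deployed = parse(deployed_text)
    shipped = parse(shipped_text)[1]
    findings = [(k, "shipped entry missing") for k in shipped.keys() - deployed.keys()]
    for key, value in deployed.items():
        target = VALUE_RE.match(value)
        if not KEY_RE.match(key) or not target:
            findings.append((key, "malformed entry"))
            continue
        if target.group(1) not in packages:
            findings.append((key, "package not listed in DB.PACKAGES"))
        if key not in shipped:
            findings.append((key, "entry not in shipped file"))
        elif shipped[key] != value:
            findings.append((key, "procedure changed from " + shipped[key]))
    return sorted(findings)
```

Calling audit(DEPLOYED, SHIPPED) reports the swapped delete procedure, the malformed password entry, the missing responsibility entry, and the undeclared package behind the role entry.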

Provisioning Functions

Table 3-16 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.

Table 3-16 Provisioning Functions

Function                    Adapter
Add Child Data              adpEBSUMADDCHILDDATA
Create                      adpEBSUMCREATE
Delete                      adpEBSUMDELETE
Disable User                adpEBSUMDISABLEUSER
Enable User                 adpEBSUMENABLEUSER
Remove Child Data           adpEBSUMREMOVECHILDDATA
Update Child Data           adpEBSUMUPDATECHILDDATA
Update Single Attributes    adpEBSUMUPDATESINGLEATTRIBUTE
User Bulk Update            adpEBSUMUSERBULKUPDATE

Performing Provisioning Operations in Oracle Identity Manager

To perform provisioning operations in Oracle Identity Manager:

  1. Log in to the Oracle Identity Administrative and User console.

  2. Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance created in Associating the Form with the Application Instance, and then click Checkout.

  5. Specify values for the fields in the application form and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.

Provisioning Operations Performed in an SoD-Enabled Environment

Provisioning a resource for an OIM User involves using Oracle Identity Governance to create an Oracle E-Business Suite User Management account for the user.

The following are the types of provisioning operations:

  • Direct provisioning

  • Provisioning triggered by policy changes

Overview of the Provisioning Process in an SoD-Enabled Environment

The following is the sequence of steps that take place during a provisioning operation performed in an SoD-enabled environment:

  1. The provisioning operation triggers the appropriate adapter.

  2. The adapter carries provisioning data to the corresponding API on the target system.

  3. If you select an account or entitlements to be provisioned to the OIM User, then the SoD check is initiated. The SoDChecker task submits the User Account and Entitlements details in the form of a Duties list to Oracle Application Access Controls Governor. In other words, the SoD validation process takes place asynchronously.

  4. The Web service of Oracle Application Access Controls Governor receives the entitlement data.

  5. After Oracle Application Access Controls Governor runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Governance.

  6. The status of the process task that received the response depends on the response. If the entitlement data clears the SoD validation process, then the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns the failure response, then the status of the process task changes to Canceled.

Direct Provisioning in an SoD-Enabled Environment

The procedure for direct provisioning in an SoD-enabled environment is similar to the procedure for direct provisioning in a typical environment.

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    1. On the Identity Manager - Self Service page, click Administration.

    2. On the Welcome to Identity Administration page, in the Users section, click Create User.

    3. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the drop-down list on the left pane.

    2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. On the user details page, click the Resources tab.

  5. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  6. On the Step 1: Select a Resource page, select the resource that you want to provision from the list and then click Continue.

  7. On the Step 2: Verify Resource Selection page, click Continue.

  8. On the Step 3: Provide Resource Data page for process data, enter the details of the account that you want to create on the target system and then click Continue.

  9. On the Step 3: Provide Process Data page for role data, specify the role name for the account, and then click Add. If you want to add more than one role, repeat the process. Then, click Continue.

  10. On the Step 4: Verify Process Data page, verify the data that you have provided and then click Continue.

  11. The "Provisioning has been initiated" message is displayed. To view the newly provisioned resource, perform one of the following steps:

    1. Close the window displaying the "Provisioning has been initiated" message.

    2. On the Accounts tab of the user details page, click Refresh to view the newly provisioned resource.

  12. To view the process form, on the Accounts tab of the user details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.

    Note:

    If Oracle Identity Governance is not SoD enabled, then the SOD Check Status field shows SODCheckNotInitiated.

  13. To view the Resource Provisioning Details page, on the Accounts tab of the user details page, select Resource History.

    Note:

    SoD validation by Oracle Application Access Controls Governor is asynchronous. The validation process returns a result as soon as it is completed.

  14. After the SoD validation process is initiated, the results of the process are brought to Oracle Identity Governance. To view the process form, on the Accounts tab of the User Details page, select the row displaying the newly provisioned resource, and then click Open. The Edit Form page is displayed.

    On this page, the SOD Check Status field shows SoDCheckCompleted. Because a violation was detected by the SoD engine in this particular example, the SoD Check Violation field shows the details of the violation.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    On this page, the status of the Add User Role tasks is Canceled because the request failed the SoD validation process.

  15. As the administrator assigning a resource to a user, you can either end the process when a violation is detected or modify the assignment data and then resend it. To modify the assignment data, on the Resource tab of the user details page, select the row containing the resource, and then click Open.

  16. In the Edit Form window that is displayed, you can modify the role and profile data that you had selected earlier.

    Note:

    To modify a set of entitlements in the Edit Form window, you must first remove all entitlements and then add the ones that you want to use.

  17. After the SoD validation process is initiated, the results of the process are brought to Oracle Identity Governance. On the Accounts tab of the user details page, select the row containing the resource, and then click Open. The process form is displayed.

    On this form, the SOD Check Status field shows SoDCheckCompleted. Because no violation was detected by the SoD engine, the SoDCheckResult field shows Passed.

    In addition, the Resource Provisioning Details page shows the status of the SODChecker and Holder tasks as Completed.

    On the Resource Provisioning Details page, the state of the Add Role to User task is Completed.

Uninstalling the Connector

Uninstalling the connector deletes all the account-related data associated with the resource objects of the connector.

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.