You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
This chapter is discusses the following topics:
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.You can configure the connector to specify the type of reconciliation and its schedule.
This section discusses the following topics related to configuring reconciliation:
Reconciliation rules are automatically created when you generate the Generic REST connector.
The following is the format of the rule element:
User Login Equals NameAttribute
User Login is the User ID field on the OIM User form.
NameAttribute is the value of the account qualifier in the schema.properties file that you created in Creating a Schema File.
For example, if the value of the NameAttribute account qualifier is __NAME__, then the rule element is as follows:
User Login Equals__NAME__
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. In incremental reconciliation, only records created or modified after the latest date or timestamp the last reconciliation was run are considered for reconciliation.
After you deploy the connector, you must first perform full reconciliation.
You can perform a full reconciliation run by removing or deleting any value currently assigned to the Filter Suffix attribute and then run the scheduled job for user data reconciliation. See Scheduled Jobs for Reconciliation of User Records for more information about the user reconciliation scheduled job and Filter Suffix attribute.
If the target system contains more number of records than what it can return in a single response, then use the Flat File connector to perform full reconciliation. See Reconciling Large Number of Records.
To perform incremental reconciliation, you must update and run the scheduled job for user data reconciliation to include the following attributes:
Incremental Recon Attribute — Name of the target system attribute that holds the time stamp at which the record was last modified. The value in this attribute is used to determine the newest or latest record reconciled from the target system.
Latest Token — Holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. Sample value: 1354753427000
See Updating the User Reconciliation Scheduled Job for Incremental Reconciliation for more information about the scheduled job for incremental reconciliation.
If your target system contains an attribute that holds the timestamp at which an object is created or modified, then you must manually update the user reconciliation schedule job to include attributes for incremental reconciliation.
Note:
See Exporting Deployments and Importing Deployments in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed instructions on performing each of the steps discussed in this procedure.Limited or filtered reconciliation is the process of limiting the number of records being reconciled based on a set filter criteria.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.
You can perform limited reconciliation by creating filters that your target system supports. This connector provides the Filter Suffix attribute (scheduled task attributes) that allows you to use any of the attributes of the target system to filter target system records.
Lookup field synchronization involves obtaining the most current values from specific attributes in the target system to the lookup definitions (used as an input source for lookup fields) in Oracle Identity Manager.
You can perform lookup field synchronization by configuring and running the scheduled jobs for lookup field synchronization.
Scheduled jobs for lookup field synchronization are created only if you have specified a value for the lookupAttributeList entry in the GenericRestConfiguration.groovy file. The names of these scheduled jobs are in the following format:
IT_RES_NAME Target FIELD_NAME Lookup Reconciliation
For every attribute specified in the lookupAttributeList entry, a corresponding scheduled job for reconciling lookup values from the target system is created. This is illustrated by the following example:
Suppose the value of the itResourceDefName entry is GenRest. If the value of the lookupAttributeList entry is ['Roles', 'Groups'],
then the connector creates the following scheduled jobs:
GenRest Target Roles Lookup Reconciliation
GenRest Target Groups Lookup Reconciliation
During a reconciliation run, if the target system contains more number of records than what it can return in a single response, then you must use the Flat File connector to fetch all the records into Oracle Identity Manager.
When you run the Connector Installer, reconciliation scheduled jobs are automatically created in Oracle Identity Manager. You must configure these scheduled jobs to suit your requirements by specifying values for its attributes.
This section discusses the following scheduled jobs that you can configure for reconciliation:
After you generate the connector, scheduled jobs for lookup field synchronization are created only if you have specified a value for the lookupAttributeList entry in the GenericRestConfiguration.groovy file. For every attribute specified in the lookupAttributeList entry, a corresponding scheduled job for reconciling lookup values from the target system is created.
Table 5-1 describes the attributes of the scheduled job for lookup field synchronization.
Table 5-1 Attributes of the Scheduled Job for Lookup Field Synchronization
Attribute | Description |
---|---|
Code Key Attribute |
Enter the name of the attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). |
Decode Attribute |
Enter the name of the attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). |
IT Resource Name |
Name of the IT resource for the target system installation from which you want to reconcile records. The default value of this attribute is the same as the value of the ITResourceDefName entry in the GenericRestConfiguration.groovy file. |
Lookup Name |
Name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. The value for this attribute is populated automatically if you have specified a value for the lookupAttributeList entry while configuring the GenericRestConfiguration.groovy file. The value of this attribute is in the following format: Lookup.${IT_RES_NAME}.${FIELD_NAME} For example, if you have specified Roles as the value of the lookupAttributeList entry, then the value of this attribute is Lookup.GenRestTrusted.Roles. |
Object Type |
Enter the type of object you want to reconcile. Default value: Note: For lookup field synchronization, the object type must be any object other than "User." |
After you generate the connector, the scheduled task for user data reconciliation is automatically created in Oracle Identity Manager. A scheduled job, which is an instance of this scheduled task is used to reconcile user data from the target system.
The following scheduled jobs are used for user data reconciliation:
RESOURCE Target Resource User Reconciliation
This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector.
RESOURCE Trusted Resource User Reconciliation
This scheduled job is used to reconcile user data in the trusted source (identity management) mode of the connector.
Table 5-2 describes the attributes of both scheduled jobs.
Table 5-2 Attributes of the User Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
Filter Suffix |
Enter the search filter for fetching user records from the target system during a reconciliation run. |
IT Resource Name |
Name of the IT resource for the target system installation from which you want to reconcile user records. Sample value: |
Object Type |
Type of object you want to reconcile. Default value: Note: User is the only object that is supported. Therefore, do not change the value of this attribute. |
Resource Object Name |
Name of the resource object that is used for reconciliation. Sample value: |
Scheduled Task Name |
Name of the scheduled task that is used for reconciliation. The default value of this attribute in the RESOURCE Target Resource User Reconciliation scheduled job is RESOURCE The default value of this attribute in the RESOURCE Trusted Resource User Reconciliation scheduled job is RESOURCE |
You create a new user in Oracle Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.
Uninstalling the connector involves deleting data related to the connector from Oracle Identity Manager Database. You use the Uninstall Connectors utility to uninstall a connector.
If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.