3 Configuring the Database Application Tables Connector
While creating an application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.
3.1 Basic Configuration Parameters
These are the connection-related parameters that Oracle Identity Governance requires to connect to the target. These parameters are common for both target applications and authoritative applications.
Table 3-1 Parameters in the Basic Configuration Section
Parameter | Type | Mandatory? | Required for JDBC Driver Configuration? | Required for DataSource Configuration? | Default Value | Description |
---|---|---|---|---|---|---|
host | String | Yes | Yes, when %h | No | NA | Host name or IP address of the computer hosting the target system.
Sample value: |
port | String | Yes | Yes, when %p | No | NA | Enter the number of the port at which the target system database is listening.
Sample value: |
database | String | Yes | Yes, when %d | No | NA | Name of the target database.
Sample value: |
jdbcDriver | String | No | Yes | No | NA | JDBC driver class name.
Sample value for Oracle database: Sample value for MySQL: Sample value for MS SQL: Sample value for DB2: |
jdbcUrlTemplate | String | No | Yes(%h, %p, and, %d) | Yes
Provide the value as NA when DataSource is configured. |
NA | JDBC URL template of the target database. The value that you specify depends on
the database product that you are using.
Sample value
for Oracle database with SID:
Sample
value for Oracle database with Service Name:
Sample value for MySQL:
Sample value for MS SQL:
Sample value for DB2:
|
user | String | Yes | Yes | Yes for Oracle Database
No for other databases |
NA | User ID of the database user account that Oracle Identity Governance uses to connect to the target system.
Sample value: |
password | String | Yes | Yes | No | NA | Password of the database user account that Oracle Identity Governance uses to connect to the target system.
Sample value: |
table | String | Yes | Yes | Yes | NA | Name of the parent table or view that contains user records.
Sample value: |
keyColumn | String | Yes | Yes | Yes | NA | Name of the column that uniquely identifies each row in the parent table.
Sample value: |
passwordColumn | String | No | No | No | NA | Name of the column in the parent table that holds the passwords of the target system records. This is an optional parameter.
Note: The value for this parameter is the same as the value specified for the passwordColumn property in the Config entry. You cannot change the value in the IT resource. Sample value: |
statusColumn | Boolean | No | No | No | NA | Name of the column in the target system that holds the status of a user record. You must specify a value for this attribute only if both the following conditions are true:
Sample value: |
enableValue | String | No | No | No | NA | Value used on the target system that depicts that a user record is in the enabled status.
Sample value: |
disableValue | String | No | No | No | NA | Value used on the target system that depicts that a user record is in the disabled status.
Sample value: |
relationTables | String | No | No | No | NA | A comma-separated list of child table names when user data is spread across parent and child tables.
Sample value: |
Connector Server Name | String | No | No | No | NA | Name of the connector server IT resource.
Sample value: |
validConnectionQuery | String | No | No | No | NA | If no value is specified for this property, then the connection is validated by switching the auto commit mode. For example, you might have the following query, which might be more efficient for some databases:
|
changeLogColumn | String | No | No | No | NA | Name of the column where the last update-related, non-decreasing, value is stored. Can be a number or a timestamp.
The data type of this column can be any of the data types supported by the target system. However, if you are using Oracle Database, then data types such as BLOB, CLOB, and LONG are not supported. See Supported Data Types for information about data types supported for your target system. The values in this column are used during incremental reconciliation to determine the newest or youngest record reconciled from the target system. Note: You must specify a value for this property if you want to perform incremental reconciliation. |
customizedQuery | String | No | No | No | NA | A WHERE clause in a SQL query specifying the subset of newly added or modified records that you want to reconcile. The WHERE clause can contain relations to other tables or views. |
allNative | Boolean | No | No | No | false | If value of this property is false , then attribute data is converted to Strings by using the JDBC driver.
Set the value of this property to The new Date format and Timestamps format invalidate this setup. |
dateformat | String | No | No | No | dd/MM/yyyy | Allows the user to format how date data is converted to strings.
Specifying a value for this parameter invalidates the allNative parameter. |
timestampFormat | String | No | No | No | dd/MM/yyyy HH:mm:ss:SSS | Allows the user to format how timestamp data is converted to strings. Specifying this property invalidates the nativeTimestamps and allNative properties. |
nativeTimestamps | Boolean | No | No | No | false | If the value of this property is set to false , then timestamp data is read as Strings, which can cause a loss of time in milliseconds.
If the value of this property is set to |
enableEmptyString | Boolean | No | No | No | false | Set to true if you want to enable support for writing an empty string instead of a NULL value.
Set to Note: This property can be applied only to mandatory String attributes |
quoting | String | No | No | No | None | Column quoting property (such as None, Single, Double, Back, or Brackets ) that best fits your target system database.
Column names are displayed between single quotes, double quotes, back quotes, or brackets in the generated SQL when accessing the database. |
jdbcDriver | String | No | Yes | No | NA | JDBC driver class name.
Sample value for SAP HANA DB:
|
jdbcUrlTemplate | String | No | Yes | No | NA | JDBC URL template of the target database.
Sample value for SAP
HANA DB:
|
rethrowAllSQLExceptions | Boolean | No | No | No | false | Set to false if SQL exceptions with a zero (0x00) error code must be considered a success. In other words, SQL exceptions with the zero error code are caught and suppressed by the SQL statement. Otherwise, set to true .
|
3.2 Advanced Settings Parameters
These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.
Note:
Unless specified, the parameters in the table are applicable to both target and authoritative applications.
Table 3-2 Advanced Setting Parameters
Parameter | Mandatory? | Required for JDBC Driver Configuration? | Required for DataSource Configuration? | Default Value | Description |
---|---|---|---|---|---|
Connector Name | Yes | Yes | Yes | org.identityconnectors.databasetable.DatabaseTableConnector |
This parameter holds the name of the connector class. |
Connector Bundle | Yes | Yes | Yes | org.identityconnectors.databasetable |
This parameter holds the name of the connector bundle package. |
Connector Version | Yes | Yes | Yes | 12.3.0 |
This parameter holds the version of the connector bundle class. |
Pool Max Idle | No | No | No | 10 | Maximum number of idle objects in a pool. |
Pool Max Size | No | No | No | 10 | Maximum number of connections that the pool can create. |
Pool Max Wait | No | No | No | 150000 | Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. |
Pool Min Evict Idle Time | No | No | No | 120000 | Minimum time, in milliseconds, the connector must wait before evicting an idle object. |
Pool Min Idle | No | No | No | 1 | Minimum number of idle objects in a pool. |
datasource | No | No | Yes | NA | Data source name for the data source naming properties.
Sample value: jdbc/operationsDB |
jndiProperties | No | No | Yes | NA | Properties used to establish a connection with the target system by using JDBC drivers, enable additional connection properties, or look up a DataSource using JNDI.
Sample value:
|
createScript | No | No | No | None |
This property is present only in the section for target resource configuration. Specify a value for this property only if you want to configure the connector to use custom stored procedures or SQL statements rather than default SQL statements for performing provisioning operations. Enter the Groovy script or the file URL of the Groovy script created for the create user account provisioning operation. When this script is called, the parent form data is added. You must enter the file URL in the following format:
Sample value: |
updateSript | No | No | No | None |
This property is present only in the section for target resource configuration. Specify a value for this property only if you want to configure the connector to use custom stored procedures or SQL statements rather than default SQL statements for performing provisioning operations. Enter the Groovy script or the file URL of the Groovy script created for the update user account provisioning operation. This script is called when you update the parent form, or enable or disable the user account. You must enter the file URL in the following format:
Sample value: |
deleteScript | No | No | No | None |
This property is present only in the section for target resource configuration. Specify a value for this property only if you want to configure the connector to use custom stored procedures or SQL statements rather than default SQL statements for performing provisioning operations. Enter the Groovy script or the file URL of the groovy script created for the delete user account provisioning operation. This script is called when you remove or delete an account without child data. You must enter the file URL in the following format:
Sample value: |
executeQueryScript | No | No | No | None |
Specify a value for this property only if you want to configure the connector to use custom stored procedures or SQL queries rather than default SQL queries to perform reconciliation. Enter the Groovy script or the file URL of the Groovy script created for reconciliation. The connector delegates the reconciliation operation to the Groovy script, which is responsible for passing the information (connector object) to the callback handler. This script is called while performing an account search (operations such as full and filtered reconciliation). You must enter the file URL in the following format:
Sample value: |
lookupScript | No | No | No | None |
This property is present only in the section for target resource configuration. Specify a value for this property only if you want to configure the connector to use custom stored procedures or SQL queries rather than default SQL queries to perform lookup field synchronization. Enter the Groovy script or the file URL of the Groovy script created for lookup field synchronization. You must enter the file URL in the following format:
Sample value: |
syncScript | No | No | No | None |
Specify a value for this property only if you want to configure the connector to use custom stored procedures or SQL queries rather than default SQL queries to perform incremental reconciliation. Enter the Groovy script or the file URL of the Groovy script created for incremental reconciliation. You must enter the file URL in the following format:
Sample value: |
addMultiValuedAttributeScript | No | No | No | None |
This property is present only in the section for target resource configuration. Specify a value for this property only if you want to configure the connector to use custom stored procedures or SQL statements rather than default SQL statements for performing provisioning operations. Enter the Groovy script or the file URL of the Groovy script created for the add multivalued attribute provisioning operation. This script is called when you add multivalued child attributes. You must enter the file URL in the following format:
Sample value: file:///home/jdoe/dbat/scripts/add_mulval_attr.groovy |
removeMultiValuedAttributeScript | No | No | No | None |
This property is present only in the section for target resource configuration. Specify a value for this property only if you want to configure the connector to use custom stored procedures or SQL statements rather than default SQL statements for performing provisioning operations. Enter the Groovy script or the file URL of the Groovy script created for lookup field synchronization. This script is called while removing multivalued child attributes. You must enter the file URL in the following format:
Sample value: |
sapHanaDb | Yes | No | No | NA | This property suggests sapHanaDb parameter support,
if using for sapHanaDb only.
Sample value:
|
3.3 Attribute Mappings for an Oracle Database Target Application
The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system columns. The connector uses these mappings during reconciliation and provisioning operations.
Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Oracle Database columns. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation. By default, there are two schema attributes.
For the DBAT connector, you must manually add the attributes based on the database table in the target application. See Creating a Target Application in Performing Self Service Tasks with Oracle Identity Governance for information about adding attribute mappings.
Table 3-3 Default Attribute Mappings for Oracle DB User Account
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|---|
Unique Id | _UID_ | String | No | No | Yes | yes | No |
Password | _PASSWORD_ | String | No | Yes | No | No | No |
3.4 Rules, Situations, and Responses
Learn about the predefined rules, responses, and situations for target and authoritative applications.
The connector uses these rules and responses for performing reconciliation.
3.4.1 Rules, Situations, and Responses for a Target Application
The connector uses predefined rules, responses, and situations for a target application for performing reconciliation.
3.4.1.1 Predefined Identity Correlation Rules for a Target Application
By default, the Database Application Tables connector provides a simple correlation rule when you create a target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determines the difference between the two repositories, and applies the latest changes to Oracle Identity Governance.
Table 3-4 lists the default simple correlation rule for Database Application Tables connector. If required, you can edit the default correlation rule or add new rules. You can also create complex correlation rules. For more information about adding or editing simple or complex correlation rules, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-4 Predefined Identity Correlation Rule for a Database Application Tables Target Application
Target Attribute | Element Operator | Identity Attribute | Case Sensitive? |
---|---|---|---|
_NAME_ | Equals | User Login | No |
In this identity rule:
- __NAME__ is a single-valued attribute on the target system that identifies the user account.
- User Login is the field on the OIG User form.
Figure 3-1 shows the simple correlation rule for a Database Application Tables target application.
Figure 3-1 Simple Correlation Rule for a Database Application Tables Target Application
Description of "Figure 3-1 Simple Correlation Rule for a Database Application Tables Target Application"
3.4.1.2 Predefined Situations and Responses for a Target Application
The Database Application Tables connector provides a default set of situations and responses when you create a target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 3-5 Predefined Situations and Responses for a Database Application Tables Target Application
Situation | Response |
---|---|
No Matches Found | Assign to Administrator With Least Load |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
Figure 3-2 shows the situations and responses for Database Application Tables that the connector provides by default.
Figure 3-2 Predefined Situations and Responses for a Database Application Tables Target Application
Description of "Figure 3-2 Predefined Situations and Responses for a Database Application Tables Target Application"
3.4.2 Rules, Situations, and Responses for an Authoritative Application
Learn about the predefined rules, responses, and situations for an authoritative application.
The connector uses these rules and responses for performing reconciliation.
3.4.2.1 Predefined Identity Correlation Rules for an Authoritative Application
By default, the Database Application Tables connector provides a simple correlation rule when you create an authoritative application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the authoritative application repository, determines the difference between the two repositories, and applies the latest changes to Oracle Identity Governance.
Table 3-6 lists the default simple correlation rule for Database Application Tables connector. If required, you can edit the default correlation rule or add new rules. You can also create complex correlation rules. For more information about adding or editing simple or complex correlation rules, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-6 Predefined Identity Correlation Rule for a Database Application Tables Authoritative Application
Authoritative Attribute | Element Operator | Identity Attribute | Case Sensitive? |
---|---|---|---|
_UID_ | Equals | User Login | No |
- __UID__ is an attribute on the target system that uniquely identifies the user account.
- User Login is the field on the OIG User form.
Figure 3-3 shows the simple correlation rule for a Database Application Tables authoritative application.
Figure 3-3 Simple Correlation Rule for a Database Application Tables Authoritative application
Description of "Figure 3-3 Simple Correlation Rule for a Database Application Tables Authoritative application"
3.4.2.2 Predefined Situations and Responses for an Authoritative Application
The Database Application Tables connector provides a default set of situations and responses when you create an Authoritative application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 3-7 lists the default situations and responses for a Database Application Tables authoritative application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-7 Predefined Situations and Responses for a Database Application Tables Authoritative Application
Situation | Response |
---|---|
No Matches Found | Create User |
One Entity Match Found | Establish Link |
Figure 3-4 shows the situations and responses for Database Application Tables that the connector provides by default.
Figure 3-4 Predefined Situations and Responses for a Database Application Tables Authoritative Application
Description of "Figure 3-4 Predefined Situations and Responses for a Database Application Tables Authoritative Application"
3.5 Reconciliation Scheduled Jobs
When you run the Connector Installer, scheduled jobs are automatically created in Oracle Identity Governance.
This section discusses the following topics:
3.5.1 Scheduled Job for Lookup Field Synchronization
The RESOURCE Lookup Reconciliation scheduled job is used for lookup field synchronization. You must specify values for the attributes of this scheduled job.
Table 3-8 describes the attributes of the RESOURCE Lookup Reconciliation scheduled job.
Note:
-
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
-
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.
Table 3-8 Attributes of the RESOURCE Lookup Reconciliation Scheduled Job
Attribute | Description |
---|---|
Code Key Attribute |
Enter the name of the attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). The value must be in the following format:
|
Decode Attribute |
Enter the name of the attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). The value must be in the following format:
|
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile records. Default value: |
Lookup Name |
Enter the name of the lookup definition in Oracle Identity Governance that must be populated with values fetched from the target system. Default value: Note: Before you perform lookup field synchronization, the lookup definition name that you specify must exist in Oracle Identity Governance. |
Object Type |
Enter the type of object you want to reconcile. Default value: Note: For lookup field synchronization, the object type must be any object other than "User." |
3.5.2 Attributes of the Scheduled Jobs
This section discusses the attributes of the following scheduled jobs:
3.5.2.1 Scheduled Jobs for Reconciliation of User Records
After you create the connector, the scheduled task for user data reconciliation is automatically created in Oracle Identity Governance. A scheduled job, which is an instance of this scheduled task is used to reconcile user data from the target system. The following scheduled jobs are used for user data reconciliation:
-
RESOURCE Target Resource User Reconciliation
This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector.
-
RESOURCE Trusted Resource User Reconciliation
This scheduled job is used to reconcile user data in the trusted source (identity management) mode of the connector.
You must specify values for the attributes of the user reconciliation scheduled jobs. Table 3-9 describes the attributes of both scheduled jobs.
Table 3-9 Attributes of the User Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
Filter |
Enter the search filter for fetching records from the target system during a reconciliation run. See Performing Limited Reconciliation for more information. |
ITResource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Sample value: |
Object Type |
Enter the type of object you want to reconcile. Sample value: Note: User is the only object that is supported. Therefore, do not change the value of the attribute. |
Resource Object Name |
Enter the name of the resource object that is used for reconciliation. Sample value: |
Scheduled Task Name |
Name of the scheduled task that is used for reconciliation. The default value of this attribute in the RESOURCE Target Resource User Reconciliation scheduled job is RESOURCE The default value of this attribute in the RESOURCE Trusted User Reconciliation scheduled job is |
3.5.2.2 Scheduled Jobs for Reconciliation of Deleted Users Records
After you create the connector, the scheduled task for reconciling data about deleted user records is automatically created in Oracle Identity Governance. A scheduled job, which is an instance of this scheduled task is used to reconcile user data from the target system. The following scheduled jobs are used for reconciliation of deleted user records data:
-
RESOURCE Target Resource User Delete Reconciliation
This scheduled job is used to reconcile data about deleted user records in the target resource (account management) mode of the connector.
-
RESOURCETrusted User Delete Reconciliation
This scheduled job is used to reconcile data about deleted user records in the trusted source (identity management) mode of the connector.
You must specify values for the attributes of the user reconciliation scheduled jobs. Table 3-10 describes the attributes of both scheduled jobs.
Table 3-10 Attributes of the Delete User Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
Filter |
No value should be provided in filter. |
ITResource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Sample value: |
Object Type |
Enter the type of object you want to reconcile. Sample value: Note: User is the only object that is supported. Therefore, do not change the value of the attribute. |
Resource Object Name |
Enter the name of the resource object that is used for reconciliation. Sample value: |
3.5.2.3 Scheduled Jobs for Incremental Reconciliation
When you create a DBAT application, then the scheduled job for incremental reconciliation is automatically created in Oracle Identity Governance. To configure incremental reconciliation, you need to specify a value for the changeLogColumn
property in the Basic Configurations section of the application.
The following scheduled jobs are used for incremental reconciliation:
-
RESOURCE Target Incremental Resource User Reconciliation
This scheduled job is used to perform incremental reconciliation in the target resource (account management) mode of the connector.
-
RESOURCE Trusted Incremental Resource User Reconciliation
This scheduled job is used to perform incremental reconciliation in the trusted source (identity management) mode of the connector.
Table 3-9 describes the attributes of both scheduled jobs.
Table 3-11 Attributes of the Scheduled Jobs for Incremental Reconciliation
Attribute | Description |
---|---|
ITResource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Sample value: |
Object Type |
Enter the type of object you want to reconcile. Default value: Note: User is the only object that is supported. Therefore, do not change the value of the attribute. |
Resource Object Name |
Enter the name of the resource object that is used for reconciliation. Sample value: |
Scheduled Task Name |
Name of the scheduled task that is used for reconciliation. Default value: |
Sync Token |
Depending on the value specified for the changeLogColumn property in the Config entry of the DBATConfiguration.groovy file, this attribute holds one of the following values:
Sample value: Note: - Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. - This attribute stores values in an XML serialized format. |