1 About the Connector
This chapter discusses the following topics:
1.1 Introduction to the Database Application Tables Connector
Oracle Identity Governance (OIG) platform automates access rights management, security, and provisioning of IT resources. Oracle Identity Governance connects users to resources, and revokes and restricts unauthorized access to protect sensitive corporate information. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external and identity-aware applications such as PeopleSoft and MySQL.
In an enterprise setup, many applications in your organization may use relational database tables as a repository for user data. This guide describes the procedure to dynamically generate the connector based on the underlying schema of the database table user store, and to install and use this connector for managing user lifecycle and entitlements from Oracle Identity Governance. After you integrate the tables with Oracle Identity Governance by using the connector, you can use them either as a managed (target) resource or as an authoritative (trusted) source of user data for Oracle Identity Governance.
The connector that you generate is known as a Database Application Tables connector (DBAT connector). The following sample scenario describes the requirement that can be addressed by a DBAT connector:
Example Inc. has some database-driven custom applications. These applications do not have any APIs for identity administration. The company wants to manage the lifecycle of users in these custom applications by using a centralized identity management system such as OIM.
The DBAT connector is one of the solutions to this business problem. Example Inc. can use this connector to enable the exchange of user data between the database and Oracle Identity Governance.
From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment can also be handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users to onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates allowing you to onboard your applications quickly and easily using only a single and simplified UI.
Note:
In this release, the DBAT connector can be deployed either by using application onboarding or the Connector Installer. In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).Note:
In this guide:
-
The database tables and their relation tables that store user data are collectively referred to as the target system.
-
The computer on which the database is installed is referred to as the target system host computer.
-
RELEASE_NUMBER has been used as a placeholder for the current release number of the connector. Therefore, replace all instances of RELEASE_NUMBER with the release number of the connector. For example, 12.2.1.3.0.
1.2 Understanding Target System Discovery in the DBAT Connector
Target systems are identity-aware applications such as databases, Microsoft Active Directory, Siebel and so on that can be managed by Oracle Identity Governance connectors.
In general, there are two broad categories of target systems for which Oracle Identity Governance connectors exist:
-
Predefined target systems: These are target systems that have a static schema and the connector is aware of this schema. This means that connectors for such target systems are shipped with preconfigured metadata or connector artifacts such as IT resource definition, process forms, resource objects, and so on.
-
Discovered target systems: These are target systems for which the schema is not known in advance. For example, a flat file does not have a fixed schema. Each target system can have a totally different schema. The connector is not initially aware of the schema that it is supposed to integrate with and the attributes available.
The DBAT connector is a connector for a discovered target system.
Connectors for discovered target systems are not shipped with any artifacts. They are shipped only with a set of deployment utilities that help in discovering the schema and then generating the artifacts.
Discovery is the process of identifying the underlying schema of your database. You can discover the schema of your database by configuring a groovy file and running the DBAT Generator. This is discussed later in the guide.
1.3 Certified Components
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
| Component | Requirement for AOB Application | Requirement for CI-Based Connector |
|---|---|---|
|
Oracle Identity Governance or Oracle Identity Manager |
You can use one of the following releases of Oracle Identity Governance:
|
You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:
|
|
Target systems |
The target system can be database tables from any one of the following RDBMSs:
|
The target system can be database tables from any one of the following RDBMSs:
|
|
JDBC drivers |
Depending on the target system that you use, download one of the following sets of JDBC drivers from the Vendor's Web site: For IBM DB2:
For Microsoft SQL Server:
For MySQL: mysql-connector-java-5.1.12-bin For Oracle Database or Oracle RAC:
|
Depending on the target system that you use, download one of the following sets of JDBC drivers from the Vendor's Web site: For IBM DB2:
For Microsoft SQL Server:
For MySQL: mysql-connector-java-5.1.12-bin For Oracle Database or Oracle RAC:
|
|
ngdbc |
For SAP HANA DB: Download SAP HANA Database JDBC Driver jar, for example,
|
For SAP HANA DB: Download SAP HANA Database JDBC Driver jar, for example,
|
|
Connector Server |
11.1.2.1.0 or later |
11.1.2.1.0 or later |
|
Connector Server JDK |
JDK 1.6 or later |
JDK 1.6 or later |
|
Format in which user data is stored in the target system |
You can use a Database Application Tables connector only if user data is stored in the target system in any one of the following formats:
|
You can use a Database Application Tables connector only if user data is stored in the target system in any one of the following formats:
|
|
Other requirements of the target system |
The target system must meet the following requirement: If parent and child tables are not joined by a foreign key (for example, if you are using views), then the names of the foreign key columns in both tables must be the same. |
The target system must meet the following requirement: If parent and child tables are not joined by a foreign key (for example, if you are using views), then the names of the foreign key columns in both tables must be the same. |
1.4 Usage Recommendation
These are the recommendations for the Database Application Tables connector version that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.
- If you are using Oracle Identity Governance release 12c (12.2.1.4.0) or 12c (12.2.1.3.0) or later, SAP HANA DB version 2.0 SP 01 or SP 02 or SP 03, then use the 12.2.1.3.A (p30197332_122130_Generic.zip) version of this connector.
- If you are using Oracle Identity Governance release 12c (12.2.1.4.0) or 12c (12.2.1.3.0) or later, SAP HANA DB version 2.0 SP 04 , then use the 12.2.1.3.0 version of this connector.
- If you are using Oracle Identity Governance release 12c (12.2.1.3.0) or later, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.
- If you are using any of the Oracle Identity Manager releases listed in the 'Requirement for CI-Based Connector' column in Table 1-1, then use the latest 11.1.x version of this connector.
- If you want to use the 12.1.x version of this connector, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12c (12.2.1.3.0) or later.
1.5 Certified Languages
The connector will support the languages that are supported by Oracle Identity Manager. Resource bundles are not part of the connector installation media as the resource bundle entries vary depending on the target system being used.
1.6 Supported Data Types
The data types supported for reconciliation and provisioning operations are listed in the following section:
Note:
Complex data types, such as RAW, Binary File, CLOB, and BLOB, are not supported. Any data type that is not supported and is not a complex data type is treated as a String data type.
For IBM DB2 Database:
-
SMALLINT
-
BIGINT
-
INTEGER
-
REAL
-
FLOAT
-
DOUBLE
-
DECIMAL
-
CHARACTER
-
VARCHAR
-
DATE
-
TIMESTAMP
For Microsoft SQL Server:
-
CHAR
-
VARCHAR
-
SMALLINT
-
INT
-
BIGINT
-
DECIMAL
-
NUMERIC
-
NVARCHAR
-
FLOAT
-
REAL
-
SMALLDATETIME
-
DATETIME
For MySQL:
-
BOOL
-
SMALLINT
-
MEDIUMINT
-
INT
-
BIGINT
-
FLOAT
-
DOUBLE
-
DECIMAL
-
CHAR
-
VARCHAR
-
TINYTEXT
-
DATE
-
DATETIME
-
TIMESTAMP
For Oracle Database:
-
VARCHAR2
-
CHAR
-
NUMBER
-
NUMERIC
-
INTEGER
-
INT
-
SMALLINT
-
DOUBLE
-
FLOAT
-
DECIMAL
-
DEC
-
REAL
-
DATE
-
TIMESTAMP
1.7 Connector Architecture
Figure 1-1 shows the architecture of the connector.
The Database Application Tables connector is implemented by using the Identity Connector Framework (ICF). The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering. The ICF is shipped along with Oracle Identity Governance.
The DBAT connector can be configured to run in one of the following modes:
-
Identity reconciliation
In the identity reconciliation mode, the target system is used as the trusted source and users are directly created and modified on it directly outside Oracle Identity Governance.
During reconciliation, a scheduled job establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Governance. The next step depends on the mode of connector configuration.
Each record fetched from the target system is compared with existing OIM Users. If a match is found, then the update made to the record on the target system is copied to the OIM User attributes. If no match is found, then the target system record is used to create an OIM User.
Note:
Trusted reconciliation does not support multivalued attributes, for example, child table entries.
-
Account Management
In the account management mode, the target system is used as a target resource. The connector enables the target resource reconciliation and provisioning operations. Through provisioning operations performed on Oracle Identity Governance, user accounts are created and updated on the target system for OIM Users. During reconciliation from the target resource, the Database Application Tables connector fetches into Oracle Identity Governance data about user accounts that are created or modified on the target system. This data is used to add or modify resources allocated to OIM Users.
During provisioning operations, adapters carry provisioning data submitted through the process form to the target system. APIs on the target system accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Governance.
During reconciliation, a scheduled task calls the connector bundle which gets the data from target and handles it and returns to OIM and associates it based on Recon rule.
Note:
-
It is recommended that you do not configure the target system as both an authoritative (trusted) source and a managed (target) resource.
-
See Installing Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance for detailed information about connector deployment configurations.
1.8 Supported Connector Features Matrix
Provides the list of features supported by the AOB application and CI-based connector.
Table 1-2 Supported Connector Features Matrix
| Feature | AOB Application | CI-Based Connector | Supported Target Systems |
|---|---|---|---|
| Full reconciliation | Yes | Yes | All |
| Incremental reconciliation | Yes | Yes | All |
| Limited (filtered) reconciliation | Yes | Yes | All |
| Both target resource and trusted source reconciliation | Yes | Yes | All |
| Reconciliation of deleted user records | Yes | Yes | All |
| Transformation and validation of account data | Yes | Yes | All |
| Adding user-defined fields for reconciliation and provisioning | Yes | Yes | All |
| Configuring the connector for stored procedures | Yes | Yes | All |
1.9 Features of the Connector
The following are features of the connector:
1.9.1 Full and Incremental Reconciliation
After you create the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Governance. After the first full reconciliation run, you can configure your connector for incremental reconciliation. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.
See Performing Full Reconciliation and Incremental Reconciliation for more information on full and incremental reconciliation.
1.9.2 Limited (Filtered) Reconciliation
To limit or filter the records that are fetched into Oracle Identity Governance during a reconciliation run, you add conditions in the Filter attribute of the scheduled job or in the customizedQuery parameter of the IT resource.
See Performing Limited Reconciliation for more information.
1.9.3 Support for Both Target Resource and Trusted Source Reconciliation
You can use the connector to configure your target system as either a target resource or trusted source of Oracle Identity Governance.
See Reconciliation Scheduled Jobs for more information.
1.9.4 Support for Reconciliation of Deleted User Records
Apart from the scheduled jobs for user records reconciliation, there are independent scheduled jobs for reconciliation of deleted user records. In target resource mode, if a record is deleted on the target system, then the corresponding Database Application Tables resource is revoked from the OIM User. In trusted source mode, if a record is deleted on the target system, then the corresponding OIM User is deleted.
See Scheduled Jobs for Reconciliation of Deleted Users Records for more information about the scheduled jobs used for reconciling deleted user records.
1.9.5 Transformation and Validation of Account Data
You can configure validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning. In addition, you can configure transformation of account data that is brought into Oracle Identity Governance during reconciliation. For more information, see Configuring Transformation and Validation of Data.
1.9.6 Support for Adding User-Defined Fields for Reconciliation and Provisioning
You can create mappings for OIM User fields that are not included in the list of default mappings. These fields can be either a part of the standard set of OIM User fields provided on the target system or user-defined fields that you add to Oracle Identity Governance.
1.9.7 Support for Configuring the Connector for Stored Procedures
The connector runs default SQL queries and statements when you use it to perform reconciliation and provisioning operations. The connector supports calling custom stored procedures to perform connector operations. Instead of these default SQL queries and statements, you can configure the connector to call a script written in the Groovy scripting language, which runs the custom stored procedures.
See Configuring the Connector for Stored Procedures and Groovy Scripts for more information.