6 Using the Database User Management Connector
You can use the Database User Management connector for performing reconciliation and provisioning operations after configuring your application to meet your requirements.
6.1 Guidelines on Configuring Reconciliation
These are the guidelines that you must apply while configuring reconciliation for Oracle Database and MySQL.
-
Before you perform a target resource reconciliation run, you must synchronize the lookup definitions with the lookup fields of the target system. In other words, the scheduled job for lookup field synchronization must be run before user reconciliation runs.
-
After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then rerun the scheduled job without changing the values of the task attributes.
6.2 Configuring Reconciliation
You can configure the connector to specify the type of reconciliation and its schedule.
6.2.1 Configuring Reconciliation for Oracle Database
You can configure the connector to specify the type of reconciliation and its schedule.
6.2.1.1 Performing Full and Incremental Reconciliation from Oracle Database
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.
At the end of the reconciliation run, the Latest Token parameter of the reconciliation job for user record reconciliation is automatically updated. From the next reconciliation run onward, only records created after this time stamp are considered for reconciliation. This is incremental reconciliation.
You can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance.
To perform a full reconciliation run, remove (delete) any value currently assigned to the Latest Token and Filter parameters and run one of the following reconciliation jobs:
-
For an Oracle Database Target application: DBUM Oracle User Target Reconciliation
-
For an Oracle Database Authoritative Application: DBUM Oracle User Trusted Reconciliation
See Reconciliation Jobs for Oracle Database for information about these reconciliation jobs.
For example, the Incremental Recon Attribute maps to the CREATED column in the DBA_USERS table. After the first full reconciliation run, the Latest Token parameter gets populated accordingly. In subsequent reconciliation runs, the connector fetches only the user records that are created after the timestamp in the Latest Token parameter. Users updated after the time-stamp are not fetched.
6.2.1.2 Performing Limited Reconciliation from Oracle Database
You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.
This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the DBUM resource attributes to filter the target system records. You can apply filters to the parent parameters in the reconciliation query file stored in a JAR file in the bundle directory of the connector installation media. For example, to locate the reconciliation query file, you can extract the bundle/org.identityconnectors.dbum-12.3.0.jar
file and open scripts/oracle/Search.queries
.
The following table provides a list of parent parameters that can be used with the Filter attribute of the scheduled jobs:
Parameter | Description |
---|---|
__UID__ |
Unique identity representing the user This parameter is mapped to USERNAME or __NAME__ connector attribute. |
authType |
Authentication type of the user account The value of this parameter must be PASSWORD. |
tablespace |
Default tablespace for user operations |
defaultQuota |
Quota for user operations on default tablespace If no value is specified, the quota is set to unlimited. |
globalDN |
Unique name that identifies a user across an enterprise, if the authentication type is GLOBAL |
__ENABLE__ |
Status of the user account The user is disabled if the value is one of following: LOCKED, EXPIRED, or LOCKED & EXPIRED The list of values for the disabled status is provided in the Lookup.DBUM.Oracle.Configuration lookup definition. |
tempTableSpace |
Temporary tablespace for user operations Quota is always unlimited on temporary tablespace. |
profile |
Profile of the user account |
lastModified |
Last modified time-stamp This parameter is used for incremental reconciliation operations. |
For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
6.2.1.3 Performing Batched Reconciliation from Oracle Database
You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.
During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Governance. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid these problems.
To configure batched reconciliation, you must specify value for the Batch Size reconciliation job parameter. Use this parameter to specify the number of records that must be included in each batch. By default, this value is empty.
If you specify a value other than All
, then some of the newly added or modified user records may not get reconciled during the current reconciliation run. The following example illustrates this:
Suppose you specify the Batch Size value as 200
while configuring the scheduled jobs. Suppose that 314 user records were created or modified after the last reconciliation run. Of these 314 records, only 200 records would be reconciled during the current reconciliation run. The remaining 114 records would be reconciled during the next reconciliation run.
You specify values for the Batch Size parameter by following the instructions described in Configuring Reconciliation Jobs.
6.2.2 Configuring Reconciliation for MySQL
You can configure the connector to specify the type of reconciliation and its schedule.
6.2.2.1 Performing Full Reconciliation from MySQL
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.
To perform a full reconciliation run, remove (delete) any value currently assigned to the Filter parameter and run one of the following reconciliation jobs:
-
For a MySQL Target application: DBUM MySQL User Target Reconciliation
-
For a MySQL Authoritative application: DBUM MySQL User Trusted Reconciliation
See Reconciliation Jobs for MySQL for more information about these scheduled jobs.
6.2.2.2 Performing Limited Reconciliation from MySQL
You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.
This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the DBUM resource attributes to filter the target system records. You can apply filters to the parent parameters in the reconciliation query file stored in a JAR file in the bundle directory of the connector installation media. For example, to locate the reconciliation query file, you can extract the bundle/org.identityconnectors.dbum-12.3.0.jar
file and open scripts/mysql/Search.queries
.
The following table provides the description of the parent parameter that can be used with the Filter attribute of the scheduled jobs:
Parameter | Description |
---|---|
__UID__ |
Unique identity representing the user This parameter is mapped to USERNAME or __NAME__ connector attribute. |
For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
6.2.2.3 Performing Batched Reconciliation from MySQL
You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.
During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Governance. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid these problems.
To configure batched reconciliation, you must specify value for the Batch Size reconciliation scheduled job attribute. Use this attribute to specify the number of records that must be included in each batch. By default, this value is empty.
If you specify a value other than All
, then some of the newly added or modified user records may not get reconciled during the current reconciliation run. The following example illustrates this:
Suppose you specify the Batch Size value as 200
while configuring the scheduled jobs. Suppose that 314 user records were created or modified after the last reconciliation run. Of these 314 records, only 200 records would be reconciled during the current reconciliation run. The remaining 114 records would be reconciled during the next reconciliation run.
You specify values for the Batch Size attribute by following the instructions described in Configuring Reconciliation Jobs.
6.3 Configuring Reconciliation Jobs
Configure reconciliation jobs to perform reconciliation runs that check for new information on your target system periodically and replicates the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
6.4 Guidelines on Performing Provisioning Operations
These are the guidelines that you must apply while performing provisioning operations.
6.4.1 Guidelines on Performing Provisioning Operations for Oracle Database
These are the guidelines that you must apply while performing provisioning operations.
-
Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, run the scheduled jobs for lookup field synchronization before provisioning operations.
-
Passwords for user accounts provisioned from Oracle Identity Governance must adhere to the password policy set in the target system.
-
The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Governance fields.
-
During an update password provisioning operation, ensure that you clear the existing text in the Password field, and then enter the new password.
-
During a Create User provisioning operation, the following are some of the fields that are optional:
-
Default Tablespace
-
Default Tablespace Quota (in MB)
This field is dependent on Default Tablespace. To specify a quota, you must specify a value for Default Tablespace.
-
Temporary Tablespace
-
Profile Name
If you specify a value for any of these fields during a Create User provisioning operation, then you must not leave them empty during an Update User provisioning operation. Otherwise, the provisioning operation will fail. However, you can modify the existing values in these fields.
-
-
For creating password-authenticated database users, you must specify values for the following fields:
-
Username: Enter the name of the database user.
-
Password: Enter the password for the database user.
-
Authentication Type: Specify
PASSWORD
as the value of this lookup field.
-
-
For creating globally-authenticated database users, you must specify a value for the following mandatory fields:
-
Username: Enter the name of the database user.
-
Authentication Type: Specify
GLOBAL
as the value of this lookup field. -
Global DN: Enter the distinguished name (DN) for your organization.
Sample value:
cn=ajones,cn=users,dc=oracle,dc=vm
After you submit the data required, the connector runs the following query to create a globally-authenticated database user:
CREATE USER {__NAME__} IDENTIFIED GLOBALLY AS {globalDN}
-
-
If you specify a value for the Default Tablespace Quota (in MB) field, then enter values in the following format:
TABLESPACE_QUOTA
M
In this format, TABLESPACE_QUOTA is the tablespace quota allocated to the user and M indicates that megabytes is the unit of measurement of quota. The following is a sample value:
300 M
If you want to allocate to a user unlimited quota on a tablespace, then specify the following as the value of the Default Tablespace Quota (in MB) field:
UNLIMITED
6.4.2 Guidelines on Performing Provisioning Operations for MySQL
These are the guidelines that you must apply while performing provisioning operations.
-
Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, run the scheduled jobs for lookup field synchronization before provisioning operations.
-
Passwords for user accounts provisioned from Oracle Identity Governance must adhere to the password policy set in the target system.
-
The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Governance fields.
-
During an update password provisioning operation, ensure that you clear the existing text in the Password field, and then enter the new password.
6.5 Performing Provisioning Operations
You create a new user in Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
- Log in to Identity Self Service.
- Create a user as follows:
- In Identity Self Service, click Manage. The Home tab displays the different Manage option. Click Users. The Manage Users page is displayed.
- From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
- Enter details of the user in the Create User page.
- On the Account tab, click Request Accounts.
- In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
- Specify value for fields in the application form and then click Ready to Submit.
- Click Submit.
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page6.6 Uninstalling the Connector
Uninstalling the connector deletes all the account-related data associated with its resource objects.
If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for ObjectType
and ObjectValues
properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType
property and a semicolon-separated list of object values corresponding to your connector (for example, GoogleApps User; GoogleApps Group) as the value of the ObjectValues
property.
Note:
If you set values for theConnectorName
and Release
properties along with the ObjectType
and ObjectValue
properties, then the deletion of objects listed in the ObjectValues
property is performed by the utility and the Connector information is skipped.
For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.