6 Using the Database User Management Connector

You can use the Database User Management connector for performing reconciliation and provisioning operations after configuring your application to meet your requirements.

6.1 Guidelines on Configuring Reconciliation

These are the guidelines that you must apply while configuring reconciliation for Oracle Database and MySQL.

  • Before you perform a target resource reconciliation run, you must synchronize the lookup definitions with the lookup fields of the target system. In other words, the scheduled job for lookup field synchronization must be run before user reconciliation runs.

  • After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then rerun the scheduled job without changing the values of the task attributes.

6.2 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

6.2.1 Configuring Reconciliation for Oracle Database

You can configure the connector to specify the type of reconciliation and its schedule.

6.2.1.1 Performing Full and Incremental Reconciliation from Oracle Database

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.

At the end of the reconciliation run, the Latest Token parameter of the reconciliation job for user record reconciliation is automatically updated. From the next reconciliation run onward, only records created after this time stamp are considered for reconciliation. This is incremental reconciliation.

You can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance.

To perform a full reconciliation run, remove (delete) any value currently assigned to the Latest Token and Filter parameters and run one of the following reconciliation jobs:

  • For an Oracle Database Target application: DBUM Oracle User Target Reconciliation

  • For an Oracle Database Authoritative Application: DBUM Oracle User Trusted Reconciliation

See Reconciliation Jobs for Oracle Database for information about these reconciliation jobs.

For example, the Incremental Recon Attribute maps to the CREATED column in the DBA_USERS table. After the first full reconciliation run, the Latest Token parameter gets populated accordingly. In subsequent reconciliation runs, the connector fetches only the user records that are created after the timestamp in the Latest Token parameter. Users updated after the timestamp are not fetched.
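The gap described above, as an added example (not connector code): it models the created-after-token selection over constructed DBA_USERS-style rows and lists accounts whose enabled state has drifted but which an incremental run will not re-read. The row layout, OIG_ENABLED and the function names are assumptions of this example.

```python
from datetime import datetime

# Status values the page lists as "disabled" for __ENABLE__.
DISABLED = {"LOCKED", "EXPIRED", "LOCKED & EXPIRED"}


def incremental_fetch(rows, latest_token):
    """Usernames an incremental run reads: CREATED later than the token."""
    return {r["USERNAME"] for r in rows if r["CREATED"] > latest_token}


def stale_accounts(rows, oig_enabled, latest_token):
    """Known accounts whose enabled state differs between the target and the
    governance copy and that the incremental run will not re-read."""
    fetched = incremental_fetch(rows, latest_token)
    stale = []
    for r in rows:
        name = r["USERNAME"]
        if name in fetched or name not in oig_enabled:
            continue
        target_enabled = r["ACCOUNT_STATUS"] not in DISABLED
        if target_enabled != oig_enabled[name]:
            stale.append(name)
    return sorted(stale)


# Constructed sample data: a DBA_USERS-style snapshot and the state held in
# Oracle Identity Governance after the last run (True = enabled).
LATEST_TOKEN = datetime(2024, 3, 1, 2, 0)
TARGET_ROWS = [
    {"USERNAME": "AJONES", "CREATED": datetime(2023, 11, 5), "ACCOUNT_STATUS": "OPEN"},
    # Locked on the target after the last run.
    {"USERNAME": "BSMITH", "CREATED": datetime(2024, 1, 12), "ACCOUNT_STATUS": "LOCKED"},
    # Created after the token, so the incremental run picks it up.
    {"USERNAME": "CLEE", "CREATED": datetime(2024, 3, 2), "ACCOUNT_STATUS": "OPEN"},
    # Unlocked on the target after the last run.
    {"USERNAME": "DKHAN", "CREATED": datetime(2023, 6, 1), "ACCOUNT_STATUS": "OPEN"},
]
OIG_ENABLED = {"AJONES": True, "BSMITH": True, "DKHAN": False}

if __name__ == "__main__":
    print("fetched incrementally:", sorted(incremental_fetch(TARGET_ROWS, LATEST_TOKEN)))
    print("needs full reconciliation:", stale_accounts(TARGET_ROWS, OIG_ENABLED, LATEST_TOKEN))
```

A non-empty second list is the signal to clear the Latest Token and Filter parameters and run the full reconciliation job.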

6.2.1.2 Performing Limited Reconciliation from Oracle Database

You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the DBUM resource attributes to filter the target system records. You can apply filters to the parent parameters in the reconciliation query file stored in a JAR file in the bundle directory of the connector installation media. For example, to locate the reconciliation query file, you can extract the bundle/org.identityconnectors.dbum-12.3.0.jar file and open scripts/oracle/Search.queries.

The following table provides a list of parent parameters that can be used with the Filter attribute of the scheduled jobs:

| Parameter | Description |
|---|---|
| __UID__ | Unique identity representing the user. This parameter is mapped to USERNAME or __NAME__ connector attribute. |
| authType | Authentication type of the user account. The value of this parameter must be PASSWORD. |
| tablespace | Default tablespace for user operations. |
| defaultQuota | Quota for user operations on default tablespace. If no value is specified, the quota is set to unlimited. |
| globalDN | Unique name that identifies a user across an enterprise, if the authentication type is GLOBAL. |
| __ENABLE__ | Status of the user account. The user is disabled if the value is one of the following: LOCKED, EXPIRED, or LOCKED & EXPIRED. The list of values for the disabled status is provided in the Lookup.DBUM.Oracle.Configuration lookup definition. |
| tempTableSpace | Temporary tablespace for user operations. Quota is always unlimited on temporary tablespace. |
| profile | Profile of the user account. |
| lastModified | Last modified timestamp. This parameter is used for incremental reconciliation operations. |

For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

6.2.1.3 Performing Batched Reconciliation from Oracle Database

You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Governance. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid these problems.

To configure batched reconciliation, you must specify a value for the Batch Size reconciliation job parameter. Use this parameter to specify the number of records that must be included in each batch. By default, this value is empty.

If you specify a value other than All, then some of the newly added or modified user records may not get reconciled during the current reconciliation run. The following example illustrates this:

Suppose you specify the Batch Size value as 200 while configuring the scheduled jobs. Suppose that 314 user records were created or modified after the last reconciliation run. Of these 314 records, only 200 records would be reconciled during the current reconciliation run. The remaining 114 records would be reconciled during the next reconciliation run.

You specify values for the Batch Size parameter by following the instructions described in Configuring Reconciliation Jobs.

6.2.2 Configuring Reconciliation for MySQL

You can configure the connector to specify the type of reconciliation and its schedule.

6.2.2.1 Performing Full Reconciliation from MySQL

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.

To perform a full reconciliation run, remove (delete) any value currently assigned to the Filter parameter and run one of the following reconciliation jobs:

  • For a MySQL Target application: DBUM MySQL User Target Reconciliation

  • For a MySQL Authoritative application: DBUM MySQL User Trusted Reconciliation

See Reconciliation Jobs for MySQL for more information about these scheduled jobs.

6.2.2.2 Performing Limited Reconciliation from MySQL

You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the DBUM resource attributes to filter the target system records. You can apply filters to the parent parameters in the reconciliation query file stored in a JAR file in the bundle directory of the connector installation media. For example, to locate the reconciliation query file, you can extract the bundle/org.identityconnectors.dbum-12.3.0.jar file and open scripts/mysql/Search.queries.

The following table provides the description of the parent parameter that can be used with the Filter attribute of the scheduled jobs:

| Parameter | Description |
|---|---|
| __UID__ | Unique identity representing the user. This parameter is mapped to USERNAME or __NAME__ connector attribute. |

For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

6.2.2.3 Performing Batched Reconciliation from MySQL

You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Governance. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid these problems.

To configure batched reconciliation, you must specify a value for the Batch Size reconciliation scheduled job attribute. Use this attribute to specify the number of records that must be included in each batch. By default, this value is empty.

If you specify a value other than All, then some of the newly added or modified user records may not get reconciled during the current reconciliation run. The following example illustrates this:

Suppose you specify the Batch Size value as 200 while configuring the scheduled jobs. Suppose that 314 user records were created or modified after the last reconciliation run. Of these 314 records, only 200 records would be reconciled during the current reconciliation run. The remaining 114 records would be reconciled during the next reconciliation run.

You specify values for the Batch Size attribute by following the instructions described in Configuring Reconciliation Jobs.

6.3 Configuring Reconciliation Jobs

Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.

You can apply this procedure to configure the reconciliation jobs for users and entitlements.

To configure a reconciliation job:
  1. Log in to Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled job as follows:
    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type. See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Governance.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

6.4 Guidelines on Performing Provisioning Operations

These are the guidelines that you must apply while performing provisioning operations.

6.4.1 Guidelines on Performing Provisioning Operations for Oracle Database

These are the guidelines that you must apply while performing provisioning operations.

  • Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, run the scheduled jobs for lookup field synchronization before provisioning operations.

  • Passwords for user accounts provisioned from Oracle Identity Governance must adhere to the password policy set in the target system.

  • The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Governance fields.

  • During an update password provisioning operation, ensure that you clear the existing text in the Password field, and then enter the new password.

  • During a Create User provisioning operation, the following are some of the fields that are optional:

    • Default Tablespace

    • Default Tablespace Quota (in MB)

      This field is dependent on Default Tablespace. To specify a quota, you must specify a value for Default Tablespace.

    • Temporary Tablespace

    • Profile Name

    If you specify a value for any of these fields during a Create User provisioning operation, then you must not leave them empty during an Update User provisioning operation. Otherwise, the provisioning operation will fail. However, you can modify the existing values in these fields.

  • For creating password-authenticated database users, you must specify values for the following fields:

    • Username: Enter the name of the database user.

    • Password: Enter the password for the database user.

    • Authentication Type: Specify PASSWORD as the value of this lookup field.

  • For creating globally-authenticated database users, you must specify a value for the following mandatory fields:

    • Username: Enter the name of the database user.

    • Authentication Type: Specify GLOBAL as the value of this lookup field.

    • Global DN: Enter the distinguished name (DN) for your organization.

      Sample value: cn=ajones,cn=users,dc=oracle,dc=vm

    After you submit the data required, the connector runs the following query to create a globally-authenticated database user:

    CREATE USER {__NAME__} IDENTIFIED GLOBALLY AS {globalDN}

  • If you specify a value for the Default Tablespace Quota (in MB) field, then enter values in the following format:

    TABLESPACE_QUOTA M

    In this format, TABLESPACE_QUOTA is the tablespace quota allocated to the user and M indicates that megabytes is the unit of measurement of quota. The following is a sample value: 300 M

    If you want to allocate to a user unlimited quota on a tablespace, then specify the following as the value of the Default Tablespace Quota (in MB) field:

    UNLIMITED
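The field rules in this section, as an added example (not part of the connector or of Oracle Identity Governance): a pre-submission check for Create User and Update User forms. The form keys mirror the field labels above; the identifier and DN patterns are conservative assumptions of this example, chosen because both values end up in the CREATE USER statement.

```python
import re

QUOTA_RE = re.compile(r"^(?:\d+ M|UNLIMITED)$")   # "300 M" or "UNLIMITED"
# Assumptions of this example (not connector rules): plain unquoted
# identifiers and simple key=value DN components only.
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")
DN_RE = re.compile(r"^[A-Za-z]+=[^,='\";]+(?:,[A-Za-z]+=[^,='\";]+)*$")
# Optional at Create User; once set, must not be emptied at Update User.
STICKY = ("Default Tablespace", "Default Tablespace Quota (in MB)",
          "Temporary Tablespace", "Profile Name")


def _val(form, key):
    return (form.get(key) or "").strip()


def validate_create_user(form):
    """Return a list of guideline violations; an empty list means it passes."""
    errs = []
    user, auth = _val(form, "Username"), _val(form, "Authentication Type")
    if not IDENT_RE.match(user):
        errs.append("Username: missing or not a plain identifier")
    if auth == "PASSWORD":
        if not form.get("Password"):
            errs.append("Password: required for PASSWORD authentication")
    elif auth == "GLOBAL":
        if not DN_RE.match(_val(form, "Global DN")):
            errs.append("Global DN: missing or malformed")
    else:
        errs.append("Authentication Type: only PASSWORD and GLOBAL are checked here")
    quota = _val(form, "Default Tablespace Quota (in MB)")
    if quota:
        if not _val(form, "Default Tablespace"):
            errs.append("Default Tablespace: required when a quota is given")
        if not QUOTA_RE.match(quota):
            errs.append("Default Tablespace Quota (in MB): use 'N M' or UNLIMITED")
    return errs


def validate_update_user(created, update):
    """Flag fields that were set at creation but are empty in the update."""
    return [f"{k}: set at creation, must not be empty on update"
            for k in STICKY if _val(created, k) and not _val(update, k)]


# Constructed sample forms.
GLOBAL_FORM = {"Username": "AJONES", "Authentication Type": "GLOBAL",
               "Global DN": "cn=ajones,cn=users,dc=oracle,dc=vm"}
BAD_FORM = {"Username": "BSMITH", "Authentication Type": "PASSWORD",
            "Password": "", "Default Tablespace Quota (in MB)": "300MB"}

if __name__ == "__main__":
    print(validate_create_user(GLOBAL_FORM))
    for problem in validate_create_user(BAD_FORM):
        print(problem)
```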

6.4.2 Guidelines on Performing Provisioning Operations for MySQL

These are the guidelines that you must apply while performing provisioning operations.

  • Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, run the scheduled jobs for lookup field synchronization before provisioning operations.

  • Passwords for user accounts provisioned from Oracle Identity Governance must adhere to the password policy set in the target system.

  • The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Governance fields.

  • During an update password provisioning operation, ensure that you clear the existing text in the Password field, and then enter the new password.

6.5 Performing Provisioning Operations

You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

  1. Log in to Identity Self Service.
  2. Create a user as follows:
    1. In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
    2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
    3. Enter details of the user in the Create User page.
  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
  5. Specify values for the fields in the application form and then click Ready to Submit.
  6. Click Submit.

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page

6.6 Uninstalling the Connector

Uninstalling the connector deletes all the account-related data associated with its resource objects.

If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector (for example, GoogleApps User; GoogleApps Group) as the value of the ObjectValues property.

Note:

If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the deletion of objects listed in the ObjectValues property is performed by the utility and the Connector information is skipped.

For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.