5 Using the Connector

You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

This chapter discusses the following topics:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

5.1 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

This section provides information on the following topics related to configuring reconciliation:

5.1.1 Performing Full Reconciliation and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.

At the end of the reconciliation run, the connector automatically sets the Latest Token parameter of the job for user record reconciliation to the time stamp at which the run ended. From the next run onward, the connector considers only records created or modified after this time stamp for reconciliation. This is incremental reconciliation.

You can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance. To perform a full reconciliation run, ensure that no values are specified for the following parameters of the jobs for reconciling user records:

  • Filter

  • Latest Token

Note:

Incremental reconciliation leverages the AWS CloudTrail capability. Hence, there can be a slight delay before changes are reflected in CloudTrail.

5.1.2 Performing Limited Reconciliation

Limited or filtered reconciliation is the process of limiting the number of records being reconciled based on a set filter criterion. By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

This connector provides a Filter Query parameter (a reconciliation job parameter) that allows you to use various filter conditions to filter the target system records. When you specify a value for the Filter Query parameter, the connector reconciles only the target system records that match the filter criterion into Oracle Identity Governance.

The following are filters that are supported by the Amazon Web Services connector:

  • Filter Account using UserName

    For example, UserName=Alex

    Only users with the UserName Alex are reconciled.

  • Filter Account using Path

    • For example, Path=/

      All users whose path is / are reconciled.

    • For example, Path=/Oracle/

      All users whose path is under the Oracle folder or any of its sub folders are reconciled.

    • For example, Path=/Ora

      All users whose path is under a folder whose name starts with Ora (for example, Oracle or OracleAdmin), including its sub folders, are reconciled.

Note:

Amazon Web Services connector does not support any other filters.

For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
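The following Python script is an added example and is not part of the connector or of Oracle Identity Governance; it models how the Filter and Latest Token job parameters described in this section select user records for a run. The user records, their time stamps, the field name last_modified, and the prefix interpretation of the Path filter are assumptions made for the illustration.

```python
"""Added example (not from the connector documentation or Oracle's code):
a model of how the Filter and Latest Token job parameters select IAM user
records for one reconciliation run. All records below are constructed."""
from datetime import datetime, timezone

# Constructed sample of IAM user records as the connector might see them.
# "last_modified" stands in for the change time stamp the connector compares
# against Latest Token; the exact target attribute is an assumption here.
USERS = [
    {"UserName": "Alex",  "Path": "/",             "last_modified": "2024-01-10T09:00:00Z"},
    {"UserName": "Bob",   "Path": "/Oracle/",      "last_modified": "2024-01-12T10:30:00Z"},
    {"UserName": "Carol", "Path": "/Oracle/Dev/",  "last_modified": "2024-01-14T08:15:00Z"},
    {"UserName": "Dan",   "Path": "/OracleAdmin/", "last_modified": "2024-01-15T11:45:00Z"},
    {"UserName": "Eve",   "Path": "/Finance/",     "last_modified": "2024-01-16T12:00:00Z"},
]


def _parse_ts(value):
    # Accept the trailing "Z" form on every Python 3 version.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_filter(filter_value):
    """Parse the 'Attribute=value' form of the Filter parameter.
    Only UserName and Path are supported, as the documentation states;
    an empty value means no filter (part of the full reconciliation setup)."""
    if not filter_value or not filter_value.strip():
        return None
    attr, sep, value = filter_value.partition("=")
    attr, value = attr.strip(), value.strip()
    if not sep or attr not in ("UserName", "Path"):
        raise ValueError(f"unsupported filter: {filter_value!r}")
    return attr, value


def matches_filter(user, parsed):
    if parsed is None:
        return True
    attr, value = parsed
    if attr == "UserName":
        return user["UserName"] == value
    # Path is matched as a prefix (assumption consistent with the examples
    # above): "/Oracle/" covers the folder and its sub folders, "/Ora" covers
    # "/Oracle/" and "/OracleAdmin/", and "/" is the prefix of every path.
    return user["Path"].startswith(value)


def select_records(users, filter_value="", latest_token=""):
    """Return the UserNames a run would reconcile: records that pass the
    Filter and were modified strictly after Latest Token (if one is set)."""
    parsed = parse_filter(filter_value)
    token = _parse_ts(latest_token) if latest_token else None
    selected = []
    for user in users:
        if not matches_filter(user, parsed):
            continue
        if token is not None and _parse_ts(user["last_modified"]) <= token:
            continue
        selected.append(user["UserName"])
    return selected


def run_reconciliation(users, filter_value="", latest_token="", run_end_iso=None):
    """Return (reconciled UserNames, new Latest Token). The connector sets
    Latest Token to the time stamp at which the run ended."""
    names = select_records(users, filter_value, latest_token)
    if run_end_iso is None:
        run_end_iso = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return names, run_end_iso


def late_change_is_skipped(users, late_user, token_after_run):
    """Consequence of the CloudTrail delay noted above: a change that becomes
    visible only after a run ended, but whose modification time is at or
    before the new Latest Token, is not picked up by the next incremental run."""
    visible_now = users + [late_user]
    return late_user["UserName"] not in select_records(visible_now, "", token_after_run)


if __name__ == "__main__":
    print("full run:", run_reconciliation(USERS, "", "", "2024-01-17T00:00:00Z"))
    print("Path=/Ora, incremental:", select_records(USERS, "Path=/Ora", "2024-01-14T00:00:00Z"))
```

Calling select_records with an empty Filter and an empty Latest Token returns every record, which is the full reconciliation configuration described above; a token excludes anything modified at or before it. late_change_is_skipped shows why a periodic full run is worth scheduling when the target's change feed can lag: such a record is reconciled again only when the token is cleared.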

5.2 Configuring Reconciliation Jobs

Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.

You can apply this procedure to configure the reconciliation jobs for users and entitlements.

To configure a reconciliation job:
  1. Log in to Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled job as follows:
    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type. See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Governance.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

5.3 Performing Provisioning Operations

You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

  1. Log in to Identity Self Service.
  2. Create a user as follows:
    1. In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
    2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
    3. Enter details of the user in the Create User page and click Submit.
  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for the application instance for the connector that you configured earlier, click Add to Cart, and then click Next.
  5. Specify values for the fields in the application form and then click Update.
  6. Click Submit.

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page.

5.4 Performance Recommendation for the Amazon Web Services connector

You can improve the performance of full and incremental reconciliation operations.

To improve full reconciliation performance, in the Advanced configuration settings, set the PolicyGroup and PasswordLastUsed configuration attributes to False. With this configuration change, the Inherited policies values in the child policy table and the Password Last Used attribute in the account form are shown as blank.

To improve filtered reconciliation performance, it is recommended that you use UserName as the filter attribute. A Path filter takes longer because the connector makes additional calls for the users under the specified path.

5.5 Uninstalling the Connector

Uninstalling the connector deletes all the account-related data associated with its resource objects.

If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector as the value of the ObjectValues property.

Note:

If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the utility deletes only the objects listed in the ObjectValues property and skips the connector information.

For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.

5.6 Connector Objects Used for Groups Management

Learn about the objects that are used by the connector to perform group management operations such as create, update, and delete.

5.6.1 Lookup Definitions for Groups Management

The lookup definitions for Groups are automatically created in Oracle Identity Governance after you create the application by using the connector.

5.6.1.1 Lookup.AWS.GM.Configuration

The Lookup.AWS.GM.Configuration lookup definition holds mappings between process form fields (Code Key values) and target system attributes (Decode). This lookup definition is preconfigured and is used during group provisioning operations.

The following table lists the default entries.

Table 5-1 Entries in the Lookup.AWS.GM.Configuration Lookup Definition

Code Key | Decode | Description
Provisioning Attribute Map | Lookup.AWS.GM.ProvAttrMap | This entry holds the name of the lookup definition that stores attribute mappings between Oracle Identity Manager and the target system. This lookup definition is used during provisioning operations.
Recon Attribute Map | Lookup.AWS.GM.ReconAttrMap | This entry holds the name of the lookup definition that stores attribute mappings between Oracle Identity Manager and the target system. This lookup definition is used during reconciliation.

5.6.1.2 Lookup.AWS.GM.ProvAttrMap

The Lookup.AWS.GM.ProvAttrMap definition holds mappings between process form fields (Code Key values) and target system attributes (Decode). This lookup definition is preconfigured and is used during group provisioning operations.

The following table lists the default entries.

Table 5-2 Entries in the Lookup.AWS.GM.ProvAttrMap Lookup Definition

Group Field on Oracle Identity Manager | Amazon Web Services Connector Field
CreateDate[WRITEBACK] | CreateDate
GroupId[WRITEBACK] | __UID__
GroupName | __NAME__
Arn[WRITEBACK] | Arn
Path[WRITEBACK] | Path

5.6.1.3 Lookup.AWS.GM.ReconAttrMap

The Lookup.AWS.GM.ReconAttrMap definition holds mappings between resource object fields (Code Key values) and target system attributes (Decode). This lookup definition is pre-configured and is used during target resource group reconciliation runs.

The following table lists the entries.

Table 5-3 Entries in the Lookup.AWS.GM.ReconAttrMap Lookup Definition

Group Field on Oracle Identity Manager | Amazon Web Services Connector Field
CreateDate | CreateDate
Arn | Arn
GroupName | __NAME__
GroupId | __UID__
OIM Org Name | Organization Name (Note: This is a connector attribute. The value of this attribute is used internally by the connector to specify the organization of the groups in Oracle Identity Manager.)
Path | Path

5.6.2 Reconciliation Rules and Action Rules for Groups Management

Reconciliation rules are used by the reconciliation engine to determine the identity to which Oracle Identity Governance must assign a newly discovered account on the target system. Reconciliation action rules define the actions the connector must perform based on the outcome of the reconciliation rules.

5.6.2.1 Reconciliation Rule for Groups

The following is the process-matching rule for groups:

Rule name: AWS Group Recon Rule

Rule element: Organization Name Equals OIM Org Name

In this rule element:

  • Organization Name is the Organization Name field of the OIM User form.
  • OIM Org Name is the organization name of the groups in Oracle Identity Manager. It is the value specified in the Organization Name attribute of the AWS Group Recon scheduled job.

5.6.2.2 Reconciliation Action Rules for Groups

The following table lists the action rules for groups reconciliation.

Table 5-4 Action Rules for Reconciliation

Rule Condition | Action
No Matches Found | Assign To Authorizer With Least Load
One Entity Match Found | Establish Link
One Process Match Found | Establish Link

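
The following Python script is an added example, not code from the connector or from Oracle Identity Governance; it shows how the Lookup.AWS.GM.ProvAttrMap and Lookup.AWS.GM.ReconAttrMap entries (Tables 5-2 and 5-3), the AWS Group Recon Rule, and the action rules in Table 5-4 fit together for one group record. The sample group, its identifiers and ARN, and the organization names are constructed; how Oracle Identity Governance handles more than one match is not covered by Table 5-4, so the script returns None in that case.

```python
"""Added example (not from the connector or Oracle Identity Governance):
group attribute mapping, the group reconciliation rule and the action rules
applied to one constructed group record."""

# Lookup.AWS.GM.ReconAttrMap as listed in Table 5-3: resource object field
# -> connector field. OIM Org Name is a connector attribute whose value is
# taken from the job's Organization Name parameter, not from the target.
RECON_ATTR_MAP = {
    "CreateDate": "CreateDate",
    "Arn": "Arn",
    "GroupName": "__NAME__",
    "GroupId": "__UID__",
    "OIM Org Name": "Organization Name",
    "Path": "Path",
}

# Lookup.AWS.GM.ProvAttrMap as listed in Table 5-2. Fields tagged [WRITEBACK]
# are filled from the target system's response after the group is created.
PROV_ATTR_MAP = {
    "CreateDate[WRITEBACK]": "CreateDate",
    "GroupId[WRITEBACK]": "__UID__",
    "GroupName": "__NAME__",
    "Arn[WRITEBACK]": "Arn",
    "Path[WRITEBACK]": "Path",
}

# Constructed connector object for one IAM group (placeholder account id).
GROUP = {
    "__UID__": "AGPA-CONSTRUCTED-0001",
    "__NAME__": "Admins",
    "Arn": "arn:aws:iam::000000000000:group/Admins",
    "Path": "/",
    "CreateDate": "2024-01-01T00:00:00Z",
}


def build_recon_event(connector_object, organization_name):
    """Translate a connector object (keyed by connector field) into a
    reconciliation event keyed by resource object field."""
    event = {}
    for oim_field, connector_field in RECON_ATTR_MAP.items():
        if oim_field == "OIM Org Name":
            event[oim_field] = organization_name  # supplied by the scheduled job
        else:
            event[oim_field] = connector_object.get(connector_field)
    return event


def provisioning_payload(process_form):
    """Split the process form into attributes sent on create and the
    [WRITEBACK] fields that are populated from the create response."""
    outbound, writeback = {}, {}
    for form_field, connector_field in PROV_ATTR_MAP.items():
        if form_field.endswith("[WRITEBACK]"):
            writeback[form_field[: -len("[WRITEBACK]")]] = connector_field
        else:
            outbound[connector_field] = process_form.get(form_field)
    return outbound, writeback


def apply_writeback(writeback, create_response):
    """Fill the [WRITEBACK] form fields from the target's create response."""
    return {field: create_response.get(cf) for field, cf in writeback.items()}


def matching_organizations(event, organizations):
    """AWS Group Recon Rule: Organization Name Equals OIM Org Name."""
    return [o for o in organizations if o["Organization Name"] == event["OIM Org Name"]]


def reconciliation_action(entity_matches, process_matches):
    """Action rules from Table 5-4; combinations the table does not list
    (several matches) yield None so the caller can flag them for review."""
    if process_matches == 1 or entity_matches == 1:
        return "Establish Link"
    if entity_matches == 0 and process_matches == 0:
        return "Assign To Authorizer With Least Load"
    return None


def reconcile_group(connector_object, organization_name, organizations, linked_process_count=0):
    """Run the mapping, the rule and the action selection for one group."""
    event = build_recon_event(connector_object, organization_name)
    entity_matches = len(matching_organizations(event, organizations))
    return event, reconciliation_action(entity_matches, linked_process_count)


if __name__ == "__main__":
    orgs = [{"Organization Name": "AWS Groups"}, {"Organization Name": "Xellerate Users"}]
    print(reconcile_group(GROUP, "AWS Groups", orgs))
```

Because the rule compares only the organization name taken from the job parameter, every group reconciled by one job lands in the same Oracle Identity Manager organization; a job whose Organization Name does not exist produces no match and falls to the "Assign To Authorizer With Least Load" action for every group, which is worth checking in the reconciliation event log after the first run.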
5.6.2.3 Viewing Reconciliation Rules

After you deploy the connector, you can view the reconciliation rule for groups by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Development Tools.
  3. Double-click Reconciliation Rules.
  4. Search for the AWS Group Recon Rule.

The following figure shows the reconciliation rule for groups.

Figure 5-1 Reconciliation Rule for Groups

This is a screen shot of the group reconciliation rule for the AWS connector.

5.6.2.4 Viewing Reconciliation Action Rules

After you create the application by using the connector, you can view the reconciliation action rules for groups by performing the following steps:

  1. Log in to the Design Console.
  2. Expand Resource Management, and double-click Resource Objects.
  3. Search for and open the AWS Group resource object.
  4. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.
    The following figure shows the reconciliation action rules for groups.

    Figure 5-2 Reconciliation Action Rules for Groups

    This is a screen shot of the reconciliation action rules for groups.

5.6.3 Reconciliation Scheduled Jobs for Groups Management

After you create an application, reconciliation scheduled jobs are automatically created in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.

You must specify values for the attributes of the following scheduled jobs:

5.6.3.1 AWS Group Recon

You use the AWS Group Recon scheduled job to reconcile group data from the target system.

The following table describes the attributes of this scheduled job.

Table 5-5 Attributes of the AWS Group Recon Scheduled Job

Attribute Description
Resource Object Name

This attribute holds the name of the resource object used for reconciliation.

Default value: AWS Group

Note: You must not change the default value.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: AWSGroup

Organization Name

Enter the name of the Oracle Identity Manager organization in which reconciled groups must be created or updated.

Filter

This attribute holds the ICF Filter written using ICF-Common Groovy DSL.

Filter suffix: equalTo('GroupName', '<GroupName>')

Sample value: equalTo('GroupName','AWSGroup')

In this example, only the record whose Group Name is AWSGroup is reconciled.

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Default value: AWS Group Recon

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: Group

Note: Do not change the default value.

5.6.3.2 AWS Group Delete Recon

You use the AWS Group Delete Recon scheduled job to reconcile group data from the target system.

The following table describes the attributes of this scheduled job.

Table 5-6 Attributes of the AWS Group Delete Recon Scheduled Job

Attribute Description
Resource Object Name

This attribute holds the name of the resource object used for reconciliation.

Default value: AWS Group

Note: You must not change the default value.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: AWSGroup

Organization Name

Enter the name of the Oracle Identity Manager organization in which reconciled groups must be created or updated.

Filter

This attribute holds the ICF Filter written using ICF-Common Groovy DSL.

Filter suffix: equalTo('GroupName', '<GroupName>')

Sample value: equalTo('GroupName','AWSGroup')

In this example, only the record whose Group Name is AWSGroup is reconciled.

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Default value: AWS Group Recon

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: Group

Note: Do not change the default value.