5 Using the Connector
You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
This chapter discusses the following topics:
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.
5.1 Configuring Reconciliation
You can configure the connector to specify the type of reconciliation and its schedule.
This section provides information on the following topics related to configuring reconciliation:
5.1.1 Performing Full Reconciliation and Incremental Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.
At the end of the reconciliation run, the connector automatically sets the Latest Token parameter of the job for user record reconciliation to the time stamp at which the run ended. From the next run onward, the connector considers only records created or modified after this time stamp for reconciliation. This is incremental reconciliation.
You can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance. To perform a full reconciliation run, ensure that no values are specified for the following parameters of the jobs for reconciling user records:
- Filter
- Latest Token
Note:
Incremental reconciliation leverages the AWS CloudTrail capability. Hence, there can be a slight delay for the changes to reflect on CloudTrail.
5.1.2 Performing Limited Reconciliation
By default, all target system records are reconciled during the current reconciliation run. You can customize this process by specifying the subset of target system records that must be reconciled.
Limited or filtered reconciliation is the process of limiting the number of records being reconciled based on a set of filter criteria. By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.
This connector provides a Filter Query parameter (a reconciliation job parameter) that allows you to use various filter conditions to filter the target system records. When you specify a value for the Filter Query parameter, the connector reconciles only the target system records that match the filter criterion into Oracle Identity Governance.
The following are filters that are supported by the Amazon Web Services connector:
- Filter Account using UserName
  For example, UserName=Alex
  Here any user with UserName Alex is reconciled.
- Filter Account using Path
  - For example, Path=/
    Here all users with path as / are reconciled.
  - For example, Path=/Oracle/
    Here all users with a path under the Oracle folder and its subfolders are reconciled.
  - For example, Path=/Ora
    Here all users with a path whose folder starts with Ora (for example, Oracle or OracleAdmin), including users in subfolders, are reconciled.
Note:
The Amazon Web Services connector does not support any other filters.
For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
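The scope each filter above selects, shown as an added example on constructed records (this is not the connector's code). It assumes UserName is an exact match and Path is a plain string-prefix match, as the /Oracle/ and /Ora examples describe; the helper names and sample users are hypothetical.

```python
# Added illustration: models the connector's two supported filters on
# constructed IAM-style records. Not Oracle's connector code.
SUPPORTED = {"UserName", "Path"}  # the page states no other filters are supported

# Constructed sample records (UserName, Path); not real accounts.
USERS = [
    {"UserName": "Alex",  "Path": "/"},
    {"UserName": "Priya", "Path": "/Oracle/"},
    {"UserName": "Sam",   "Path": "/Oracle/Finance/"},
    {"UserName": "Dana",  "Path": "/OracleAdmin/"},
    {"UserName": "Lee",   "Path": "/Other/"},
]

def parse_filter(query):
    """Split 'Attribute=value' and reject attributes the connector does not support."""
    attr, sep, value = query.partition("=")
    attr, value = attr.strip(), value.strip()
    if not sep or not value:
        raise ValueError(f"malformed filter: {query!r}")
    if attr not in SUPPORTED:
        raise ValueError(f"unsupported filter attribute: {attr!r}")
    return attr, value

def reconcile_scope(query, users=USERS):
    """Return the user names a filter would bring into the reconciliation run."""
    attr, value = parse_filter(query)
    if attr == "UserName":
        # Assumption: UserName is compared exactly.
        return [u["UserName"] for u in users if u["UserName"] == value]
    # Assumption: Path is a string-prefix match, per the /Oracle/ and /Ora examples.
    return [u["UserName"] for u in users if u["Path"].startswith(value)]

def top_level_folders(query, users=USERS):
    """Top-level folders a Path filter reaches; more than one means a broad prefix."""
    attr, value = parse_filter(query)
    if attr != "Path":
        raise ValueError("top_level_folders applies to Path filters only")
    return sorted({u["Path"].split("/")[1] for u in users
                   if u["Path"].startswith(value) and u["Path"] != "/"})

if __name__ == "__main__":
    for q in ("UserName=Alex", "Path=/Oracle/", "Path=/Ora"):
        print(q, "->", reconcile_scope(q))
```

A Path value without a trailing slash, such as /Ora, reaches every folder that shares the prefix, so end the value with / when only one folder is meant to be in scope.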
5.2 Configuring Reconciliation Jobs
Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
5.3 Performing Provisioning Operations
You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
- Log in to Identity Self Service.
- Create a user as follows:
  - In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
  - From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
  - Enter details of the user in the Create User page and click Submit.
- On the Account tab, click Request Accounts.
- In the Catalog page, search for the application instance for the connector that you configured earlier, click Add to Cart, and then click Next.
- Specify values for the fields in the application form and then click Update.
- Click Submit.
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page
5.4 Performance Recommendation for the Amazon Web Services connector
You can improve the performance of full and incremental reconciliation operations.
To improve the full reconciliation performance, in the Advanced configuration settings, set the value for the PolicyGroup and PasswordLastUsed configuration attributes to False. With this configuration change, the values for Inherited policies in the child policy table and the Password Last Used attribute in the account form will show as blank.
To improve the filter reconciliation performance, it is recommended to use USERNAME as the filter value. The Path filter takes more time because of the extra calls made for the users under the specified path.
5.5 Uninstalling the Connector
Uninstalling the connector deletes all the account-related data associated with its resource objects.
If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for the ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector as the value of the ObjectValues property.
Note:
If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValue properties, then the deletion of objects listed in the ObjectValues property is performed by the utility and the Connector information is skipped.
For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.