1 About the Oracle E-Business Suite User Management Connector

The Oracle E-Business Suite User Management connector integrates Oracle Identity Governance with Oracle E-Business Suite.

The following topics provide a high-level overview of the connector:

Note:

In this guide, Oracle E-Business Suite User Management connector is referred to as the EBS User Management connector.

1.1 Introduction to the Connector

Oracle Identity Governance is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premises or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with the external identity-aware applications. The Oracle E-Business Suite User Management connector lets you onboard Oracle E-Business Suite applications in Oracle Identity Governance.

Note:

In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates, allowing you to onboard your applications quickly and easily using a single, simplified UI.

Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.

An FND_USER record represents an Oracle E-Business User Management account. This record is the main component of the account data whose management is enabled by the connector. This connector can be used to manage either the FND_USER records or FND_USER records with TCA records. In other words, this connector is used to manage plain user accounts or user accounts with parties.

You can use the User Management connector to create Oracle E-Business Suite user accounts (FND_USER records) for OIG users and to grant user roles and responsibilities to these accounts. You can also reconcile newly created users and modified user accounts (FND_USER records) from the target system. These reconciled records are used to create and update Oracle E-Business User Management accounts assigned to OIG Users.

In addition to creating Oracle E-Business User Management accounts, you can use this connector to create parties or vendors (suppliers) in the target system. A party or vendor represents a Trading Community Architecture (TCA) record in the HZ_PARTIES table. Some applications in Oracle E-Business Suite, such as iStore and iProcurement, require users to have a TCA record that is a representative or employee of parties and vendors in your organization.

The following are the types of TCA records that this connector supports:

  • Parties

  • Vendors or Suppliers

The object class used for the User Management connector with TCA party is __ACCOUNT__. Roles and responsibilities are handled as child data. You can use this connector to remove existing roles and responsibilities as well.

During user provisioning, if you enter the party or supplier information along with the EBS user information, the connector creates an E-Business user account first, creates the party or vendor next, and then establishes the link between the user record and TCA record. For target system users that are linked with party or supplier records, the value in the PERSON_PARTY_ID column in the FND_USER table is the same as the value in the PARTY_ID column of the HZ_PARTIES table.

During a create or update user provisioning operation, you can link the target system user account with an existing HRMS employee record by providing Person ID.

1.2 Certified Components

These are the software components and their versions required for installing and using the connector.

Note:

If you are using Oracle Identity Manager release 11.1.x, then you can install and use the connector only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0 or later.

Table 1-1 Certified Components

| Component | Requirement for AOB Application | Requirement for CI-Based Connector |
|---|---|---|
| Oracle Identity Governance or Oracle Identity Manager | You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager: Oracle Identity Governance 12c (12.2.1.4.0); Oracle Identity Governance 12c (12.2.1.3.0) | You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager: Oracle Identity Governance 12c (12.2.1.4.0); Oracle Identity Governance 12c (12.2.1.3.0); Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0) and any later BP in this release track |
| Target system | The target system can be any one of the following: Oracle E-Business Suite 12.1.1 through 12.1.3; Oracle E-Business Suite 12.2.x. These applications may run on Oracle Database 10g, 11g, 12c, or 19c, as either single database or Oracle RAC implementation. Note: If your target system is running on Oracle Database release 19.x, then download and apply the Oracle Database patch 31142749 from My Oracle Support. Applying this patch ensures that provisioning operations work fine. Communication between Oracle Identity Governance and the target system can be in SSL or non-SSL mode. | The target system can be any one of the following: Oracle E-Business Suite 12.1.1 through 12.1.3; Oracle E-Business Suite 12.2.x. These applications may run on Oracle Database 10g, 11g, 12c, or 19c, as either single database or Oracle RAC implementation. Note: If your target system is running on Oracle Database release 19.x, then download and apply the Oracle Database patch 31142749 from My Oracle Support. Applying this patch ensures that provisioning operations work fine. Communication between Oracle Identity Governance and the target system can be in SSL or non-SSL mode. |
| Connector server | 11.1.2.1.0 or later | 11.1.2.1.0 or later |
| Connector Server JDK | JDK 1.6 or later | JDK 1.6 or later |
| SSO system | The target system can use one of the following single sign-on (SSO) solutions: Oracle Single Sign-on with Oracle Internet Directory (release 11.1.1.7.0) as LDAP-based repository; Oracle Access Manager with Microsoft Active Directory (2008, 2012 R2), Oracle Directory Server Enterprise Edition (11.1.1.7.0) or Novell eDirectory (8.8) as the LDAP-based repository | The target system can use one of the following single sign-on (SSO) solutions: Oracle Single Sign-on with Oracle Internet Directory (release 11.1.1.7.0) as LDAP-based repository; Oracle Access Manager with Microsoft Active Directory (2008, 2012 R2), Oracle Directory Server Enterprise Edition (11.1.1.7.0) or Novell eDirectory (8.8) as the LDAP-based repository |

1.3 Usage Recommendation

These are the recommendations for the EBS User Management connector versions that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.

  • If you are using Oracle Identity Governance release 12c (12.2.1.3.0) or later, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.

  • If you are using any of the Oracle Identity Manager releases listed in the “Requirement for CI-Based Connector” column in Certified Components, then use the 11.1.x version of the connector. If you want to use the 12.2.1.x version of this connector, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12c (12.2.1.3.0) or later.

Note:

If you are using the latest 12.2.1.x version of the EBS User Management connector in the CI-based mode, then see Oracle Identity Manager Connector Guide for Oracle E-Business Suite User Management, Release 11.1.1 for complete details on connector deployment, usage, and customization.

1.4 Certified Languages

These are the languages that the connector supports.

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English

  • Finnish

  • French

  • French (Canadian)

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.5 Supported Connector Operations

This is the list of operations that the connector supports for your target system.

Table 1-2 Supported Connector Operations

| Operation | Supported? |
|---|---|
| User Management | |
| Create person | Yes |
| Update person | Yes |
| Delete person | Yes |
| Enable person | Yes |
| Disable person | Yes |
| Entitlement Grant Management | |
| Add role | Yes |
| Update role | Yes |
| Remove role | Yes |
| Add responsibility | Yes |
| Update responsibility | Yes |
| Remove responsibility | Yes |

1.6 Connector Architecture

You can configure the Oracle E-Business User Management connector to run in the Target (or account management) mode. The connector is implemented using the Integrated Common Framework (ICF) component.

The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering. The ICF is shipped along with Oracle Identity Governance. Therefore, you need not configure or modify the ICF.

Figure 1-1 shows the architecture of the Oracle E-Business Suite connectors.

Figure 1-1 Architecture of the Oracle E-Business Suite Connectors


During connector operations, Oracle Identity Governance interacts with a layer called ICF integration. ICF integration is specific to each application with which OIG interacts and uses the ICF API to invoke operations on the Identity Connector (IC). The connector then calls the target system APIs to perform operations on the resource.

The connector communicates with the target system by making calls to the stored procedures in OIG Wrapper packages, which in turn call the target system stored procedures internally. The OIG Wrapper packages are created in the target system when you run a script that is present in the connector installation package. The procedure to run this script is discussed later in this guide.

The basic function of this connector is to enable management of user data on Oracle E-Business Suite through Oracle Identity Governance. In other words, the Oracle E-Business Suite User Management connector enables you to use Oracle E-Business Suite (the target system) as a managed or target resource of Oracle Identity Governance. You can create and manage target system accounts (resources) for OIG Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled (using scheduled tasks) and linked with existing OIG Users and provisioned resources.

1.7 Supported Connector Features Matrix

This section lists the features supported by the AOB application and the CI-based connector.

Table 1-3 Supported Connector Features Matrix

| Feature | AOB Application | CI-Based Connector |
|---|---|---|
| Integrate the target system as a target resource of Oracle Identity Governance | Yes | Yes |
| Perform Segregation of Duties (SoD) validation of role and responsibility entitlement requests | Yes | Yes |
| Configure the connector for a single sign-on solution | Yes | Yes |
| Set account status for reconciliation and provisioning | Yes | Yes |
| Perform basic password management tasks | Yes | Yes |
| Perform full and incremental reconciliation | Yes | Yes |
| Perform limited reconciliation | Yes | Yes |
| Perform batched reconciliation | Yes | Yes |
| Configure validation and transformation of account data | Yes | Yes |
| Install connector in a connector server | Yes | Yes |
| Use connection pooling | Yes | Yes |
| Use scheduled jobs for reconciliation of user entities | Yes | Yes |
| Configure SSL communication between the target system and Oracle Identity Governance | Yes | Yes |

1.8 Connector Features

The features of the connector include support for connector server, target resource reconciliation, Segregation of Duties (SoD) validation of role and responsibility entitlement requests, reconciliation of all existing or modified account data, limited and batched reconciliation, transformation and validation of account data during reconciliation and provisioning, and so on.

The following are the features of the connector:

1.8.1 Support for Target Resource Reconciliation

You can use the EBS UM connector to configure the target system as a target resource of Oracle Identity Governance.

In this mode, you can use this connector to provision and reconcile the following entities from Oracle E-Business Suite:

  • EBS accounts/FND_USER records

  • TCA Party records/Vendor records

See Configuring Reconciliation for related information.

1.8.2 SoD Validation of Entitlement Provisioning

This connector supports the SoD feature. Use the Identity Audit (IDA) feature of Oracle Identity Governance to detect SoD violations.

The SoD engine processes role and responsibility entitlement requests that are sent through the connector. Potential conflicts in role and responsibility assignments can be automatically detected.

If you want to enable and use the SoD feature of Oracle Identity Governance with this target system, then you must enable and configure the Identity Audit feature as described in Managing Identity Audit of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.8.3 Support for an SSO-Enabled Target System Installation

Oracle E-Business Suite can be configured to use a single sign-on solution, such as Oracle Single Sign-On or Oracle Access Manager, to authenticate users. Oracle Single Sign-On uses Oracle Internet Directory as an LDAP-based repository for storing user records. Oracle Access Manager can use Microsoft Active Directory, Oracle Directory Server Enterprise Edition, or Novell eDirectory as the LDAP-based repository.

You can configure the connector to work with either one of these SSO solutions during reconciliation and provisioning operations.

The connector is shipped with an adapter that copies SSO account details, such as the GUID, from an enterprise directory process form to the EBS user process form.

See Configuring the Connector for SSO for information about configuring the connector for a single sign-on solution.

1.8.4 Account Status Reconciliation and Provisioning

When you enable an account on the target system, the Effective Date From field is set to the current date and the Effective Date To field is set to NULL on the target system.

When you disable an account on the target system, the Effective Date To field is set to the current date on the target system.

The same effect can be achieved through provisioning operations performed on Oracle Identity Governance. In addition, status changes made directly on the target system can be copied into Oracle Identity Governance during reconciliation.
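
The party link described in the introduction (PERSON_PARTY_ID in FND_USER matching PARTY_ID in HZ_PARTIES) and the status rule in this section can be checked together in one audit query after a reconciliation run. The following is an added example, not code from the connector or from Oracle: it runs the query against constructed rows in an in-memory SQLite database standing in for the target system. USER_NAME, START_DATE and END_DATE are assumed column names for the user name and the Effective Date From and Effective Date To fields, and treating a future Effective Date To as still enabled is also an assumption.

```python
import sqlite3

# Constructed sample rows. Only FND_USER, PERSON_PARTY_ID, HZ_PARTIES and
# PARTY_ID are named on this page; USER_NAME, START_DATE and END_DATE are
# assumed columns for the user name and the Effective Date From / To fields.
SAMPLE_USERS = [
    # (USER_NAME, PERSON_PARTY_ID, START_DATE, END_DATE)
    ("ASMITH", 1001, "2024-01-10", None),          # enabled, linked to a party
    ("BJONES", None, "2024-02-01", None),          # enabled, plain user account
    ("CLEE",   1002, "2023-05-05", "2024-03-15"),  # disabled on 2024-03-15
    ("DKHAN",  9999, "2024-02-20", None),          # link points at no party
]
SAMPLE_PARTIES = [(1001, "Smith, Alice"), (1002, "Lee, Chris")]

# Status: enabled when Effective Date From has passed and Effective Date To
# is NULL or still in the future (assumption), otherwise disabled.
# Party link: PERSON_PARTY_ID must match a PARTY_ID when it is set.
AUDIT_SQL = """
SELECT u.USER_NAME,
       CASE WHEN u.START_DATE <= :as_of
             AND (u.END_DATE IS NULL OR u.END_DATE > :as_of)
            THEN 'ENABLED' ELSE 'DISABLED' END AS status,
       CASE WHEN u.PERSON_PARTY_ID IS NULL THEN 'NO_PARTY'
            WHEN p.PARTY_ID IS NULL        THEN 'BROKEN_LINK'
            ELSE 'LINKED' END AS party_link
FROM FND_USER u
LEFT JOIN HZ_PARTIES p ON p.PARTY_ID = u.PERSON_PARTY_ID
ORDER BY u.USER_NAME
"""

def build_sample_db():
    """Create the two tables in memory and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE FND_USER (USER_NAME TEXT, PERSON_PARTY_ID INTEGER, "
               "START_DATE TEXT, END_DATE TEXT)")
    db.execute("CREATE TABLE HZ_PARTIES (PARTY_ID INTEGER, PARTY_NAME TEXT)")
    db.executemany("INSERT INTO FND_USER VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO HZ_PARTIES VALUES (?, ?)", SAMPLE_PARTIES)
    return db

def audit_accounts(db, as_of):
    """Return {USER_NAME: (status, party_link)} as of an ISO date string."""
    rows = db.execute(AUDIT_SQL, {"as_of": as_of}).fetchall()
    return {name: (status, link) for name, status, link in rows}

def findings(report):
    """Enabled accounts whose party link does not resolve need review."""
    return sorted(name for name, (status, link) in report.items()
                  if status == "ENABLED" and link == "BROKEN_LINK")

if __name__ == "__main__":
    report = audit_accounts(build_sample_db(), "2024-04-01")
    for name, (status, link) in report.items():
        print(f"{name:8} {status:9} {link}")
    print("review:", findings(report))
```
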

1.8.5 Account Password Management

The connector supports basic password management features. For a particular user, you can specify when the user's password must expire by using the process form fields.

  • Password Expiration Type

    You use the Password Expiration Type field to specify the factor (or measure) that you want to use to set a value for password expiration. You can select either Accesses or Days as the password expiration type.

  • Password Expiration Interval

    In the Password Expiration Interval field, you specify the number of accesses or days for which the user must be able to use the password.

For example, if you specify Accesses in the Password Expiration Type field and enter 20 in the Password Expiration Interval field, then the user is prompted to change the user's password at the twenty-first login. Similarly, if you specify Days in the Password Expiration Type field and enter 100 in the Password Expiration Interval field, then the user is prompted to change the user's password on the hundred and first day after setting a new password.

See Lookup.Oracle EBS UM.PasswordExpTypes for information about the lookup definition corresponding to the Password Expiration Type field.

1.8.6 Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Governance. After the first full reconciliation run, incremental reconciliation is automatically enabled from the next run of the user reconciliation.

You can perform a full reconciliation run at any time. See Performing Full and Incremental Reconciliation for more information on performing full and incremental reconciliation runs.

1.8.7 Support for Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Performing Batched Reconciliation for more information on performing batched reconciliation.

1.8.8 Support for Limited (Filtered) Reconciliation

You can set a reconciliation filter as the value of the Filter attribute of the scheduled tasks. This filter specifies the subset of newly added and modified target system records that must be reconciled.

See Performing Limited Reconciliation for more information on performing limited reconciliation.

1.8.9 Support for Cloning Applications and Creating Instance Applications

You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.

When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations with the base application.

For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.8.10 Transformation and Validation of Account Data

You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.

For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.8.11 Support for the Connector Server

Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.

A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.

For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

1.8.12 Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Governance connectors can use these connections to communicate with target systems.

At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can be requested again and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.

One connection pool is created for each set of basic configuration parameters that you provide while creating an application. For example, if you have three applications for three installations of the target system, then three connection pools will be created, one for each target system installation.

For more information about the parameters that you can configure for connection pooling, see Advanced Settings Parameters.

1.8.13 Support for SSL Communication Between the Target System and Oracle Identity Governance

You can configure SSL to secure communication between Oracle Identity Governance and the target system.

See Configuring Secure Communication Between the Target System and Oracle Identity Governance for more information about securing communication between the target system and Oracle Identity Governance.