5 Using the EBS User Management Connector
You can use the EBS User Management connector for performing reconciliation and provisioning operations after configuring your application to meet your requirements.
5.1 Lookup Definitions Used During Connector Operations
Lookup definitions that are used during reconciliation and provisioning operations are either preconfigured or synchronized with the target system.
Lookup definitions used during connector operations can be categorized as follows:
5.1.1 Lookup Definitions Synchronized with the Target System
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Responsibilities lookup field to select a responsibility to be assigned from the list of responsibilities in the lookup field. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Governance. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Governance.
The following is the format in which data is stored after lookup definition synchronization:
Code Key: <IT_RESOURCE_KEY>~<LOOKUP_FIELD_VALUE>
In this format:
- IT_RESOURCE_KEY is the numeric code assigned to each IT resource in Oracle Identity Governance.
- LOOKUP_FIELD_VALUE is the connector attribute value defined for code.
Sample value: 245~0
Decode: <IT_RESOURCE_NAME>~<LOOKUP_FIELD_VALUE>
In this format:
- IT_RESOURCE_NAME is the name of the IT resource in Oracle Identity Governance.
- LOOKUP_FIELD_VALUE is the connector attribute value defined for decode.
Sample value: Oracle EBS UM~FND
During a provisioning operation, lookup fields are populated with values corresponding to the target system that you select for the operation.
5.1.2 Preconfigured Lookup Definitions for the EBS User Management Connector
This section discusses the other lookup definitions that are created in Oracle Identity Governance when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed. The other lookup definitions are as follows:
5.1.2.1 Lookup.Oracle EBS UM.PartyType
The Lookup.Oracle EBS UM.PartyType lookup definition holds information about the types of parties that you can select for a target system account, which you create through Oracle Identity Governance.
The following is the format of the Code Key and Decode values in this lookup definition:
- Code Key: The type of party
- Decode: Description of the type of party
Note:
You cannot add new entries to this lookup definition.
Table 5-1 lists the default entries in this lookup definition.
Table 5-1 Entries in the Lookup.Oracle EBS UM.PartyType Lookup Definition
Code Key | Decode |
---|---|
Party | Party |
Supplier | Supplier |
5.1.2.2 Lookup.Oracle EBS UM.PasswordExpTypes
The Lookup.Oracle EBS UM.PasswordExpTypes lookup definition holds the options that you can select to specify when the password for the target system account (created through Oracle Identity Governance) must expire.
The following is the format of entries in this lookup definition:
- Code Key: The type of password expiry
- Decode: The type of password expiry
Table 5-2 lists the default entries in this lookup definition.
Table 5-2 Entries in the Lookup.Oracle EBS UM.PasswordExpTypes Lookup Definition
Code Key | Decode |
---|---|
Accesses | Accesses |
Days | Days |
None | None |
5.1.2.3 Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap
The Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap lookup definition is used to configure the connector to work with an SSO solution during provisioning operations. In other words, this lookup definition is used when the target system is configured to use Oracle Access Governance to authenticate users. Oracle Access Governance in turn uses Novell eDirectory as an LDAP-based repository for storing user records.
The Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap lookup definition holds information that is used internally by an OIG adapter to copy field values from a Novell eDirectory account to the target system account. For example, the entries in the Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap lookup definition are used internally by the OIG adapter to copy the Reference ID value of a Novell eDirectory account to the SSO GUID field of the EBS UM account.
The following is the format of entries in this lookup definition:
- Code Key: Name of the field in the target system that must be populated with a value from a corresponding field in Novell eDirectory
- Decode: Corresponding field name in Novell eDirectory
Table 5-3 lists the default entries in this lookup definition.
Table 5-3 Entries in the Lookup.Objects.EDIR User.Oracle EBS User Management.CopyAttributesMap Lookup Definition
Code Key | Decode |
---|---|
Reference ID | SSO GUID |
5.1.2.4 Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap
The Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap lookup definition is used when the target system is configured to use either Oracle Single Sign-On or Oracle Access Governance, to authenticate users. Oracle Single Sign-On and Oracle Access Governance in turn use an LDAP-based repository for storing user records.
The Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap lookup definition holds information that is used internally by an OIG adapter to copy field values from an LDAP-based repository account to the target system account. For example, the entries in the Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap lookup definition are used internally by the OIG adapter to copy the NsuniqueID value of an LDAP account to the SSO GUID field of the EBS UM account.
The following is the format of entries in this lookup definition:
- Code Key: Name of the field in the target system that must be populated with a value from a corresponding field in any LDAP-based repository
- Decode: Corresponding field name in the LDAP-based repository
Table 5-4 lists the default entries in this lookup definition.
Table 5-4 Entries in the Lookup.Objects.LDAP User.Oracle EBS User Management.CopyAttributesMap Lookup Definition
Code Key | Decode |
---|---|
NsuniqueID | SSO GUID |
5.1.2.5 Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap
The Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap lookup definition is used when the target system is configured to use Oracle Single Sign-On to authenticate users. Oracle Single Sign-On in turn uses Oracle Internet Directory as an LDAP-based repository for storing user records.
The Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap lookup definition holds information that is used internally by an OIG adapter to copy field values from an Oracle Internet Directory account to the target system account. For example, the entries in the Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap lookup definition are used internally by the OIG adapter to copy the orclGuid value of an OID account to the SSO GUID field of the EBS UM account.
The following is the format of entries in this lookup definition:
- Code Key: Name of the field in the target system that must be populated with a value from a corresponding field in OID
- Decode: Corresponding field name in OID
Table 5-5 lists the default entries in this lookup definition.
Table 5-5 Entries in the Lookup.Objects.OID User.Oracle EBS User Management.CopyAttributesMap Lookup Definition
Code Key | Decode |
---|---|
orclGuid | SSO GUID |
5.1.2.6 Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap
The Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap lookup definition is used when the target system is configured to use Oracle Single Sign-On to authenticate users. Oracle Single Sign-On in turn uses Active Directory as an LDAP-based repository for storing user records.
The Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap lookup definition holds information that is used internally by an OIG adapter to copy field values from a Microsoft Active Directory account to the target system account. For example, the entries in the Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap lookup definition are used internally by the OIG adapter to copy the Unique Id value of an AD account to the SSO GUID field of the EBS UM account.
The following is the format of entries in this lookup definition:
- Code Key: Name of the field in the target system that must be populated with a value from a corresponding field in AD
- Decode: Corresponding field name in AD
Table 5-6 lists the default entries in this lookup definition.
Table 5-6 Entries in the Lookup.Objects.AD User.Oracle EBS User Management.CopyAttributesMap Lookup Definition
Code Key | Decode |
---|---|
Unique Id | SSO GUID |
5.2 About Reconciliation Queries and Provisioning Procedures
Reconciliation queries and provisioning procedures help the connector in performing reconciliation and provisioning operations efficiently.
5.2.1 About Reconciliation Queries
The User Management connector is configured to perform target resource reconciliation with the target system. Data from newly created and updated target system records is brought to Oracle Identity Governance and used to create and update Oracle E-Business Suite resources provisioned to OIG Users.
A SQL query is used to fetch target system records during reconciliation. All predefined SQL queries that are required to perform reconciliation are stored in the search.properties file. The search.properties file is a common file for all EBS Suite connectors. In other words, the search.properties file contains the queries for the EBS UM, HRMS Target, and HRMS Trusted connectors.
When you run a scheduled job, the connector locates the corresponding SQL query in the search.properties file and then runs it on the target system database. Target system records that meet the query criteria are returned to Oracle Identity Governance.
Depending on your requirements, you can modify existing queries or add your own query in the search.properties file. This is discussed later in this guide.
Information in the search.properties file is virtually divided into two parts. The first part lists entries containing the SQL query names in the following format:
OBJ_NAME.OP_NAME.MODE=QUERY_NAME
In this format:
- OBJ_NAME is the name of the object class on which the reconciliation operation must be performed.
- OP_NAME is the type of reconciliation operation to be performed. A reconciliation operation can be a search op, sync op, or lookup op.
- QUERY_NAME is the name of the SQL query that is to be run on the target system database.
The second part lists the SQL query names and the corresponding SQL queries.
The following are the entries corresponding to the EBS UM connector in the search.properties file:
- __ACCOUNT__.search=UM_USER_RECON
  This query is used to reconcile all newly created and modified user records from the target system. The reconciliation operation that is performed is search based.
- __ACCOUNT__.sync=UM_USER_SYNC
  This query is used to reconcile all newly created and modified user records from the target system. The reconciliation operation that is performed is sync based.
- __APPLICATIONS__.lookup=LOOKUP_APPLICATION_QUERY
  This query is used to synchronize values in the fnd_application table of the target system with the Lookup.Oracle EBS UM.Applications lookup definition in Oracle Identity Governance.
- __ROLES__.lookup=LOOKUP_ROLES_QUERY
  This query is used to synchronize values in the fnd_application table of the target system with the Lookup.Oracle EBS UM.Roles lookup definition in Oracle Identity Governance.
- __RESPONSIBILITIES__.lookup=LOOKUP_RESPONSIBILITY_QUERY
  This query is used to synchronize values in the fnd_responsibility_vl table of the target system with the Lookup.Oracle EBS UM.Responsibilities lookup definition in Oracle Identity Governance.
- __SECURITY_GROUPS__.lookup=LOOKUP_SECURITY_GROUP_QUERY
  This query is used to synchronize values in the fnd_security_groups table of the target system with the Lookup.Oracle EBS UM.SecurityGroups lookup definition in Oracle Identity Governance.
5.2.2 About Provisioning Procedures
Provisioning involves management of user accounts and assignment of responsibilities and roles to users in the target system. When you allocate (or provision) an Oracle E-Business Suite resource to an OIG User, the operation results in the creation of an account on Oracle E-Business Suite for that user. Similarly, when you update the resource on Oracle Identity Governance, the same update is made to the account on the target system.
Information about all stored procedures used for performing provisioning operations is defined in the Procedures.properties file. The same file contains stored procedures information for both the EBS UM and HRMS Target connectors.
When you perform a provisioning operation, the connector locates the corresponding stored procedure in the Procedures.properties file and then runs it on the target system to complete the provisioning operation.
Depending on your requirements, you can modify existing stored procedures or add your own stored procedures to the Procedures.properties file. This is discussed later in the guide.
The first property in the Procedures.properties file, DB.PACKAGES, lists all the wrapper packages that are used during connector operations. The subsequent entries in this file are in the following format:
OBJ_NAME.OP_NAME.TCA_TYPE=WRAPPER_PCKG.STORED_PROC
In this format:
- OBJ_NAME is the name of the object on which the provisioning operation must be performed.
- OP_NAME is the type of provisioning operation to be performed. For example, a provisioning operation can be either create, update, delete, enable, or disable.
- TCA_TYPE is the type of TCA record, whether party or supplier. TCA_TYPE is present only for entries corresponding to TCA record provisioning.
- WRAPPER_PCKG is the name of the wrapper package.
- STORED_PROC is the name of the stored procedure in the wrapper package that is to be run on the target system to complete the provisioning operation.
The following are the entries corresponding to the EBS UM connector in the Procedures.properties file:
- Entries corresponding to the __ACCOUNT__ object:
  - __ACCOUNT__.create=OIM_FND_USER_TCA_PKG.CREATEUSER
    In this entry, the CREATEUSER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Create User provisioning operation against the __ACCOUNT__ object.
  - __ACCOUNT__.create.userparty=OIM_FND_USER_TCA_PKG.CREATEUSERPARTY
    In this entry, the CREATEUSERPARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for creating a user record with an existing TCA record.
  - __ACCOUNT__.validatepartyandperson=OIM_FND_USER_TCA_PKG.VALIDATEPARTYANDPERSON
    In this entry, the VALIDATEPARTYANDPERSON stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for validating person and party records before creating an account.
  - __ACCOUNT__.update=OIM_FND_USER_TCA_PKG.UPDATEUSER
    In this entry, the UPDATEUSER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update provisioning operation against the __ACCOUNT__ object.
  - __ACCOUNT__.enable=OIM_FND_USER_TCA_PKG.ENABLEUSER
    In this entry, the ENABLEUSER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for enabling the user account of the __ACCOUNT__ object.
  - __ACCOUNT__.disable=OIM_FND_USER_TCA_PKG.DISABLEUSER
    In this entry, the DISABLEUSER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for disabling the user account of the __ACCOUNT__ object.
  - __ACCOUNT__.update.username=OIM_FND_USER_TCA_PKG.CHANGE_USER_NAME
    In this entry, the CHANGE_USER_NAME stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update user name provisioning operation against the __ACCOUNT__ object.
  - __ACCOUNT__.update.password=OIM_FND_USER_TCA_PKG.CHANGEPASSWORD
    In this entry, the CHANGEPASSWORD stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update user password provisioning operation against the __ACCOUNT__ object.
  - __ACCOUNT__.update.userparty=OIM_FND_USER_TCA_PKG.UPDATEUSERPARTY
    In this entry, the UPDATEUSERPARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update user party provisioning operation against the __ACCOUNT__ object.
  - __ACCOUNT__.delete=OIM_FND_USER_TCA_PKG.REVOKEUSER
    In this entry, the REVOKEUSER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Delete provisioning operation against the __ACCOUNT__ object.
  - __ACCOUNT__.create.supplier=OIM_FND_USER_TCA_PKG.CREATE_SUPPLIER
    In this entry, the CREATE_SUPPLIER stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Create Supplier provisioning operation against the __ACCOUNT__ object.
  - __ACCOUNT__.create.supplier_contact=OIM_FND_USER_TCA_PKG.CREATE_SUPPLIER_CONTACT
    In this entry, the CREATE_SUPPLIER_CONTACT stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Create Supplier Contact provisioning operation against the __ACCOUNT__ object.
  - __ACCOUNT__.create.supplier_secattr=OIM_FND_USER_TCA_PKG.CREATE_SUPPLIER_SECURITY_ATTRS
    In this entry, the CREATE_SUPPLIER_SECURITY_ATTRS stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Create Security Attributes provisioning operation against the __ACCOUNT__ object.
  - __ACCOUNT__.create.linkuser=OIM_FND_USER_TCA_PKG.LINK_USER_PARTY
    In this entry, the LINK_USER_PARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for linking a user record with an existing party record. The LINK_USER_PARTY stored procedure is invoked soon after the CREATEUSERPARTY stored procedure.
  - __ACCOUNT__.create.party=OIM_FND_USER_TCA_PKG.CREATE_PARTY
    In this entry, the CREATE_PARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for creating a new party record.
  - __ACCOUNT__.update.party=OIM_FND_USER_TCA_PKG.UPDATE_PARTY
    In this entry, the UPDATE_PARTY stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for performing the Update Party record provisioning operation against the __ACCOUNT__ object.
- Entries corresponding to child objects:
  - __RESPONSIBILITY__.add=OIM_FND_USER_TCA_PKG.ADDRESP
    In this entry, the ADDRESP stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for adding responsibilities for the __ACCOUNT__ object.
  - __RESPONSIBILITY__.remove =OIM_FND_USER_TCA_PKG.DELRESP
    In this entry, the DELRESP stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for removing responsibilities for the __ACCOUNT__ object.
  - __ROLE__.add=OIM_FND_USER_TCA_PKG.PROPAGATEUSERROLE
    In this entry, the PROPAGATEUSERROLE stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for adding roles for the __ACCOUNT__ object.
  - __ROLE__.remove=OIM_FND_USER_TCA_PKG.REVOKEUSERROLE
    In this entry, the REVOKEUSERROLE stored procedure of the OIM_FND_USER_TCA_PKG wrapper package is used for removing roles for the __ACCOUNT__ object.
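Because Procedures.properties decides which stored procedure runs for each provisioning operation and can be edited, it is worth comparing a deployed copy against the documented mappings. The following is an added example, not Oracle's code: it parses the entry format described above and reports changed, missing, or undeclared-package entries. The sample file, the XX_CUSTOM_PKG name, and the comma-separated form of DB.PACKAGES are assumptions.

```python
# Baseline: the access-affecting entries exactly as listed on this page.
BASELINE = {
    "__ACCOUNT__.create": "OIM_FND_USER_TCA_PKG.CREATEUSER",
    "__ACCOUNT__.update.password": "OIM_FND_USER_TCA_PKG.CHANGEPASSWORD",
    "__ACCOUNT__.enable": "OIM_FND_USER_TCA_PKG.ENABLEUSER",
    "__ACCOUNT__.disable": "OIM_FND_USER_TCA_PKG.DISABLEUSER",
    "__ACCOUNT__.delete": "OIM_FND_USER_TCA_PKG.REVOKEUSER",
    "__RESPONSIBILITY__.add": "OIM_FND_USER_TCA_PKG.ADDRESP",
    "__RESPONSIBILITY__.remove": "OIM_FND_USER_TCA_PKG.DELRESP",
    "__ROLE__.add": "OIM_FND_USER_TCA_PKG.PROPAGATEUSERROLE",
    "__ROLE__.remove": "OIM_FND_USER_TCA_PKG.REVOKEUSERROLE",
}

# Constructed sample file (not from a real deployment). It remaps delete,
# omits disable, and points __ROLE__.remove at a hypothetical package.
SAMPLE = """\
# constructed sample
DB.PACKAGES=OIM_FND_USER_TCA_PKG
__ACCOUNT__.create=OIM_FND_USER_TCA_PKG.CREATEUSER
__ACCOUNT__.update.password=OIM_FND_USER_TCA_PKG.CHANGEPASSWORD
__ACCOUNT__.enable=OIM_FND_USER_TCA_PKG.ENABLEUSER
__ACCOUNT__.delete=OIM_FND_USER_TCA_PKG.DISABLEUSER
__RESPONSIBILITY__.add=OIM_FND_USER_TCA_PKG.ADDRESP
__RESPONSIBILITY__.remove =OIM_FND_USER_TCA_PKG.DELRESP
__ROLE__.add=OIM_FND_USER_TCA_PKG.PROPAGATEUSERROLE
__ROLE__.remove=XX_CUSTOM_PKG.REVOKEUSERROLE
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and #/! comments.

    Only the simple key=value form is handled; whitespace around '=' is
    trimmed, so 'KEY =VALUE' and 'KEY=VALUE' are read the same way.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text, baseline=BASELINE):
    """Return sorted (finding, key, detail) tuples that need review."""
    props = parse_properties(text)
    # Assumption: DB.PACKAGES is a comma-separated list of package names.
    raw_packages = props.pop("DB.PACKAGES", "")
    declared = {p.strip() for p in raw_packages.split(",") if p.strip()}
    findings = []
    for key, value in props.items():
        # Value format from the page: WRAPPER_PCKG.STORED_PROC
        package, dot, proc = value.rpartition(".")
        if not dot or not package or not proc:
            findings.append(("malformed", key, value))
            continue
        if package not in declared:
            findings.append(("undeclared-package", key, package))
        expected = baseline.get(key)
        if expected is not None and value != expected:
            findings.append(("changed", key, f"{expected} -> {value}"))
    for key in baseline.keys() - props.keys():
        findings.append(("missing", key, baseline[key]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Entries you add deliberately belong in the baseline, so that later runs report only unreviewed changes.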
5.3 Configuring Reconciliation
You can configure the connector to specify the type of reconciliation and its schedule.
This section provides details on the following topics related to configuring reconciliation:
5.3.1 Performing Full and Incremental Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. During incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.
After you create the application, you must first perform full reconciliation. To perform a full reconciliation run, remove (delete) any value currently assigned to the Filter attribute of the Full User Reconciliation job. During a full reconciliation run, if you provide both batching parameters and filters, the connector processes the data in batches. Then, filters are applied to the processed data.
To perform incremental reconciliation, you can configure and run the Target Incremental User Reconciliation job.
See Reconciliation Jobs for information about these reconciliation jobs.
5.3.2 Performing Limited Reconciliation
You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.
This connector provides a Filter attribute (a scheduled job attribute) that allows you to use any of the Oracle EBS User Management resource attributes to filter the target system records.
When you specify a value for the Filter attribute, only the target system records that match the filter criterion are reconciled into Oracle Identity Governance. If you do not specify a value for the Filter attribute, then all the records in the target system are reconciled into Oracle Identity Governance.
You specify a value for the Filter attribute while configuring the user reconciliation scheduled job. The following are a few examples of the values for the Filter attribute:
- To reconcile all target system accounts whose user name is like 'jo*', use the filter startsWith('user_name', 'jo').
- To reconcile all target system accounts whose email address is like '*@example.com', use the filter endsWith('EMAIL_ADDRESS', '@example.com').
- To reconcile all target system accounts whose start date is later than 1st August, 2015, use the filter greaterThan('START_DATE', 1438367400000).
  Note that the date value must be specified in milliseconds.
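The sample value 1438367400000 is the number of milliseconds since the Unix epoch for midnight on 1 August 2015 in a UTC+05:30 time zone; midnight UTC on the same date is 1438387200000, so a cutoff computed in the wrong zone shifts which accounts are reconciled. The following added example (not Oracle's code; the helper names are hypothetical) builds the filter from a timezone-aware date and decodes an existing filter value for review.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Matches only the greaterThan('<ATTR>', <millis>) form shown on this page.
_GREATER_THAN = re.compile(r"^greaterThan\('([^']+)',\s*(\d+)\)$")


def greater_than_filter(attribute, moment):
    """Build a greaterThan filter whose value is epoch milliseconds."""
    if moment.tzinfo is None:
        # A naive datetime would silently take the local zone of whichever
        # host runs this code, so refuse it.
        raise ValueError("pass a timezone-aware datetime")
    millis = (moment - EPOCH) // timedelta(milliseconds=1)
    return f"greaterThan('{attribute}', {millis})"


def filter_instant(filter_text):
    """Return (attribute, UTC datetime) for an existing greaterThan filter."""
    match = _GREATER_THAN.match(filter_text.strip())
    if not match:
        raise ValueError("not a greaterThan('<ATTR>', <millis>) filter")
    attribute, millis = match.group(1), int(match.group(2))
    return attribute, EPOCH + timedelta(milliseconds=millis)


if __name__ == "__main__":
    ist = timezone(timedelta(hours=5, minutes=30))
    # Same calendar date, two zones, two different cutoffs.
    print(greater_than_filter("START_DATE", datetime(2015, 8, 1, tzinfo=ist)))
    print(greater_than_filter("START_DATE", datetime(2015, 8, 1, tzinfo=timezone.utc)))
    # Decode the page's sample value to see the instant it represents.
    print(filter_instant("greaterThan('START_DATE', 1438367400000)"))
```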
For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
While creating the application, follow the instructions in Configuring Reconciliation Jobs to specify attribute values.
5.3.3 Performing Batched Reconciliation
You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.
During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Governance. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.
You can configure batched reconciliation to avoid these problems.
To configure batched reconciliation, you must specify a value for the batchSize basic configuration parameter. Use this parameter to specify the number of records that must be included in each batch. By default, this value is set to 1000.
You specify values for these attributes by following the instructions described in Configuring Reconciliation Jobs.
5.4 Configuring Reconciliation Jobs
Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
5.5 Performing Provisioning Operations
You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
- Log in to Identity Self Service.
- Create a user as follows:
- In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
- From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
- Enter details of the user in the Create User page.
- On the Account tab, click Request Accounts.
- In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
- Specify values for the fields in the application form and then click Ready to Submit.
- Click Submit.
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page
5.6 Uninstalling the Connector
Uninstalling the connector deletes all the account-related data associated with its resource objects.
If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector (for example, GoogleApps User; GoogleApps Group) as the value of the ObjectValues property.
Note:
If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValue properties, then the deletion of objects listed in the ObjectValues property is performed by the utility and the Connector information is skipped.
For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.