5 Using the Identity Cloud Service Connector

You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

5.1 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

This section discusses the following topics related to configuring reconciliation:

5.1.1 Performing Full and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. During incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.

After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance.

To perform a full reconciliation run, ensure that a value is not specified for the Filter and Latest Token attributes of scheduled jobs for reconciling user and group records.

At the end of the reconciliation run, the Latest Token attribute of the scheduled jobs for user and group record reconciliation is automatically set to the time stamp at which the run ended. From the next reconciliation run onward, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.

See IDCS Target Resource User Reconciliation Job and IDCS Group Reconciliation Job for information about these scheduled jobs.

You specify values for these attributes by following the instructions described in Configuring Reconciliation Jobs.

5.1.2 Performing Batched Reconciliation

You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Governance. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid these problems.

To configure batched reconciliation, you must specify a value for the Batch Size attribute of scheduled jobs for reconciling user and group records. The Batch Size attribute is used to specify the number of records that must be included in each batch. See IDCS Target Resource User Reconciliation Job, IDCS Target Resource User Delete Reconciliation Job, and IDCS Group Reconciliation Job for information about these scheduled jobs.

By default, the value of this attribute is empty, indicating that all records are included (no batched reconciliation).

You specify values for these attributes by following the instructions described in Configuring Reconciliation Jobs.

5.1.3 Performing Limited Reconciliation

You can perform limited reconciliation by creating filters for the reconciliation module and reconciling only those target system records that match a specified filter criterion.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

This connector provides a Filter attribute (a scheduled job attribute) that allows you to use any of the Identity Cloud Service resource attributes to filter the target system records. See IDCS Target Resource User Reconciliation Job and IDCS Group Reconciliation Job.

Note:

If you are using filters in reconciliation as described in this section, be consistent and always use the same filters for all reconciliation jobs. By using the same filters, you maintain consistency of the data and ensure that you work with the same user base in all reconciliation operations.

For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

You specify values for these attributes by following the instructions described in Configuring Reconciliation Jobs.
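How the Filter, Latest Token and Batch Size attributes described in the three preceding topics act together, as an added Python illustration rather than code from the connector or from Oracle: a simplified model in which each run selects records the way the scheduled jobs are described to, and then advances the token to the time the run ended. The record layout, the time stamps and the displayName filter are constructed for the example; meta.lastModified is the incremental attribute that the group reconciliation job in this chapter names by default.

```python
"""Added model of full, incremental, filtered and batched reconciliation.
Illustration only; this is not the connector's implementation."""
from datetime import datetime, timezone


def parse_ts(value: str) -> datetime:
    """Parse the UTC time stamps used by meta.lastModified and Latest Token."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(records, run_end, latest_token=None, filter_fn=None, batch_size=None):
    """Select the records one run would fetch and return (batches, new_latest_token).

    latest_token is None -> full reconciliation: every record that passes the filter
    latest_token is set  -> incremental: only records modified strictly after the token
    batch_size is None   -> a single batch holding every selected record
    """
    selected = []
    for rec in records:
        if filter_fn is not None and not filter_fn(rec):
            continue  # limited reconciliation: the Filter attribute excludes this record
        if latest_token is not None and parse_ts(rec["meta"]["lastModified"]) <= parse_ts(latest_token):
            continue  # unchanged since the last run
        selected.append(rec)
    if batch_size is None or batch_size <= 0:
        batches = [selected]
    else:
        batches = [selected[i:i + batch_size] for i in range(0, len(selected), batch_size)]
    # Like the scheduled jobs, hand back the run's end time as the next Latest Token:
    # the following run is incremental whether or not this one was full.
    return batches, run_end


# Constructed sample group records (not real IDCS data), shaped like IDCS resources.
SNAPSHOT_1 = [
    {"id": "g-001", "displayName": "admins", "meta": {"lastModified": "2016-10-19T06:55:00Z"}},
    {"id": "g-002", "displayName": "dev-web", "meta": {"lastModified": "2016-10-19T07:05:00Z"}},
    {"id": "g-003", "displayName": "dev-api", "meta": {"lastModified": "2016-10-19T07:20:00Z"}},
]
# The same target system later: g-001 was renamed and g-004 was created.
SNAPSHOT_2 = [
    {"id": "g-001", "displayName": "platform-admins", "meta": {"lastModified": "2016-10-19T07:40:00Z"}},
    SNAPSHOT_1[1],
    SNAPSHOT_1[2],
    {"id": "g-004", "displayName": "dev-ops", "meta": {"lastModified": "2016-10-19T08:00:00Z"}},
]


def ids(batches):
    """Reduce batches of records to batches of record ids for readable output."""
    return [[rec["id"] for rec in batch] for batch in batches]


def demo():
    """A full run, then an incremental run with its token, then a filtered run in batches of two."""
    full, token = reconcile(SNAPSHOT_1, run_end="2016-10-19T07:24:49Z")
    incremental, token = reconcile(SNAPSHOT_2, run_end="2016-10-19T08:10:00Z", latest_token=token)
    filtered, _ = reconcile(
        SNAPSHOT_2,
        run_end="2016-10-19T08:20:00Z",
        filter_fn=lambda rec: rec["displayName"].startswith("dev-"),
        batch_size=2,
    )
    return {"full": ids(full), "incremental": ids(incremental), "filtered": ids(filtered), "token": token}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The incremental run picks up only the renamed group and the new group because both carry a meta.lastModified later than the token left by the full run; the filtered run is a full run (no token) restricted to the dev- groups and split into batches of two. Clearing Latest Token, as the text above describes, is what turns the next run back into a full one.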

5.2 Configuring Reconciliation Jobs

Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.

You can apply this procedure to configure the reconciliation jobs for users and entitlements.

To configure a reconciliation job:
  1. Log in to Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled job as follows:
    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type. See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Governance.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

5.3 Configuring Provisioning

Learn about performing provisioning operations in Oracle Identity Governance and the guidelines that you must apply while performing these operations.

5.3.1 Guidelines on Performing Provisioning Operations

These are the guidelines that you must apply while performing provisioning operations.

  • During the Create User provisioning operation, if you do not want the target system to send the account creation notification to users and do not want users to reset their password on first login, then you must enable hashing on the default password. To do so, set the hashPasswordEnabled advanced settings parameter to true.

    As a result, accounts are provisioned on Identity Cloud Service with the password that is assigned to the corresponding Oracle Identity Governance Users. Also, the e-mail notification is not sent from Identity Cloud Service and users do not need to reset their password on first login in Identity Cloud Service.

  • During the Delete User provisioning operation, if you want to delete users that are associated with one or more entities (Groups or Applications) in Identity Cloud Service, then you must update the relURLs advanced settings parameter. To do so, add the "__ACCOUNT__.DeleteOp=/Users/$(__ACCOUNT__.__UID__)$?forceDelete=true" value at the end of the relURLs entry.

    The updated sample value is: "__ACCOUNT__.password.UpdateOp=/Users/$(__ACCOUNT__.__UID__)$","__ACCOUNT__.DeleteOp=/Users/$(__ACCOUNT__.__UID__)$?forceDelete=true".

For details on the hashPasswordEnabled and relURLs parameters, see Advanced Settings Parameters.
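The relURLs value shown in the second guideline above, parsed and rendered in an added Python example that is not the connector's code: it splits the setting into operation entries, fills the $(__ACCOUNT__.__UID__)$ placeholder, and checks whether the DeleteOp entry carries forceDelete=true. The entry syntax and the placeholder syntax are taken from the sample value on this page and treated as an assumption about how the connector interprets them; the UIDs are constructed.

```python
"""Added illustration of the relURLs advanced-settings format.
Not the connector's code; the entry and placeholder syntax are assumed from
the sample value in this chapter."""
import re
from typing import Optional
from urllib.parse import quote

# Constructed from the page's "updated sample value" for relURLs.
REL_URLS_WITH_FORCE_DELETE = (
    '"__ACCOUNT__.password.UpdateOp=/Users/$(__ACCOUNT__.__UID__)$",'
    '"__ACCOUNT__.DeleteOp=/Users/$(__ACCOUNT__.__UID__)$?forceDelete=true"'
)
# The same setting before the DeleteOp entry is appended.
REL_URLS_DEFAULT = '"__ACCOUNT__.password.UpdateOp=/Users/$(__ACCOUNT__.__UID__)$"'

# Assumed syntax: comma-separated, double-quoted "<operation key>=<relative URL>" entries.
ENTRY_RE = re.compile(r'"([^"=]+)=([^"]*)"')
# Assumed syntax: $(<attribute name>)$ placeholders inside the relative URL.
PLACEHOLDER_RE = re.compile(r"\$\(([^)]+)\)\$")


def parse_rel_urls(value: str) -> dict:
    """Split a relURLs value into {operation key: relative URL template}."""
    return {key: template for key, template in ENTRY_RE.findall(value)}


def render(template: str, attrs: dict) -> str:
    """Replace each $(name)$ placeholder with the URL-encoded attribute value."""
    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"no value for placeholder {name}")
        return quote(str(attrs[name]), safe="")
    return PLACEHOLDER_RE.sub(substitute, template)


def delete_is_forced(value: str) -> bool:
    """True when the DeleteOp entry carries forceDelete=true, that is, when a user who
    still belongs to groups or applications in IDCS is removed rather than rejected."""
    template = parse_rel_urls(value).get("__ACCOUNT__.DeleteOp", "")
    query = template.partition("?")[2]
    return "forceDelete=true" in query.split("&")


def delete_path(value: str, uid: str) -> Optional[str]:
    """Relative delete URL for the account with this UID, or None if relURLs has no DeleteOp."""
    template = parse_rel_urls(value).get("__ACCOUNT__.DeleteOp")
    if template is None:
        return None
    return render(template, {"__ACCOUNT__.__UID__": uid})


if __name__ == "__main__":
    for setting in (REL_URLS_DEFAULT, REL_URLS_WITH_FORCE_DELETE):
        print(delete_is_forced(setting), delete_path(setting, "1a2b3c"))
```

delete_is_forced is the check an administrator would run against the exported advanced settings before enabling the Delete User operation, since a forced delete removes the account together with its group and application associations on the target.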

5.3.2 Performing Provisioning Operations

You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

  1. Log in to Identity Self Service.
  2. Create a user as follows:
    1. In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
    2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
    3. Enter details of the user in the Create User page.
  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
  5. Specify values for the fields in the application form and then click Ready to Submit.
  6. Click Submit.

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page

5.4 Connector Objects Used For Group Management

Learn about the objects that are used by the connector to perform group management operations such as create, update, and delete.

This section provides information related to connector objects used during a provisioning or reconciliation operation:

5.4.1 Lookup Definitions for Group Management

These are the lookup definitions that map group resource object fields in Oracle Identity Governance and the target system attributes. The Lookup.IDCS.GM.ReconAttrMap lookup definition is used for performing target resource group reconciliation runs. The Lookup.IDCS.GM.ProvAttrMap lookup definition is used for performing group provisioning operations.

Table 5-1 lists the entries in the Lookup.IDCS.GM.ReconAttrMap and Lookup.IDCS.GM.ProvAttrMap lookup definitions.

Table 5-1 Entries in the Lookup Definitions for Group Management

Code Key                 Decode
Description              description
Group Id                 __UID__
Group Name               __NAME__
OIG Organization Name    OIG Organization Name

5.4.2 Reconciliation Scheduled Jobs for Group Management

After you create an application, reconciliation scheduled jobs are automatically created for group management operations in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.

This topic provides information about the following scheduled jobs:

5.4.2.1 IDCS Group Reconciliation Job

You use the IDCS Group Reconciliation scheduled job to reconcile group data from the target system.

Table 5-2 Attributes of the IDCS Group Reconciliation Scheduled Job

Attribute                  Description

Filter
  Enter the search filter for fetching records from the target system during a reconciliation run.
  See Performing Limited Reconciliation for more information about filtered reconciliation.

Incremental Recon Attribute
  This attribute holds the name of the target system attribute whose value is used to identify the records created or modified since the last run during incremental reconciliation.
  Default value: meta.lastModified
  Note: Do not change the value of this attribute.

IT Resource Name
  Enter the name of the IT resource for the target system installation from which you want to reconcile group records.
  Default value: Identity Cloud Services

Latest Token
  Attribute that holds the date on which the token record was modified. The Latest Token attribute is used for internal purposes. By default, this value is empty.
  Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.
  Sample value: <String>2016-10-19T07:24:49Z</String>

Object Type
  This attribute holds the name of the object type for the reconciliation run.
  Default value: Group
  Note: Group is the only object that is supported. Therefore, do not change the value of this attribute.

OIM Organization Name
  Name of the organization that is used for reconciliation.

Resource Object Name
  This attribute holds the name of the resource object used for reconciliation.
  Default value: IDCS Group

5.4.2.2 IDCS Group Delete Reconciliation Job

You use the IDCS Group Delete Reconciliation scheduled job to reconcile deleted group data from the target system.

Table 5-3 Attributes of the IDCS Group Delete Reconciliation Scheduled Job

Attribute                  Description

Batch Size
  Enter the number of records that must be included in each batch fetched from the target system during reconciliation.
  By default, the value of this attribute is empty, indicating that all records are included for reconciliation.

IT Resource Name
  Enter the name of the IT resource for the target system installation from which you want to reconcile group records.
  Default value: Identity Cloud Services

Object Type
  This attribute holds the name of the object type for the reconciliation run.
  Default value: Group
  Note: Group is the only object that is supported. Therefore, do not change the value of this attribute.

OIM Organization Name
  Name of the organization that is used for delete reconciliation.

Resource Object Name
  This attribute holds the name of the resource object used for reconciliation.
  Default value: IDCS Group

5.4.3 Reconciliation Rules for Group Management

The reconciliation engine uses rules to determine the identity to which Oracle Identity Governance must assign a newly discovered account on the target system.

This section discusses the following topics related to the group reconciliation rule for target resource reconciliation:

5.4.3.1 Reconciliation Rule for Groups

The Identity Cloud Service connector can perform reconciliation of groups. Therefore, the connector has reconciliation rules defined specifically for groups.

Rule name: IDCS Groups Recon Rule

Rule element: Organization Name Equals OIG Org Name.

In this rule:
  • Organization Name is the Organization Name field of the Oracle Identity Governance User form.

  • OIG Org Name is the organization name of the groups in Oracle Identity Governance. OIG Org Name is the value specified in the Organization Name attribute of the IDCS Group Recon scheduled job.

5.4.3.2 Viewing Reconciliation Rules in the Design Console

You can view reconciliation rules for groups on the Reconciliation Rule Builder form in Oracle Identity Manager Design Console.

To view the reconciliation rule for groups:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Development Tool and then double-click Reconciliation Rules.
  3. Search for and open the IDCS Groups Recon Rule.

5.4.4 Reconciliation Action Rules for Group Management

Reconciliation action rules specify the actions that the connector must perform depending on whether or not matching Identity Cloud Service resources or Oracle Identity Governance Users are found when the reconciliation rule is applied.

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions.

The following sections provide information about the action rules for this connector:

5.4.4.1 Reconciliation Action Rules for Groups

Reconciliation action rules specify the actions the connector must perform based on the result of the processing of a reconciliation event. These are the reconciliation action rules for groups.

Table 5-4 Reconciliation Action Rules for Groups

Rule Condition             Action
No matches found           None
One entity match found     Establish link
One process match found    Establish link
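How the IDCS Groups Recon Rule from Reconciliation Rule for Groups and the action rules of Table 5-4 combine for one group reconciliation event, as an added Python model that is not the reconciliation engine or any Oracle code: the rule element Organization Name Equals OIG Org Name is evaluated against every candidate, the number of matches gives the rule condition, and the condition is looked up in the table. Conditions the table does not predefine (several matches) get no action, as the note at the start of this section states. The events and entities are constructed.

```python
"""Added model of group reconciliation rule evaluation and action-rule lookup.
Illustration only; not the Oracle Identity Governance reconciliation engine."""

# Table 5-4, keyed by rule condition. "None" here is the table's own action name.
ACTION_RULES = {
    "No matches found": "None",
    "One entity match found": "Establish link",
    "One process match found": "Establish link",
}


def recon_rule_matches(event: dict, entity: dict) -> bool:
    """IDCS Groups Recon Rule, rule element: Organization Name Equals OIG Org Name."""
    return entity["Organization Name"] == event["OIG Org Name"]


def evaluate_event(event: dict, entities: list) -> dict:
    """Apply the rule to each candidate, derive the condition and look up the action.

    A condition that Table 5-4 does not predefine yields a Python None action,
    meaning nothing is done; it is reported so an administrator can define an
    action rule for it or correct the data.
    """
    matches = [e for e in entities if recon_rule_matches(event, e)]
    if not matches:
        condition = "No matches found"
    elif len(matches) == 1:
        condition = "One entity match found"
    else:
        condition = "Multiple matches found"  # not predefined for this connector
    return {
        "group": event["Group Name"],
        "condition": condition,
        "action": ACTION_RULES.get(condition),
        "matched": [e["name"] for e in matches],
    }


# Constructed Oracle Identity Governance entities, each with its Organization Name.
ENTITIES = [
    {"name": "Engineering", "Organization Name": "Engineering"},
    {"name": "Finance-EMEA", "Organization Name": "Finance"},
    {"name": "Finance-APAC", "Organization Name": "Finance"},
]

# Constructed reconciliation events; OIG Org Name is the value the scheduled job supplies.
EVENTS = [
    {"Group Name": "dev-web", "OIG Org Name": "Engineering"},
    {"Group Name": "contractors", "OIG Org Name": "Sales"},
    {"Group Name": "auditors", "OIG Org Name": "Finance"},
]


def run_all(events=EVENTS, entities=ENTITIES) -> list:
    """Evaluate every event and return the per-event decisions."""
    return [evaluate_event(event, entities) for event in events]


if __name__ == "__main__":
    for decision in run_all():
        print(decision)
```

The third event is the case worth watching in a real deployment: two entities share the organization name, so the engine has no predefined action and the group stays unlinked until the ambiguity is resolved.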

5.4.4.2 Viewing Reconciliation Action Rules in Design Console

You can view reconciliation action rules for groups by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Resource Management, and double-click Resource Objects.
  3. Search for and open the IDCS Group resource object.
  4. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab.
    The Reconciliation Action Rules tab displays the action rules that are defined for this connector.

5.5 Uninstalling the Connector

Uninstalling the Identity Cloud Service connector deletes all the account-related data associated with its resource objects.

If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector as the value of the ObjectValues property.

For example: IDCS User; IDCS Group

Note:

If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the utility deletes only the objects listed in the ObjectValues property and skips the connector information.

For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.