3 Configuring the SAP User Management Connector
While creating a target application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.
3.1 Basic Configuration Parameters
These are the connection-related parameters that Oracle Identity Governance requires to connect to the target applications.
The following tables list basic configuration parameters of the SAP UM and SAP AC UM connectors.
Table 3-1 Parameters in the Basic Configuration Section for the SAP UM Connector and the SAP UM Connector with SoD
Parameters | Mandatory? | Description |
---|---|---|
Connector Server Name | No | If you created an IT resource of the type Connector Server, then enter its name. |
TopologyName | No | Name of the topology of the target system host computer. |
client | Yes | SAP client setting. Default value: |
configureConnectionTuning | No | Allows the connection properties to be customized when the SAP Destination is configured. Default value: |
connectionMaxGetTime | No | Maximum time to wait for a connection (specified in milliseconds). Default value: |
connectionPoolActiveLimit | No | Maximum number of active connections that can be created for a destination simultaneously. Default value: |
connectionPoolCapacity | No | Maximum number of idle connections that can be kept open by the destination. Default value: |
connectionPoolExpirationPeriod | No | Enter an integer value which specifies the number of milliseconds after which the connections that have been released have expired. See Table 3-3 for more information. Default value: |
connnectionPoolExpirationTime | No | Enter an integer value which specifies the number of milliseconds after which the connections that have been freed can be closed. See Table 3-3 for more information. Default value: |
destination | Yes | Enter a unique value that the SAPJCo library uses to interact with the SAP system. Sample value: |
dummyPassword | No | Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form. |
host | Yes | Enter the host name of the target system. |
jcoGroup | No | Group of SAP application servers. It is one of the parameters used for enabling the use of a logon group. |
jcoSAPRouter | No | SAP router string to be used for a system protected by a firewall. Default value: |
jcoTrace | No | Absolute path to the directory where the trace files will be created. Default value: |
jcoTraceDir | No | Level of SAP JCO tracing to enable. Enter 0 or any positive integer up to and including 10. Default value: |
language | Yes | Enter the two-letter code for the language set on the target system. Default value: |
loadBalance | No | Enter TRUE to enable the use of Logon Group. Default value: |
masterSystem | Yes | Enter the RFC Destination value that is used for identification of the SAP system. This value must be the same as that of the Logical System name. Sample value: Here the sample value is based on the following format used in SAP System: <SYSTEM_ID>CLNT<CLIENT_NUM>. In this sample value, EH6 is the System ID of the target system and 001 is the client number. |
maxBAPIRetries | No | Maximum number of retries for BAPI execution. Default value: |
msHost | No | Enter the host name of the message server. Default value: |
msServ | No | SAP message server port to be used instead of the default sapms. Default value: |
password | Yes | When using normal authentication, password of the User account. |
r3Name | No | Enter the host name of the SAP ERP or SAP CUA system. |
retryWaitTime | No | Enter a value in milliseconds within which the connection to the target system is retried after a connection failure. Default value: |
sncLib | No | Enter the full path and name of the crypto library on the target system host computer. This is required only if SNC is enabled. |
sncName | No | Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Sample value: |
sncPartnerName | No | Enter the domain name of the target system host computer. Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Sample value: |
sncProtectionLevel | No | Enter the protection level (quality of protection, QOP) at which data is transferred. The value can be any one of the following numbers: Note: Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Default value: |
sncX509Cert | No | The X509 certificate that does not contain the BEGIN CERTIFICATE or END CERTIFICATE strings when using SNC. |
systemNumber | Yes | SAP system number. Default value: |
useSNC | No | Enter true, if you want to configure secure communication between Oracle Identity Governance and the target system. Otherwise, enter false. Default value: |
user | Yes | Enter a user name that has permissions to create accounts in target. |
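The rules stated in Table 3-1 (mandatory parameters, the masterSystem format, and the dependencies between useSNC and the snc* parameters) can be checked before a target application is saved. The following Python check is an added example and is not Oracle code: the function names and sample values are constructed for illustration (EH6CLNT001 is assembled from the System ID and client number mentioned above), the meanings of the QOP codes come from SAP's SNC documentation rather than this page, and an unset useSNC is assumed to mean SNC is off.

```python
import re

# Mandatory parameters, from the "Mandatory?" column of Table 3-1.
MANDATORY = ("client", "destination", "host", "language",
             "masterSystem", "password", "systemNumber", "user")

# SNC quality-of-protection codes. The list is not on this page; these are
# the values SAP documents for SNC.
SNC_QOP = {"1": "authentication only", "2": "integrity protection",
           "3": "privacy protection (encryption)", "8": "default",
           "9": "maximum available"}
NO_ENCRYPTION_QOP = {"1", "2"}

# <SYSTEM_ID>CLNT<CLIENT_NUM>: three-character system ID, three-digit client.
MASTER_SYSTEM_RE = re.compile(r"[A-Z][A-Z0-9]{2}CLNT[0-9]{3}")
SNC_KEYS = ("sncLib", "sncName", "sncPartnerName",
            "sncProtectionLevel", "sncX509Cert")


def _val(cfg, key):
    """Return a parameter as a stripped string ('' when unset)."""
    value = cfg.get(key)
    return "" if value is None else str(value).strip()


def strip_pem_armor(cert_text):
    """Drop the BEGIN/END CERTIFICATE lines and join the base64 body."""
    lines = (ln.strip() for ln in cert_text.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def lint_basic_config(cfg):
    """Return a list of (severity, parameter, message) findings."""
    findings = []
    for key in MANDATORY:
        if not _val(cfg, key):
            findings.append(("ERROR", key, "mandatory parameter is empty"))

    lang = _val(cfg, "language")
    if lang and not re.fullmatch(r"[A-Za-z]{2}", lang):
        findings.append(("ERROR", "language", "expected a two-letter code"))

    master = _val(cfg, "masterSystem")
    if master and not MASTER_SYSTEM_RE.fullmatch(master):
        findings.append(("ERROR", "masterSystem",
                         "expected <SYSTEM_ID>CLNT<CLIENT_NUM>"))

    if _val(cfg, "loadBalance").lower() == "true" and not _val(cfg, "jcoGroup"):
        findings.append(("WARN", "jcoGroup",
                         "loadBalance is TRUE but no logon group is named"))

    # Assumption: an unset useSNC is treated the same as "false".
    if _val(cfg, "useSNC").lower() != "true":
        findings.append(("WARN", "useSNC",
                         "secure communication (SNC) is not enabled"))
        for key in SNC_KEYS:
            if _val(cfg, key):
                findings.append(("WARN", key, "set although useSNC is not true"))
        return findings

    if not _val(cfg, "sncLib"):
        findings.append(("ERROR", "sncLib",
                         "crypto library path is required when SNC is enabled"))
    for key in ("sncName", "sncPartnerName"):
        if not _val(cfg, key):
            findings.append(("WARN", key, "empty although SNC is enabled"))

    qop = _val(cfg, "sncProtectionLevel")
    if qop and qop not in SNC_QOP:
        findings.append(("ERROR", "sncProtectionLevel", "unknown QOP value"))
    elif qop in NO_ENCRYPTION_QOP:
        findings.append(("WARN", "sncProtectionLevel",
                         "QOP %s is %s; traffic is not encrypted" % (qop, SNC_QOP[qop])))

    cert = _val(cfg, "sncX509Cert")
    if "BEGIN CERTIFICATE" in cert or "END CERTIFICATE" in cert:
        findings.append(("ERROR", "sncX509Cert",
                         "remove the BEGIN/END CERTIFICATE lines"))
    return findings


# Constructed sample values; none of them come from a real system.
PEM_SAMPLE = ("-----BEGIN CERTIFICATE-----\n"
              "Q09OU1RSVUNURUQ=\n"
              "-----END CERTIFICATE-----")
SAMPLE_WEAK = {
    "client": "001", "destination": "OIG_DEST_EXAMPLE",
    "host": "sap.example.com", "language": "EN",
    "masterSystem": "EH6CLNT001", "password": "placeholder-secret",
    "systemNumber": "00", "user": "OIG_SVC_EXAMPLE",
    "useSNC": "true", "sncLib": "",
    "sncName": "p:CN=OIG, O=Example", "sncPartnerName": "p:CN=EH6, O=Example",
    "sncProtectionLevel": "1", "sncX509Cert": PEM_SAMPLE,
}
SAMPLE_HARDENED = dict(SAMPLE_WEAK,
                       sncLib="/opt/example/libsapcrypto.so",
                       sncProtectionLevel="3",
                       sncX509Cert=strip_pem_armor(PEM_SAMPLE))

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, lint_basic_config(cfg))
```

The same check applies to the identically named parameters of the SAP AC UM connector in Table 3-2.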
Table 3-2 Parameters in the Basic Configuration Section for the SAP AC UM Connector
Parameters | Mandatory? | Description |
---|---|---|
Connector Server Name | No | If you created an IT resource of the type Connector Server, then enter its name. |
TopologyName | No | Name of the topology of the target system host computer. |
client | Yes | SAP client setting. Default value: |
configureConnectionTuning | No | Allows the connection properties to be customized when the SAP Destination is configured. Default value: |
connectionMaxGetTime | No | Maximum time to wait for a connection (specified in milliseconds). Default value: |
connectionPoolActiveLimit | No | Maximum number of active connections that can be created for a destination simultaneously. Default value: |
connectionPoolCapacity | No | Maximum number of idle connections that can be kept open by the destination. Default value: |
connectionPoolExpirationPeriod | No | Enter an integer value which specifies the number of milliseconds after which the connections that have been released have expired. See Table 3-3 for more information. Default value: |
connnectionPoolExpirationTime | No | Enter an integer value which specifies the number of milliseconds after which the connections that have been freed can be closed. See Table 3-3 for more information. Default value: |
destination | Yes | Enter a unique value that the SAPJCo library uses to interact with the SAP system. Sample value: |
dummyPassword | No | Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form. |
host | Yes | Enter the host name of the target system. |
jcoGroup | No | Group of SAP application servers. It is one of the parameters used for enabling the use of a logon group. |
jcoSAPRouter | No | SAP router string to be used for a system protected by a firewall. Default value: |
jcoTrace | No | Absolute path to the directory where the trace files will be created. Default value: |
jcoTraceDir | No | Level of SAP JCO tracing to enable. Enter 0 or any positive integer up to and including 10. Default value: |
language | Yes | Enter the two-letter code for the language set on the target system. Default value: |
loadBalance | No | Enter TRUE to enable the use of Logon Group. Default value: |
masterSystem | Yes | Enter the RFC Destination value that is used for identification of the SAP system. This value must be the same as that of the Logical System name. Sample value: Here the sample value is based on the following format used in SAP System: <SYSTEM_ID>CLNT<CLIENT_NUM>. In this sample value, EH6 is the System ID of the target system and 001 is the client number. |
maxBAPIRetries | No | Maximum number of retries for BAPI execution. Default value: |
msHost | No | Enter the host name of the message server. Default value: |
msServ | No | SAP message server port to be used instead of the default sapms. Default value: |
password | Yes | When using normal authentication, password of the User account. |
r3Name | No | Enter the host name of the SAP ERP or SAP CUA system. |
retryWaitTime | No | Enter a value in milliseconds within which the connection to the target system is retried after a connection failure. Default value: |
sncLib | No | Enter the full path and name of the crypto library on the target system host computer. This is required only if SNC is enabled. |
sncName | No | Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Sample value: |
sncPartnerName | No | Enter the domain name of the target system host computer. Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Sample value: |
sncProtectionLevel | No | Enter the protection level (quality of protection, QOP) at which data is transferred. The value can be any one of the following numbers: Note: Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Default value: |
sncX509Cert | No | The X509 certificate that does not contain the BEGIN CERTIFICATE or END CERTIFICATE strings when using SNC. |
systemNumber | Yes | SAP system number. Default value: |
useSNC | No | Enter true, if you want to configure secure communication between Oracle Identity Governance and the target system. Otherwise, enter false. Default value: |
user | Yes | Enter a user name that has permissions to create accounts in target. |
grcLanguage | Yes | Enter the two-letter code for the language set on the GRC system. Sample value: Note: This is applicable only to the SAP AC UM connector. |
grcPassword | Yes | Enter the password of the GRC System. Note: This is applicable only to the SAP AC UM connector. |
grcUsername | Yes | Enter the user name of the GRC System. Note: This is applicable only to the SAP AC UM connector. |
3.2 Advanced Settings Parameters
These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.
The following table lists the advanced settings parameters for the SAP UM connector.
Table 3-3 Advanced Settings Parameters for the SAP UM Connector and the SAP UM Connector with SoD
Parameter | Mandatory? | Description |
---|---|---|
aliasUser | No | Enter the logon user alias depending on the target system. Default value: |
batchSize | No | Enter the number of records in each batch that must be fetched from the target system during a reconciliation run. Default value: |
Bundle Name | No | Name of the connector bundle package. Default value: |
Bundle Version | No | Version of the connector bundle class. Default value: |
changePasswordAtNextLogon | No | For accounts created through Oracle Identity Governance, password management can be configured by using the changePasswordAtNextLogon entry. Enter |
codePage | No | This entry holds the initial code page in SAP notation. Default value: |
compositeRoles | No | Enter yes if you want to fetch composite roles from target. Otherwise enter no. Note: Both singleRoles and compositeRoles decode values cannot be "no"; at least one of the values should be "yes". |
Connector Name | No | Name of the connector class. Default value: |
cuaChildInitialPasswordChangeFuncModule | No | Name of the Remote Enabled function module that changes the initial password for a user on all CUA child systems. This parameter is not used unless CUA is enabled. If the value is not set, then the password changes will only apply to the CUA system. Setting productive passwords on CUA child systems will also automatically fail without this setting. Do not this entry. Default value: |
cuaChildPasswordChangeFuncModue | No | Name of the Remote Enabled function module which changes the productive password for a user on a CUA child system. This attribute is not used unless CUA is enabled. Note: If the default value is used, then only the password stored on the CUA central system will be changed. Default value: |
disableLockStatus | No | Enter a lock status of a user in SAP system. Default value: |
enableCUA | No | Enter yes if the target system is SAP CUA. Otherwise, enter no. |
gatewayHost | No | This entry holds the name or IP address of the gateway host. Default value: |
gatewayService | No | This entry holds the name of the gateway service. Default value: |
getSSO2 | No | Get or do not get a SSO ticket after logon. The value of this entry can be 1 or 0. |
groups | No | This field is an embedded object that is defined in the attribute mapping. In the default entry, GROUPS is a table name and USERGROUP is a field name on the target system. Default value: |
ICheck | No | Enable or disable logon check at open time. The value of this entry can be set to |
mySAPSSO2 | No | Specifies the SAP Cookie Version 2 that must be used as a logon ticket. |
parameters | No | This field is an embedded object that is defined in the attribute mapping. In the default entry, PARAMETER1 is a table name, and PARID and PARVA are the field names on the target system. Default value: |
overwriteLink | No | Enter |
passwordPropagateToChildSystem | No | Enter yes if you want the connector to propagate user password changes from the SAP CUA parent system to its child systems. Otherwise, enter no. |
profiles | No | This field is an embedded object defined in the attribute mapping. In the decode entry, PROFILES is a table name, and SUBSYSTEM and PROFILE are the field names on the target system. Default value: |
ProfileAttributeLabel | No | This field holds the label name of the profile name field in the child form. Sample value: |
Profile attribute name | No | This field holds a list of field names for the Profile duty type. The values of this list are separated by a semicolon (;). Sample value: |
Profile form names | No | This field holds a list of all profile child form names used during direct and request-based provisioning. Sample value: |
reconcilefuturedatedroles | No | Enter |
reconcilepastdatedroles | No | Enter |
repositoryDestination | No | Specifies the destination to be used as repository. Default value: |
repositoryPassword | No | Specifies the password for a repository user. This entry is mandatory if a repository user is used. Default value: |
repositorySNCMode | No | This entry is optional. If SNC is used for this destination, you can turn off SNC for repository connections by setting the value of this parameter to |
repositoryUser | No | This entry is optional. If the repository destination is not set, and this entry is set, this entry will be used as user for repository calls. With this entry, you can use a different user for repository lookups. Default value: |
RoleAttributeLabel | No | This entry holds the label name of the role name field in the child form. Sample value: |
Role attribute name | No | This field holds a list of field names for the Role duty type. The values of this list are separated by a semicolon (;). Sample value: |
Role form names | No | This field holds a list of all role child form names used during direct and request-based provisioning. Sample value: |
sapSystemTimeZone | No | This entry holds the SAP target system time zone. Default value: |
singleRoles | No | Enter |
tpHost | No | This entry holds the host name of the external server program. Default value: |
tpName | No | This entry holds the program ID of the tp server program. Default value: |
type | No | This entry holds the type of the remote host. This entry can hold the following values: |
validatePERNR | No | Enter |
wsdlFilePath | No | Enter the absolute path of the directory containing the following file: GRAC_RISK_ANALYSIS_WOUT_NO_WS.WSDL Note: |
roles | No | This field is an embedded object defined in the attribute mapping. In the decode entry, ACTIVITYGROUPS is a table name on the target system. SUBSYSTEM, TO_DAT, FROM_DAT, AGR_NAME and ORG_FLAG are the field names on the target system. Default value: |
Pool Max Idle | No | Maximum number of idle objects in a pool. Default value: |
Pool Max Size | No | Maximum number of connections that the pool can create. Default value: |
Pool Max Wait | No | Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: |
Pool Min Evict Idle Time | No | Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: |
Pool Min Idle | No | Minimum number of idle objects in a pool. Default value: |
entitlementRiskAnalysisAccessURl | No | This entry holds the URL for Entitlement Risk Analysis web service. Note: This parameter is applicable only for SAP UM with SoD. |
entitlementRiskAnalysisWS | No | Web service client class to do the risk analysis in SAP BusinessObjects AC. Default value: Note: This parameter is applicable only for SAP UM with SoD. |
ReportFormat | No | Note: For webService grac_risk_analysis_wout_no_ws, ReportFormat is a mandatory field from SP17 onwards. Default value: Note: This parameter is applicable only for SAP UM with SoD. |
The following table lists the advanced settings parameters for the SAP AC UM connector.
Table 3-4 Advanced Settings Parameters for the SAP AC UM Connector
Parameter | Mandatory? | Description |
---|---|---|
aliasUSer | No | Enter the logon user alias depending on the target system. Default value: |
appLookupAccessURL | No | URL for Application Lookup web service. Default value: |
appLookupWS | No | Web service client class to get all applications configured in SAP GRC. Default value: |
assignRoleReqType | No | This entry holds the name of the request type that is used for assign role request in SAP GRC. The format of the decode value is as follows: RequestType~RequestTypeName~ItemProvActionForSystem~ItemProvActionForRole The value of RequestType is available in Lookup.SAPAC10ABAP.RequestType. The values of ItemProvActionForSystem and ItemProvActionForRole are available in Lookup.SAPAC10ABAP.ItemProvAction. Default value: |
auditLogsAccessURL | No | URL for Audit Logs web service. Default value: |
auditLogsWS | No | Web service client class to get audit logs. Default value: |
batchSize | No | Enter the number of records in each batch that must be fetched from the target system during a reconciliation run. Default value: |
Bundle Name | No | Name of the connector bundle package. Default value: |
Bundle Version | No | Version of the connector bundle class. Default value: |
changePasswordAtNextLogon | No | For accounts created through Oracle Identity Governance, password management can be configured by using the changePasswordAtNextLogon entry. Enter |
codePage | No | This entry holds the initial code page in SAP notation. Default value: |
compositeRoles | No | Enter yes if you want to fetch composite roles from target. Otherwise enter no. Note: Both singleRoles and compositeRoles decode values cannot be "no"; at least one of the values should be "yes". |
Connector Name | No | Name of the connector class. Default value: |
createUserReqType | No | Name of the request type that the connector must use for the create user request in SAP GRC. The format of the decode value is as follows: The value of RequestType is available in Lookup.SAPAC10ABAP.RequestType. The value of ItemProvActionForSystem is available in Lookup.SAPAC10ABAP.ItemProvAction. Default value: |
UserReqType | No | Name of the request type to use for modifying user request in SAP GRC. Default value: |
cuaChildInitialPasswordChangeFuncModule | No | Name of the Remote Enabled function module that changes the initial password for a user on all CUA child systems. This parameter is not used unless CUA is enabled. If the value is not set, then the password changes will only apply to the CUA system. Setting productive passwords on CUA child systems will also automatically fail without this setting. Do not this entry. Default value: |
cuaChildPasswordChangeFuncModue | No | Name of the Remote Enabled function module which changes the productive password for a user on a CUA child system. This attribute is not used unless CUA is enabled. Note: If the default value is used, then only the password stored on the CUA central system will be changed. Default value: |
deleteUserReqType | No | Name of the request type that the connector must use for the delete user request in SAP GRC. Default value: |
disableLockStatus | No | Enter a lock status of a user in SAP system. Default value: |
enableCUA | No | Enter yes if the target system is SAP CUA. Otherwise, enter no. |
gatewayHost | No | This entry holds the name or IP address of the gateway host. Default value: |
gatewayService | No | This entry holds the name of the gateway service. Default value: |
getSSO2 | No | Get or do not get a SSO ticket after logon. The value of this entry can be 1 or 0. |
ignoreOpenStatus | No | Specify whether new requests can be sent for a particular user, even if the last request for the user is in the Open status. Default value: |
ICheck | No | Enable or disable logon check at open time. The value of this entry can be set to |
lockUserReqType | No | Name of the request type to use for lock user request in SAP GRC. Default value: |
logAuditTrial | No | Specify whether complete audit trail needs to be logged whenever status request web service is invoked. Default value: |
mySAPSSO2 | No | Specifies the SAP Cookie Version 2 that must be used as a logon ticket. Default value: |
otherLookupAccessURL | No | URL for Other Lookup web service areas such as Business Process, Functional Area, and so on. Default value: |
otherLookupWS | No | Web service client class to get other lookup fields such as Business Process, Functional Area, and so on. Default value: |
overwriteLink | No | Enter |
provActionAttrName | No | Name of the attribute in the target system that contains the details required for performing provisioning operations to a specific backend system. Default value: Note: Do not this value. |
provItemActionAttrName | No | Name of the attribute in the target system that contains the details required for performing provisioning roles. Default value: Note: Do not this value. |
reconcilefuturedatedroles | No | Enter |
reconcilepastdatedroles | No | Enter |
removeRoleReqType | No | Name of the request type to use for remove user request in SAP GRC. Default value: |
repositoryDestination | No | Specifies the destination to be used as repository. Default value: |
repositoryPassword | No | Specifies the password for a repository user. This entry is mandatory if a repository user is used. Default value: |
repositorySNCMode | No | This entry is optional. If SNC is used for this destination, you can turn off SNC for repository connections by setting the value of this parameter to |
repositoryUser | No | This entry is optional. If the repository destination is not set, and this entry is set, this entry will be used as user for repository calls. With this entry, you can use a different user for repository lookups. Default value: |
requestStatusAccessURL | No | URL for Status Request web service. Default value: |
requeststatusvalue | No | The value that gets updated in the AC Request Status field on the process form. Default value: |
requestStatusWS | No | Web service client class to get status of provisioning request. Default value: |
requestTypeAttrName | No | Name of the request type attribute used to differentiate request flows from the SAPUMCREATE adapter. Default value: |
riskLevel | No | In SAP GRC, each business risk is assigned a criticality level. You can control the risk analysis data returned by SAP GRC by specifying a risk level. Default value: |
roleLookupAccessURL | No | URL for Role Lookup web service. Default value: |
roleLookupWS | No | Web service client class to get all roles. Default value: |
sapSystemTimeZone | No | This entry holds the SAP target system time zone. Default value: |
singleRoles | No | Enter |
tpHost | No | This entry holds the host name of the external server program. Default value: |
tpName | No | This entry holds the program ID of the tp server program. Default value: |
type | No | This entry holds the type of the remote host. This entry can hold the following values: |
unlockUserReqType | No | Name of the request type to use for unlock user request in SAP GRC. Default value: |
userAccessAccessURL | No | URL for User Access web service. Default value: |
userAccessWS | No | Web service client class to get status of user access. Default value: |
wsdlFilePath | No | Enter the absolute path of the directory containing the following files: GRAC_USER_ACCESS_WS.WSDL, GRAC_SEARCH_ROLES_WS.WSDL, GRAC_SELECT_APPL_WS.WSDL, GRAC_REQUEST_STATUS_WS.WSDL, GRAC_LOOKUP_WS.WSDL, GRAC_AUDIT_LOGS_WS.WSDL Note: |
parameters | No | This field is an embedded object that is defined in the attribute mapping. In the default entry, PARAMETER1 is a table name, and PARID and PARVA are the field names on the target system. Default value: |
profiles | No | This field is an embedded object defined in the attribute mapping. In the decode entry, PROFILES is a table name, and SUBSYSTEM and PROFILE are the field names on the target system. Default value: |
roles | No | This field is an embedded object defined in the attribute mapping. In the decode entry, ACTIVITYGROUPS is a table name on the target system. SUBSYSTEM, TO_DAT, FROM_DAT, AGR_NAME and ORG_FLAG are the field names on the target system. Default value: |
groups | No | This field is an embedded object that is defined in the attribute mapping. In the default entry, GROUPS is a table name and USERGROUP is a field name on the target system. Default value: |
3.3 Attribute Mappings
The attribute mappings on the Schema page vary depending on whether you are using the SAP UM or SAP AC UM connector.
3.3.1 Attribute Mappings for the SAP UM Connector
The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The SAP UM connector uses these mappings during reconciliation and provisioning operations.
SAP UM User Account Attributes
Table 3-5 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and the SAP UM attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page, as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
- SoDCheckStatus
- SodCheckResult
- SoDCheckEntitlement
- SodCheckTimestamp
Table 3-5 Default Attribute Mappings for SAP UM User Account
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|---|
User ID | _NAME_ | String | Yes | Yes | Yes | Yes | Yes |
Password | _PASSWORD_ | String | No | Yes | No | No | No |
First Name | FIRSTNAME;ADDRESS;FIRSTNAME;ADDRESSX | String | No | Yes | Yes | No | No |
Last Name | LASTNAME;ADDRESS;LASTNAME;ADDRESSX | String | Yes | Yes | Yes | No | No |
Title | TITLE_P;ADDRESS;TITLE_P;ADDRESSX | String | No | Yes | Yes | No | No |
Alias | USERALIAS;ALIAS;BAPIALIAS;ALIASX | String | No | Yes | Yes | No | No |
E Mail | E_MAIL;ADDRESS;E_MAIL;ADDRESSX | String | No | Yes | Yes | No | No |
Telephone Number | TEL1_NUMBR;ADDRESS;TEL1_NUMBR;ADDRESSX | String | No | Yes | Yes | No | No |
Telephone Extension | TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX | String | No | Yes | Yes | No | No |
Valid From | GLTGV;LOGONDATA;GLTGV;LOGONDATAX | Date | No | Yes | Yes | No | No |
Valid Through | GLTGB;LOGONDATA;GLTGB;LOGONDATAX | String | No | Yes | Yes | No | No |
Fax Number | FAX_NUMBER;ADDRESS;FAX_NUMBER;ADDRESSX | Date | No | Yes | Yes | No | No |
Fax Extension | FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX | String | No | Yes | Yes | No | No |
Building | BUILDING_P;ADDRESS;BUILDING_P;ADDRESSX | String | No | Yes | Yes | No | No |
Room Number | ROOM_NO_P;ADDRESS;ROOM_NO_P;ADDRESSX | String | No | Yes | Yes | No | No |
Floor | FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX | String | No | Yes | Yes | No | No |
Function | FUNCTION;ADDRESS;FUNCTION;ADDRESSX | String | No | Yes | Yes | No | No |
Group Name | CLASS;LOGONDATA;CLASS;LOGONDATAX | String | No | Yes | Yes | No | No |
Department | DEPARTMENT;ADDRESS;DEPARTMENT;ADDRESSX | String | No | Yes | Yes | No | No |
Accounting Number | ACCNT;LOGONDATA;ACCNT;LOGONDATAX | String | No | Yes | Yes | No | No |
Cost Center | KOSTL;DEFAULTS;KOSTL;DEFAULTSX | String | No | No | Yes | No | No |
User Lock | __LOCK_OUT__ | String | No | Yes | Yes | No | No |
Logon language | LANGU;DEFAULTS;LANGU;DEFAULTSX | String | No | Yes | Yes | No | No |
User Type | USTYP;LOGONDATA;USTYP;LOGONDATAX | String | No | Yes | Yes | No | No |
Date Format | DATFM;DEFAULTS;DATFM;DEFAULTSX | String | No | Yes | Yes | No | No |
Decimal Notation | DCPFM;DEFAULTS;DCPFM;DEFAULTSX | String | No | Yes | Yes | No | No |
Time Zone | TZONE;LOGONDATA;TZONE;LOGONDATAX | String | No | Yes | Yes | No | No |
Start Menu | START_MENU;DEFAULTS;START_MENU;DEFAULTSX | String | No | Yes | Yes | No | No |
Company | COMPANY;COMPANY;COMPANY;COMPANYX | String | No | Yes | Yes | No | No |
Contractual User | LIC_TYPE;UCLASS;UCLASS;UCLASSX | String | No | Yes | Yes | No | No |
Communication Type | COMM_TYPE;ADDRESS;COMM_TYPE;ADDRESSX | String | No | Yes | Yes | No | No |
Language Comm | LANGU_P;ADDRESS;LANGU_P;ADDRESSX | String | No | Yes | Yes | No | No |
unique ID | _UID_ | String | No | Yes | Yes | No | No |
Personnel Number | PERNR | String | No | Yes | No | No | No |
SoDCheckStatus | NA | String | No | No | No | No | No |
SodCheckResult | NA | String | No | No | No | No | No |
SoDCheckEntitlement | NA | String | No | No | No | No | No |
SodCheckTimestamp | NA | String | No | No | No | No | No |
Status | _ENABLE_ | String | No | No | Yes | No | No |
Figure 3-1 shows the default User account attribute mappings.
Figure 3-1 Default Attribute Mappings for SAP UM User Account
![Figure 3-1 Default Attribute Mappings for SAP UM User Account](img/schema_attr_sapum.gif)
Group Attributes
Table 3-6 lists the group-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UM attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page, as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-6 Default Attribute Mappings for Groups
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
User Group | groups~GROUPS~USERGROUP | String | No | Yes | Yes | No |
Figure 3-2 shows default attribute mappings for groups.
Figure 3-2 Default Attribute Mappings for Groups
![Figure 3-2 Default Attribute Mappings for Groups](img/grp_entitmnt_sapum.gif)
Parameter Attributes
Table 3-7 lists the parameter-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UM attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-7 Default Attribute Mappings for Parameters
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
Parameter Id | parameters~PARAMETER1~PARID | String | Yes | Yes | Yes | No |
Parameter Value | parameters~PARAMETER1~PARVA | String | No | Yes | No | No |
Figure 3-3 shows default attribute mappings for parameters.
Figure 3-3 Default Attribute Mappings for Parameters
![Description of Figure 3-3 follows](img/parameter_entlmnt_sapum.gif)
Role Entitlement Attributes
Table 3-8 lists the role-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UM attributes. The table lists whether a given role is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
Table 3-8 Default Attribute Mappings for Role Entitlement
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
Role System Name | roles~ACTIVITYGROUPS~SUBSYSTEM | String | No | Yes | No | No |
Role Name | roles~ACTIVITYGROUPS~AGR_NAME | String | Yes | Yes | Yes | No |
Start Date | roles~ACTIVITYGROUPS~FROM_DAT | String | No | Yes | No | No |
End Date | roles~ACTIVITYGROUPS~TO_DAT | String | No | Yes | No | No |
Figure 3-4 Default Attribute Mappings for Role Entitlement
![Description of Figure 3-4 follows](img/role_entlemnt_sapum.gif)
Profile Entitlement Attributes
Table 3-9 lists the profile-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UM attributes. The table lists whether a given profile is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
Table 3-9 Default Attribute Mappings for Profile Entitlement
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
Profile System Name | profiles~PROFILES~SUBSYSTEM | String | No | Yes | No | No |
Profile Name | profiles~PROFILES~PROFILE | String | Yes | Yes | Yes | No |
Figure 3-5 Default Attribute Mappings for Profile Entitlement
![Description of Figure 3-5 follows](img/profile_entlemnt_sapum.gif)
3.3.2 Attribute Mappings for the SAP AC UM Connector
The Schema page for an SAP AC UM target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.
SAP AC UM User Account Attributes
Table 3-10 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-10 Default Attribute Mappings for the SAP AC UM User Account
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|---|
User ID | _NAME_ | String | Yes | Yes | Yes | Yes | Yes |
Password | _PASSWORD_ | String | No | Yes | No | No | No |
First Name | fname;UserInfo | String | No | Yes | Yes | No | No |
Last Name | lname;UserInfo | String | No | Yes | Yes | No | No |
Title | title;UserInfo | String | No | Yes | Yes | No | No |
Alias | alias;UserInfo | String | No | Yes | Yes | No | No |
E Mail | email;UserInfo | String | No | Yes | Yes | No | No |
Telephone Number | telnumber;UserInfo | String | No | Yes | Yes | No | No |
Telephone Extension | TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX | String | No | Yes | Yes | No | No |
Valid From | validFrom;UserInfo | Date | No | Yes | Yes | No | No |
Valid Through | validTo;UserInfo | String | No | Yes | Yes | No | No |
Fax Number | fax;UserInfo | Date | No | Yes | Yes | No | No |
Fax Extension | FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX | String | No | Yes | Yes | No | No |
Building | BUILDING_P;ADDRESS | String | No | Yes | Yes | No | No |
Room Number | ROOM_NO_P;ADDRESS | String | No | Yes | Yes | No | No |
Floor | FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX | String | No | Yes | Yes | No | No |
Function | FUNCTION;ADDRESS | String | No | Yes | Yes | No | No |
Group Name | CLASS;LOGONDATA | String | No | Yes | Yes | No | No |
Department | DEPARTMENT;ADDRESS | String | No | Yes | Yes | No | No |
Accounting Number | accno;UserInfo | String | No | Yes | Yes | No | No |
Cost Center | costcenter;UserInfo | String | No | Yes | Yes | No | No |
User Lock | userLock;None | String | No | Yes | Yes | No | No |
Logon Language | logonlang;UserInfo | String | No | Yes | Yes | No | No |
user Type | userType;UserInfo | String | No | Yes | Yes | No | No |
Date Format | dateFormat;UserInfo | String | No | Yes | Yes | No | No |
Decimal Notation | decNotation;UserInfo | String | No | Yes | Yes | No | No |
Time Zone | TZONE;LOGONDATA | String | No | Yes | Yes | No | No |
Start menu | startmenu;UserInfo | String | No | Yes | Yes | No | No |
Company | COMPANY;COMPANY | String | No | Yes | Yes | No | No |
Contractual User Type (Lookup) | LIC_TYPE;UCLASS\|UCLASSSYS | String | No | Yes | Yes | No | No |
Communication Type (Lookup) | COMM_TYPE;ADDRESS | String | No | Yes | Yes | No | No |
Language Communication (Lookup) | LANGU_P;ADDRESS | String | No | Yes | Yes | No | No |
Unique ID | _UID_ | String | No | Yes | Yes | No | No |
Personnel Number | PERNR | String | No | Yes | No | No | No |
AC Request Id | RequestId | String | No | Yes | No | No | No |
AC Request Status | RequestStatus | String | No | Yes | No | No | No |
AC Request Type | RequestType | String | No | Yes | No | No | No |
AC Manager | manager;UserInfo | String | No | Yes | No | No | No |
AC Manager email | managerEmail;UserInfo | String | No | Yes | No | No | No |
AC Manager First Name | managerFirstname;UserInfo | String | No | Yes | No | No | No |
AC Manager Last Name | managerLastname;UserInfo | String | No | Yes | No | No | No |
AC Priority | priority;Header | String | No | Yes | No | No | No |
AC Request Reason | requestReason;Header | String | No | Yes | No | No | No |
AC Request Due Date(Date) | reqDueDate;Header | String | No | Yes | No | No | No |
AC Functional Area (Lookup) | funcarea;Header | String | No | Yes | No | No | No |
AC Business Process (Lookup) | bproc;Header | String | No | Yes | No | No | No |
AC Requestor ID | requestorId;Header | String | No | Yes | No | No | No |
AC Requestor email | email;Header | String | No | Yes | No | No | No |
Figure 3-6 shows the default User account attribute mappings.
Figure 3-6 Default Attribute Mappings for SAP AC UM User Account
![Description of Figure 3-6 follows](img/schema_att_sapacum.gif)
Group Attributes
Table 3-11 lists the group-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-11 Default Attribute Mapping for Groups
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
User Group | groups~GROUPS~USERGROUP | String | Yes | Yes | Yes | No |
Figure 3-7 shows the group entitlement mappings.
Figure 3-7 Default Attribute Mapping for Groups
![Description of Figure 3-7 follows](img/grps_ent_sapacum.gif)
Parameter Entitlements
Table 3-12 lists the parameter-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-12 Default Attribute Mappings for Parameters
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
Parameter Id | parameters~PARAMETER1~PARID | String | No | Yes | Yes | No |
Parameter Value | parameters~PARAMETER1~PARVA | String | No | Yes | No | No |
Figure 3-8 shows the default attribute mappings for parameters.
Figure 3-8 Default Attribute Mappings for Parameters
![Description of Figure 3-8 follows](img/parameter_ent_sapacum.gif)
Profile Attributes
Table 3-13 lists the profile-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table lists whether a given profile is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
Table 3-13 Default Attribute Mappings for Profiles
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
Profile System Name | profiles~PROFILES~SUBSYSTEM | String | No | Yes | No | No |
Profile Name | profiles~PROFILES~PROFILE | String | Yes | Yes | Yes | No |
Figure 3-9 Default Attribute Mappings for Profiles
![Description of Figure 3-9 follows](img/profile_entlemnt_sapum.gif)
Role Attributes
Table 3-14 lists the role-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table lists whether a given role is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
Table 3-14 Default Attribute Mappings for Roles
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
Role System Name | roles~ACTIVITYGROUPS~SUBSYSTEM | String | No | Yes | No | No |
Role Name | roles~ACTIVITYGROUPS~AGR_NAME | String | Yes | Yes | Yes | No |
Start Date | roles~ACTIVITYGROUPS~FROM_DAT | Date | No | Yes | No | No |
End Date | roles~ACTIVITYGROUPS~TO_DAT | Date | No | Yes | No | No |
Figure 3-10 Default Attribute Mappings for Roles
![Description of Figure 3-10 follows](img/role_entlemnt_sapum.gif)
3.4 Rules, Situations, and Responses for the Connector
Learn about the predefined rules, responses, and situations for target and authoritative applications. The connector uses these rules and responses for performing reconciliation.
Predefined Identity Correlation Rules
By default, the SAP UM and SAP AC UM connectors provide a simple correlation rule when you create a Target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.
Table 3-15 lists the default simple correlation rule for the SAP UM and SAP AC UM connectors. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-15 Predefined Identity Correlation Rule for the SAP UM and SAP AC UM Connectors
Target Attribute | Element Operator | Identity Attribute | Case Sensitive? |
---|---|---|---|
__NAME__ | Equals | User Login | No |
- __NAME__ is a single-valued attribute on the target system that identifies the user account.
- User Login is the field on the OIG User form.
Figure 3-11 shows the simple correlation rule for the SAP UM and SAP AC UM Connectors.
Figure 3-11 Simple Correlation Rule for the SAP UM and SAP AC UM Connectors
![Description of Figure 3-11 follows](img/corr_rule_sapum.gif)
Predefined Situations and Responses
The SAP UM and SAP AC UM connectors provide a default set of situations and responses when you create a Target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 3-16 lists the default situations and responses for the SAP UM and SAP AC UM connectors. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-16 Predefined Situations and Responses for the SAP UM and SAP AC UM Connectors
Situation | Response |
---|---|
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
Figure 3-12 shows the situations and responses that the connector provides by default.
Figure 3-12 Predefined Situations and Responses for the SAP UM and SAP AC UM Connectors
![Description of Figure 3-12 follows](img/situatio_resp_sapacum.gif)
3.5 Reconciliation Jobs
These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application for your target system.
3.5.1 Reconciliation Jobs for the SAP UM Connector
These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application for your target system.
Note:
All of the jobs are prefixed with an application name when you create an application. For example, SAPUM SAPUM UM CommType Lookup Reconciliation where the first SAPUM is the application name.
Full User Reconciliation Job
The SAP UM Target User Reconciliation job is used to fetch all user records from the target system.
Table 3-17 Parameters of the SAP UM Target User Reconciliation Job
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Filter | Enter the expression for filtering records that the scheduled job must reconcile. Sample value: Default value: For information about the filter expressions that you can create and use, see ICF Filter Syntax in Developing and Customizing Applications for Oracle Identity Governance. |
Incremental Recon Attribute | Time stamp at which the last reconciliation run started. Default value: Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value for this attribute. |
Object Type | Type of object you want to reconcile. Default value: |
Latest Token | This attribute holds the time stamp (in YYYYMMDDHHMMSS format) at which the last reconciliation run ended. For the next reconciliation run, only target system records that have been added or modified after this time stamp are considered for reconciliation. For consecutive reconciliation runs, the connector automatically enters a value for this attribute. However, you can use this attribute to switch from incremental reconciliation to full reconciliation. Note: The reconciliation engine automatically enters a value in this attribute. Sample value: |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Default value: |
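The following added example (not Oracle code and not part of the connector) simulates one user reconciliation run: it applies the Latest Token cut-off described above, then the default correlation rule from Table 3-15 and the responses from Table 3-16, and lists the accounts that receive no predefined response. The `TargetAccount` class, its `last_modified` field, the sample data, and the treatment of an empty token as a full run are assumptions made for the illustration.

```python
"""Added illustration (not Oracle code): one simulated user reconciliation run."""
from dataclasses import dataclass
from datetime import datetime

TOKEN_FORMAT = "%Y%m%d%H%M%S"  # YYYYMMDDHHMMSS, the Latest Token format

# Table 3-16: the situations that have a predefined response.
# Only entity matching is modelled below; process matching is not.
DEFAULT_RESPONSES = {
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}


@dataclass(frozen=True)
class TargetAccount:
    name: str           # __NAME__ of the account on the target system
    last_modified: str  # YYYYMMDDHHMMSS; constructed field for this example


def parse_token(token):
    """Return the cut-off as a datetime, or None when the token is empty."""
    token = (token or "").strip()
    if not token:
        return None  # assumption: an empty token means a full run
    return datetime.strptime(token, TOKEN_FORMAT)  # ValueError if malformed


def select_for_run(accounts, latest_token):
    """Keep only accounts added or modified after the Latest Token."""
    cutoff = parse_token(latest_token)
    if cutoff is None:
        return list(accounts)
    return [a for a in accounts
            if datetime.strptime(a.last_modified, TOKEN_FORMAT) > cutoff]


def correlate(account, user_logins):
    """Table 3-15: __NAME__ Equals User Login, Case Sensitive? = No."""
    key = account.name.casefold()
    return [login for login in user_logins if login.casefold() == key]


def reconcile(accounts, user_logins, latest_token=""):
    """Return (linked, review).

    linked maps account name -> (User Login, response) for single matches.
    review lists (account name, reason) for accounts with no predefined
    response in Table 3-16: candidates for an orphan-account review.
    """
    linked, review = {}, []
    for account in select_for_run(accounts, latest_token):
        matches = correlate(account, user_logins)
        if len(matches) == 1:
            response = DEFAULT_RESPONSES["One Entity Match Found"]
            linked[account.name] = (matches[0], response)
        elif not matches:
            review.append((account.name, "no User Login matches"))
        else:
            review.append((account.name, "several User Logins match"))
    return linked, review


# Constructed sample data, not taken from any real system.
ACCOUNTS = [
    TargetAccount("JDOE", "20120417123006"),
    TargetAccount("asmith", "20120418090000"),
    TargetAccount("SVC_BATCH", "20120418101500"),  # no OIG user: orphan
    TargetAccount("mbrown", "20120301080000"),
]
USER_LOGINS = ["jdoe", "ASMITH", "mbrown"]

if __name__ == "__main__":
    for token in ("", "20120417123006"):
        linked, review = reconcile(ACCOUNTS, USER_LOGINS, token)
        print("token=%r linked=%s review=%s" % (token, sorted(linked), review))
```

Accounts returned in `review` get no response from Table 3-16, so they are the ones to check for orphaned or shared target accounts.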
Incremental User Reconciliation Job
The SAP UM Target Incremental User Reconciliation job is used to fetch the records that are added or modified after the last reconciliation run.
Table 3-18 Parameters of the SAP UM Target Incremental User Reconciliation Job
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Sync Token | Enter the expression for filtering records that the scheduled job must reconcile. Sample value: For information about the filter expressions that you can create and use, see ICF Filter Syntax in Developing and Customizing Applications for Oracle Identity Governance. |
Object Type | Type of object you want to reconcile. Default value: |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Note: For the scheduled job included with this connector, you must not change the value of this attribute. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this attribute. |
Delete User Reconciliation Job
The SAP UM Target User Delete Reconciliation job is used to reconcile data about deleted users for the target application.
Table 3-19 Parameters of the SAP UM Target User Delete Reconciliation Job
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Object Type | Type of object you want to reconcile. Default value: |
Disable User | Enter Default value: |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Default value: |
Sync Token | Time stamp at which the last reconciliation run ended in YYYYMMDDHHMMSS format (for example, 20120417123006). For the next reconciliation run, only target system records that have been deleted after this time stamp are considered for reconciliation. If you set this attribute to an empty value, then incremental reconciliation operations fetch all the records (perform full reconciliation). Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. |
Lookup Definitions Synchronized with the Target System
Lookup field synchronization involves copying additions or changes made to specific fields in the target system to lookup definitions in Oracle Identity Manager.
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Date Format lookup field to select a date format from the list of supported date formats. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
The following lookup definitions are populated with values fetched from the target system by the scheduled jobs for lookup field synchronization for the SAP UM connector:
- SAPUM UM CommType Lookup Reconciliation
- SAPUM UM Company Lookup Reconciliation
- SAPUM UM ContractUserType Lookup Reconciliation
- SAPUM UM DateFormat Lookup Reconciliation
- SAPUM UM DecimalNot Lookup Reconciliation
- SAPUM UM LangComm Lookup Reconciliation
- SAPUM UM Parameter Lookup Reconciliation
- SAPUM UM Profile Lookup Reconciliation
- SAPUM UM Role Lookup Reconciliation
- SAPUM UM Systems Lookup Reconciliation
- SAPUM UM TimeZoneLookup Reconciliation
- SAPUM UM Title Lookup Reconciliation
- SAPUM UM UserGroup Lookup Reconciliation
- SAPUM UM UserType Lookup Reconciliation
The parameters for all the reconciliation jobs are the same.
Table 3-20 Parameters of SAP UM Reconciliation Jobs
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Lookup Name | This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Depending on the reconciliation job you are using, the default values are as follows: |
Object Type | Enter the type of object whose values must be synchronized. Depending on the scheduled job you are using, the default values are as follows: |
Code Key Attribute | Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: |
Decode Attribute | Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: |
While performing a provisioning operation on Oracle Identity System Administration, you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup definitions on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select.
During lookup field synchronization, new entries are appended to the existing set of entries in the lookup definitions. You can switch from an SAP R/3 target to an SAP CUA target, or you can switch between multiple installations of the same target system. Because the IT resource key is part of each entry created in each lookup definition, only lookup field entries that are specific to the IT resource you select during a provisioning operation are displayed.
3.5.2 Reconciliation Jobs for the SAP AC UM Connector
These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application for your target system.
Note:
All of the jobs are prefixed with an application name when you create an application. For example, SAPACUMAPP SAP AC UM BusinessProcess Lookup Reconciliation where SAPACUMAPP is the application name.
Full User Reconciliation Job
The SAP AC UM Target User Reconciliation job is used to fetch all user records from the target system.
Table 3-21 Parameters of the SAP AC UM Target User Reconciliation Job
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Filter | Enter the expression for filtering records that the scheduled job must reconcile. Sample value: Default value: For information about the filter expressions that you can create and use, see ICF Filter Syntax in Developing and Customizing Applications for Oracle Identity Governance. |
Object Type | Type of object you want to reconcile. Default value: |
Latest Token | This attribute holds the time stamp (in YYYYMMDDHHMMSS format) at which the last reconciliation run ended. For the next reconciliation run, only target system records that have been added or modified after this time stamp are considered for reconciliation. For consecutive reconciliation runs, the connector automatically enters a value for this attribute. However, you can use this attribute to switch from incremental reconciliation to full reconciliation. Note: The reconciliation engine automatically enters a value in this attribute. Sample value: |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Default value: |
Incremental Recon Attribute | Time stamp at which the last reconciliation run started. Default value: Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value for this attribute. |
Delete User Reconciliation Job
The SAP AC UM Target User Delete Reconciliation job is used to reconcile data about deleted users for the target application.
Table 3-22 Parameters of the SAP AC UM Target User Delete Reconciliation Job
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Object Type | Type of object you want to reconcile. Default value: |
Disable User | Enter Default value: |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Default value: |
Sync Token | Default value is blank. Last modified timestamp of the user account. |
SAP AC UM Request Status Job
The SAP AC UM Request Status Reconciliation job is used to reconcile request status from the SAP BusinessObjects AC target system.
Table 3-23 Parameters of the SAP AC UM Request Status Reconciliation Job
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Object Type | Type of object you want to reconcile. Default value: |
Custom Lookup Name | Name of the lookup definition. Default value: |
Resource Object Name | Name of the resource object against which reconciliation runs must be performed. Default value: |
IT Resource Name | Name of the IT resource instance that the connector must use to reconcile data. Default value: |
Scheduled Task Name | Name of the scheduled task. Default value: |
Note:
To run the SAP AC UM Request Status reconciliation job, you must update the Application Name and IT Resource Name parameters based on the name created while configuring the connector. For example, if the name of the connector is SAPACUM, then ensure that you update the Application Name as SAPACUM and the IT Resource Name as SAPACUM.
Lookup Definitions Synchronized with the Target System
Lookup field synchronization involves copying additions or changes made to specific fields in the target system to lookup definitions in Oracle Identity Manager.
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Date Format lookup field to select a date format from the list of supported date formats. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
The following lookup definitions are populated with values fetched from the target system by the scheduled jobs for lookup field synchronization for the SAP AC UM connector:
- SAP AC UM BusinessProcess Lookup Reconciliation
- SAP AC UM CommType Lookup Reconciliation
- SAP AC UM Company Lookup Reconciliation
- SAP AC UM ContractUserType Lookup Reconciliation
- SAP AC UM DateFormat Lookup Reconciliation
- SAP AC UM Functional Area Lookup Reconciliation
- SAP AC UM ItemProvAction Lookup Reconciliation
- SAP AC UM LangComm Lookup Reconciliation
- SAP AC UM Parameter Lookup Reconciliation
- SAP AC UM DecimalNot Lookup Reconciliation
- SAP AC UM Priority Lookup Reconciliation
- SAP AC UM Profile Lookup Reconciliation
- SAP AC UM ReqInitSystem Lookup Reconciliation
- SAP AC UM RequestType Lookup Reconciliation
- SAP AC UM Role Lookup Reconciliation
- SAP AC UM Systems Lookup Reconciliation
- SAP AC UM TimeZoneLookup Reconciliation
- SAP AC UM Title Lookup Reconciliation
- SAP AC UM UserGroup Lookup Reconciliation
- SAP AC UM UserType Lookup Reconciliation
The parameters for all the reconciliation jobs are the same.
Table 3-24 Parameters of the SAP AC UM Reconciliation Jobs
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Code Key Attribute | Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: |
Decode Attribute | Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: |
Lookup Name | This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Depending on the reconciliation job you are using, the default values are as follows: |
Object Class | Enter the class of object whose values must be synchronized. Depending on the scheduled job you are using, the default values are as follows: |
Object Type | Enter the type of object whose values must be synchronized. Depending on the scheduled job you are using, the default values are as follows: |
While performing a provisioning operation on Oracle Identity System Administration, you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup definitions on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select.
During lookup field synchronization, new entries are appended to the existing set of entries in the lookup definitions. You can switch from an SAP R/3 target to an SAP CUA target, or you can switch between multiple installations of the same target system. Because the IT resource key is part of each entry created in each lookup definition, only lookup field entries that are specific to the IT resource you select during a provisioning operation are displayed.