5 Using the Microsoft Active Directory User Management Connector

You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

The following topics discuss information related to using the connector for performing reconciliation and provisioning operations:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

5.1 Guidelines on Using the Microsoft Active Directory User Management Connector

These guidelines give information on what to do when using the connector.

You must apply the following guidelines while performing reconciliation and provisioning operations:

5.1.1 Guidelines on Configuring Reconciliation

The following are guidelines that you must apply while configuring reconciliation:

  • Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before user reconciliation runs.

  • If you are using Oracle Identity Governance release 11.1.2.x or later, then before you perform a reconciliation run, create an application instance.

  • The scheduled job for user reconciliation must be run before the scheduled job for reconciliation of deleted user data.

  • In the identity reconciliation mode, if you want to configure group reconciliation, then note that group reconciliation does not cover reconciliation of updates to existing groups on the target system. If you modify the name of a group on the target system, then it is reconciled as a new group in Oracle Identity Governance.

  • In the identity reconciliation mode, if you want to configure organization reconciliation, then note that:

    • Organization reconciliation does not cover reconciliation of updates to existing organization names on the target system. If you modify the name of an organization on the target system, then it is reconciled as a new organization in Oracle Identity Governance.

    • Organization reconciliation events created by the scheduled job for organization reconciliation (Active Directory Organization Recon) must be successfully processed before the scheduled job for trusted source reconciliation (Active Directory User Trusted Recon) is run. In other words, organization reconciliation must be run and the organization records reconciled from the target system must be successfully linked in Oracle Identity Governance.

    • On the target system, users are created in specific organizations. During trusted source reconciliation of user data, if you want OIM Users to be created in the same organizations on Oracle Identity Governance, then you must set the MaintainHierarchy attribute of the trusted source reconciliation scheduled task to yes. In addition, you must configure organization reconciliation to run before trusted source reconciliation.

    • In Oracle Identity Governance, the organization namespace is a flat namespace although it allows parent-child hierarchical relationships between organizations. Therefore, two Microsoft Active Directory OUs with the same name cannot be created in Oracle Identity Governance, even if they have different parent OUs on the target system.

    • The name of an organization in Oracle Identity Governance cannot contain special characters, such as the equal sign (=) and comma (,). However, these special characters can be used in the name of an organization on the target system.

    • The synchronization of organization lookup fields is independent of whether or not you configure organization reconciliation.

  • If you are going to configure Microsoft AD LDS as the trusted source, then you must ensure that a value (either true or false) is set for the msDS-UserAccountDisabled field of each user record on the target system. In Microsoft ADAM, the msDS-UserAccountDisabled field does not have a default value.

  • The Filter attribute must contain only attributes that are present in the Decode column of the lookup definition that holds reconciliation attribute mapping.

5.1.2 Guidelines on Performing Provisioning Operations

The following are guidelines that you must apply while performing provisioning operations:

  • Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before provisioning operations.

  • When both Microsoft Active Directory User Management and Microsoft Exchange connectors are deployed in your environment, do not specify a value for the Redirection Mail Id field.

    If you specify a value for the Redirection Mail Id field during a user provisioning operation, then a corresponding mail user account is created in Microsoft Exchange. When an Exchange mail user account is created through Active Directory in this way, some of its fields, such as Maximum Receive Size, cannot be updated, and the Microsoft Exchange connector cannot be used for further provisioning operations on that user because the user already exists in Microsoft Exchange as a mail user.

    Note also that the Microsoft Exchange connector cannot convert a mail user account created in this way into a mailbox, because the target system does not allow it. Therefore, do not specify a value for the Redirection Mail Id field if both the Microsoft Active Directory and Microsoft Exchange connectors are deployed.

  • Passwords for user accounts provisioned from Oracle Identity Governance must adhere to the password policy set in Microsoft Active Directory.

    Note:

    If you install Microsoft ADAM on a domain controller, then it inherits the password policies of the Microsoft Active Directory domain on that domain controller. If you install Microsoft ADAM on a workgroup computer, then the local system policies apply.

    In Microsoft Active Directory, password policies are controlled through password complexity rules. These complexity rules are enforced when passwords are changed or created. While changing the password of a Microsoft Active Directory account by performing a provisioning operation on Oracle Identity Governance, you must ensure that the new password adheres to the password policies on the target system.

    See Also:

    For more information about password guidelines applicable on the target system, see the Microsoft Active Directory User Management documentation.

  • Some Asian languages use multibyte character sets. If the character limit for fields on the target system is specified in bytes, then the number of Asian-language characters that you can enter in a particular field may be less than the number of English-language characters that you can enter in the same field. The following example illustrates this point:

    Suppose you can enter 50 characters of English in the User Last Name field of the target system. If you have configured the target system for the Japanese language, then you would not be able to enter more than 25 characters in the same field.

  • The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Governance fields. For example, ensure that the value you specify for the User Login field in Oracle Identity Governance contains no more than 20 characters. This is because the sAMAccountName attribute in the target system (corresponding to the User Login field in Oracle Identity Governance) cannot contain more than 20 characters.

  • On the target system, the Manager Name field accepts only DN values. Therefore, when you set or modify the Manager Name field on Oracle Identity Governance, you must enter the DN value.

    For example:

    cn=abc,ou=lmn,dc=corp,dc=com

  • If an attribute value within the DN that you specify for the Manager Name field contains special characters, then you must prefix each special character in that value with a backslash (\). The equal signs and commas that separate the DN components are not escaped. For example, if you want to specify CN=John Doe #2,OU=sales,DC=example,DC=com as the value of the Manager Name field, then you must specify the following as the value:

    CN=John Doe \#2,OU=sales,DC=example,DC=com

    The following is the list of special characters that must be prefixed with a backslash (\):

    • Number sign (#)

    • Backslash (\)

    • Plus sign (+)

    • Equal sign (=)

    • Comma (,)

    • Semicolon (;)

    • Less than symbol (<)

    • Greater than symbol (>)

    • Quotation mark (")

  • While specifying a value for the Home Directory field, follow these guidelines:

    • The value must always begin with two backslashes (\\).

    • The value must contain at least one more backslash (\) after the leading pair, and must not end with a backslash.

    Correct sample values:

    \\SOME_MACHINE\SOME_SHARE\SOME_DIRECTORY

    \\SOME_MACHINE\SOME_SHARE\SOME_DIRECTORY\SOME_OTHER_DIRECTORY

    Incorrect sample values:

    \\SOME_MACHINE\SOME_SHARE\

    \\SOME_MACHINE

  • If you want to provision users and groups under the Users container, then include the following entry in the Lookup.ActiveDirectory.OrganizationalUnits lookup definition:

    Code Key:

    IT_RESOURCE_KEY~CN=Users,DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

    Decode:

    IT_RESOURCE_NAME~CN=Users,DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

    In the Code Key and Decode values, replace:

    • IT_RESOURCE_KEY with the numeric code assigned to each IT resource in Oracle Identity Governance. You can determine the value of the IT resource key by performing lookup field synchronization of organizational units and then finding the IT resource key from the code key value of the Lookup.ActiveDirectory.OrganizationalUnits lookup definition.

    • IT_RESOURCE_NAME with the name of the IT resource in Oracle Identity Governance.
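The Manager Name escaping rule and the Home Directory rules above are easy to get wrong in a pre-provisioning validation step. The following Python is an added example, not code from Oracle's documentation or from the connector: it builds a Manager Name DN from raw RDN values, escaping the nine characters listed above inside each value while leaving the '=' and ',' separators alone, and checks a Home Directory value against the three rules. The function names, the sample values, and the decision to also reject a doubled interior backslash are this example's own.

```python
"""Validators for two provisioning values the guidelines above constrain.
Added example; not Oracle's documentation code and not the connector's own implementation."""
from typing import List, Tuple

# Characters the guidelines say must be prefixed with a backslash inside a DN attribute
# value. (RFC 4514 only requires '#' to be escaped at the start of a value; the page asks
# for it everywhere, and this follows the page.)
DN_SPECIAL_CHARS = frozenset('#\\+=,;<>"')


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value: 'John Doe #2' -> 'John Doe \\#2'."""
    # The backslash itself is in the set, so a value that already contains one is
    # escaped rather than being read as the start of an escape sequence.
    return "".join("\\" + ch if ch in DN_SPECIAL_CHARS else ch for ch in value)


def build_manager_dn(rdns: List[Tuple[str, str]]) -> str:
    """Build a Manager Name value from (attribute, raw value) pairs, leaf first.

    Only the values are escaped; the '=' and ',' that separate the components are
    emitted as-is, so the result matches the page's example:
    [("CN", "John Doe #2"), ("OU", "sales"), ("DC", "example"), ("DC", "com")]
    -> 'CN=John Doe \\#2,OU=sales,DC=example,DC=com'
    """
    for attr, value in rdns:
        # Attribute types are plain identifiers; an empty value would yield a malformed
        # RDN such as 'CN=,OU=sales'.
        if not attr.replace("-", "").isalnum() or not value:
            raise ValueError(f"invalid RDN component {attr!r}={value!r}")
    return ",".join(f"{attr}={escape_dn_value(value)}" for attr, value in rdns)


def validate_home_directory(path: str) -> bool:
    r"""Return True if path satisfies the Home Directory guidelines.

    Valid:   \\SOME_MACHINE\SOME_SHARE\SOME_DIRECTORY
    Invalid: \\SOME_MACHINE\SOME_SHARE\   (ends with a backslash)
             \\SOME_MACHINE               (no backslash after the server name)
    """
    if not path.startswith("\\\\"):
        return False
    # After the leading pair the path must split into at least two non-empty components
    # (server and share). An empty last component is the forbidden trailing backslash;
    # an empty interior component is a doubled backslash, which this example also rejects.
    components = path[2:].split("\\")
    return len(components) >= 2 and all(components)
```

The DN builder deliberately takes the DN as components rather than as a finished string: escaping a finished string would also escape the separators, which is exactly the mistake the one-line guideline invites.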

5.2 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

This section discusses the following topics related to configuring reconciliation:

5.2.1 Performing Full Reconciliation and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.

In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance.

For performing a full reconciliation run, values for the following parameters of the jobs for reconciling user records must not be present:

  • Batch Start

  • Filter

  • Latest Token

At the end of the reconciliation run, the Latest Token parameter of the job for user record reconciliation is automatically set to the highest value of the uSNChanged attribute on the domain controller that is used for reconciliation. From the next run onward, only records created or modified after the value in the Latest Token parameter are considered for reconciliation. This is incremental reconciliation. Because uSNChanged values are local to each domain controller and are not replicated, a Latest Token value is meaningful only against the domain controller on which it was recorded; if the IT resource is pointed at a different domain controller, clear the Latest Token and perform a full reconciliation again.

5.2.2 Performing Limited Reconciliation

These topics help you understand limited reconciliation and the ways in which it can be achieved.

5.2.2.1 About Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

You can perform limited reconciliation the first time you perform a reconciliation run. In other words, by using filters or by specifying a search base while configuring a scheduled job for full reconciliation, you can perform limited reconciliation.

5.2.2.2 Performing Limited Reconciliation By Using Filters

You can perform limited reconciliation by creating filters for the reconciliation module.

This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the Microsoft Active Directory resource attributes to filter the target system records. Table 5-1 lists the filter syntax that you can use and the corresponding description and sample values.

Note:

Filters with wildcard characters are not supported.

Table 5-1 Keywords and Syntax for the Filter Attribute

Filter Syntax Description

String Filters

startsWith('ATTRIBUTE_NAME','PREFIX')

Records whose attribute value starts with the specified prefix are reconciled.

Example: startsWith('userPrincipalName','John')

In this example, all records whose userPrincipalName begins with 'John' are reconciled.

endsWith('ATTRIBUTE_NAME','SUFFIX')

Records whose attribute value ends with the specified suffix are reconciled.

Example: endsWith('sn','Doe')

In this example, all records whose last name ends with 'Doe' are reconciled.

contains('ATTRIBUTE_NAME','STRING')

Records where the specified string is contained in the attribute's value are reconciled.

Example: contains('displayName','Smith')

In this example, all records whose display name contains 'Smith' are reconciled.

containsAllValues('ATTRIBUTE_NAME',['STRING1','STRING2', . . . ,'STRINGn'])

Records that contain all the specified strings for a given attribute are reconciled.

Example: containsAllValues('objectClass',['person','top'])

In this example, all records whose objectClass contains both "top" and "person" are reconciled.

Equality and Inequality Filters

equalTo('ATTRIBUTE_NAME','VALUE')

Records whose attribute value is equal to the value specified in the syntax are reconciled.

Example: equalTo('sAMAccountName','Sales Organization')

In this example, all records whose sAMAccountName is Sales Organization are reconciled.

greaterThan('ATTRIBUTE_NAME','VALUE')

Records whose attribute value (string or numeric) is greater than (in lexicographical or numerical order) the value specified in the syntax are reconciled.

Example 1: greaterThan('cn','bob')

In this example, all records whose common name is present after the common name 'bob' in the lexicographical order (or alphabetical order) are reconciled.

Example 2: greaterThan('employeeNumber','1000')

In this example, all records whose employee number is greater than 1000 are reconciled.

greaterThanOrEqualTo('ATTRIBUTE_NAME','VALUE')

Records whose attribute value (string or number) is lexicographically or numerically greater than or equal to the value specified in the syntax are reconciled.

Example 1: greaterThanOrEqualTo('sAMAccountName','S')

In this example, all records whose sAMAccountName is equal to 'S' or greater than 'S' in lexicographical order are reconciled.

Example 2: greaterThanOrEqualTo('employeeNumber','1000')

In this example, all records whose employee number is greater than or equal to 1000 are reconciled.

lessThan('ATTRIBUTE_NAME','VALUE')

Records whose attribute value (string or numeric) is less than (in lexicographical or numerical order) the value specified in the syntax are reconciled.

Example 1: lessThan('sn','Smith')

In this example, all records whose last name is present before the last name 'Smith' in the lexicographical order (or alphabetical order) are reconciled.

Example 2: lessThan('employeeNumber','1000')

In this example, all records whose employee number is less than 1000 are reconciled.

lessThanOrEqualTo('ATTRIBUTE_NAME','VALUE')

Records whose attribute value (string or numeric) is lexicographically or numerically less than or equal to the value specified in the syntax are reconciled.

Example 1: lessThanOrEqualTo('sAMAccountName','A')

In this example, all records whose sAMAccountName is equal to 'A' or less than 'A' in lexicographical order are reconciled.

Example 2: lessThanOrEqualTo('employeeNumber','1000')

In this example, all records whose employee number is less than or equal to 1000 are reconciled.

Complex Filters

<FILTER1> & <FILTER2>

Records that satisfy conditions in both filter1 and filter2 are reconciled. In this syntax, the logical operator & (ampersand symbol) is used to combine both filters.

Example: startsWith('cn', 'John') & endsWith('sn', 'Doe')

In this example, all records whose common name starts with John and last name ends with Doe are reconciled.

<FILTER1> | <FILTER2>

Records that satisfy either the condition in filter1 or filter2 are reconciled. In this syntax, the logical operator | (vertical bar) is used to combine both filters.

Example: contains('sAMAccountName', 'Andy') | contains('sn', 'Brown')

In this example, all records that contain 'Andy' in the sAMAccountName attribute or 'Brown' in the last name are reconciled.

not(<FILTER>)

Records that do not satisfy the given filter condition are reconciled.

Example: not(contains('cn', 'Mark'))

In this example, all records whose common name does not contain 'Mark' are reconciled.
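To see how the keywords in Table 5-1 combine, here is a small evaluator for that syntax. It is an added example: it is not Oracle's code and does not reproduce the connector's own parser. It accepts every keyword in the table, rejects wildcard characters as the note above requires, and can reject attribute names that are not in the reconciliation attribute map, as required by the guideline on the Filter attribute in Guidelines on Configuring Reconciliation. The following are assumptions of this example that the page does not state: '&' binds tighter than '|', comparisons are exact (case-sensitive), a filter on a multi-valued attribute matches if any of its values matches, and the sample records are constructed.

```python
"""Evaluator for the Filter attribute syntax of Table 5-1. Added example, not the connector's parser."""
import re
from typing import Callable, Dict, List, Optional

class FilterError(ValueError):
    """Syntax error, wildcard character, or attribute outside the allowed set."""

def _split_top(text: str, sep: str) -> List[str]:
    """Split on sep where it is outside quotes and outside (...) or [...] nesting."""
    parts, depth, quoted, start = [], 0, False, 0
    for i, ch in enumerate(text):
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch in "([":
            depth += 1
        elif not quoted and ch in ")]":
            depth -= 1
        elif not quoted and depth == 0 and ch == sep:
            parts.append(text[start:i])
            start = i + 1
    parts.append(text[start:])
    return parts

def _values(record: dict, attr: str) -> List[str]:
    """Attribute as a list of strings; a missing attribute matches nothing."""
    v = record.get(attr)
    return [] if v is None else [str(x) for x in v] if isinstance(v, (list, tuple)) else [str(v)]

def _cmp(a: str, b: str) -> int:
    """Numeric order when both sides are integers, else lexicographic (Table 5-1)."""
    if a.lstrip("-").isdigit() and b.lstrip("-").isdigit():
        a, b = int(a), int(b)  # so '999' < '1000', although '9' > '1' as text
    return (a > b) - (a < b)

_OPS: Dict[str, Callable[[str, str], bool]] = {
    "startsWith": lambda v, a: v.startswith(a), "endsWith": lambda v, a: v.endswith(a),
    "contains": lambda v, a: a in v, "equalTo": lambda v, a: v == a,
    "greaterThan": lambda v, a: _cmp(v, a) > 0, "greaterThanOrEqualTo": lambda v, a: _cmp(v, a) >= 0,
    "lessThan": lambda v, a: _cmp(v, a) < 0, "lessThanOrEqualTo": lambda v, a: _cmp(v, a) <= 0,
}
_CALL = re.compile(r"^\s*([A-Za-z]+)\s*\((.*)\)\s*$", re.S)  # keyword( ... )
_ARGS = re.compile(r"^\s*'([^']*)'\s*,\s*(?:'([^']*)'|\[(.*)\])\s*$", re.S)  # 'attr','v' or 'attr',[...]

def compile_filter(text: str, allowed_attrs: Optional[set] = None) -> Callable[[dict], bool]:
    """Turn a Table 5-1 filter string into a predicate over one target system record."""
    for sep, combine in (("|", any), ("&", all)):  # split on '|' first, so '&' binds tighter
        parts = _split_top(text, sep)
        if len(parts) > 1:
            preds = [compile_filter(p, allowed_attrs) for p in parts]
            return lambda rec: combine(p(rec) for p in preds)
    call = _CALL.match(text)
    if not call:
        raise FilterError(f"not a filter expression: {text.strip()!r}")
    name, body = call.groups()
    if name == "not":
        inner = compile_filter(body, allowed_attrs)
        return lambda rec: not inner(rec)
    if "*" in body:  # Table 5-1 note: filters with wildcard characters are not supported
        raise FilterError(f"wildcard characters are not supported: {body.strip()!r}")
    args = _ARGS.match(body)
    if not args or (name not in _OPS and name != "containsAllValues"):
        raise FilterError(f"unknown keyword or bad arguments: {text.strip()!r}")
    attr, value, values = args.groups()
    if allowed_attrs is not None and attr not in allowed_attrs:  # guideline on the Filter attribute
        raise FilterError(f"{attr!r} is not in the reconciliation attribute map")
    if (name == "containsAllValues") != (values is not None):
        raise FilterError(f"wrong argument form for {name}: {body.strip()!r}")
    if name == "containsAllValues":
        wanted = set(re.findall(r"'([^']*)'", values))
        return lambda rec: wanted <= set(_values(rec, attr))
    op = _OPS[name]
    return lambda rec: any(op(v, value) for v in _values(rec, attr))

def is_valid_filter(text: str, allowed_attrs: Optional[set] = None) -> bool:
    try:
        return compile_filter(text, allowed_attrs) is not None
    except FilterError:
        return False

def apply_filter(text: str, records: List[dict], allowed_attrs: Optional[set] = None) -> List[str]:
    """sAMAccountName of every record the filter selects, in input order."""
    pred = compile_filter(text, allowed_attrs)
    return [str(r["sAMAccountName"]) for r in records if pred(r)]

# Constructed sample records standing in for target system user objects.
SAMPLE_RECORDS: List[dict] = [
    {"sAMAccountName": "jdoe", "cn": "John Doe", "sn": "Doe", "userPrincipalName": "John.Doe@example.com",
     "employeeNumber": "1500", "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"sAMAccountName": "abrown", "cn": "Andy Brown", "sn": "Brown", "userPrincipalName": "abrown@example.com",
     "employeeNumber": "999", "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"sAMAccountName": "msmith", "cn": "Mark Smith", "sn": "Smith", "userPrincipalName": "msmith@example.com",
     "employeeNumber": "1000", "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"sAMAccountName": "svc-backup", "cn": "svc-backup", "employeeNumber": "20",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
]
```

Two behaviours are worth checking against your own filters before you save them on the job: greaterThan('employeeNumber','1000') must not select an employeeNumber of 999 (text order would put '999' after '1000'), and a record that lacks the attribute must not match lessThan or not(...) by accident; both are covered by the sample records above.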

5.2.2.3 Performing Limited Reconciliation By Using the Search Base Attribute

You can perform limited reconciliation by using the Search Base parameter of the reconciliation job.

By specifying a value for the Search Base parameter, you can limit the container from which the user, group, or organization records must be reconciled. This is the starting point for the search in the hierarchical structure for objects in Microsoft Active Directory.

5.2.3 Performing Batched Reconciliation

You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, specify values for the following parameters of the reconciliation jobs:

  • Batch Size: Use this parameter to specify the number of records that must be included in each batch.

  • Batch Start: Use this parameter to specify the record number from which batched reconciliation must begin.

  • Number of Batches: Use this parameter to specify the total number of batches that must be reconciled. The default value of this parameter is All. If you do not want to implement batched reconciliation, then accept the default value. When you accept the default value, the values of the Batch Size, Batch Start, Sort By, and Sort Direction parameters are ignored.

  • Sort By: Use this parameter to specify the name of the target system field by which the records in a batch must be sorted.

  • Sort Direction: Use this parameter to specify whether the records being fetched must be sorted in ascending or descending order. The value of this parameter can be either asc or desc.

If batched reconciliation fails, then you only need to rerun the reconciliation job without changing the values of the job parameters.

After completing batched reconciliation, if you want to perform incremental reconciliation, then specify the value of the highestCommittedUSN attribute (see Step 3 of Preupgrade Steps) as the value of the Latest Token parameter. From the next reconciliation run onward, the reconciliation engine automatically enters a value for the Latest Token parameter.

Note:

Sorting a large number of records on the target system fails during batched reconciliation. Therefore, it is recommended that you use the PageSize parameter of the Advanced Settings Parameters to fetch records from the target system instead.
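The following Python models the selection logic described in Performing Full Reconciliation and Incremental Reconciliation and in Performing Batched Reconciliation, so that the effect of Latest Token, Batch Size, Batch Start, Number of Batches, Sort By, and Sort Direction can be checked offline before a job is run against a real domain. It is an added example, not the connector's code, and its records and USN values are constructed. Assumptions of the example: Batch Start is a 1-based record number; a batched run leaves Latest Token unchanged (the text says to set it to highestCommittedUSN by hand afterwards); and a full or incremental run sets Latest Token to the domain controller's highestCommittedUSN, which the caller supplies.

```python
"""Model of the Latest Token and batching parameters described in the two sections above.
Added example, not the connector's code; the records and USN values are constructed."""
from typing import Dict, List, Optional, Tuple, Union

Record = Dict[str, object]


def select_changed(records: List[Record], latest_token: Optional[int]) -> List[Record]:
    """No token: full run, every record. Token: only records whose uSNChanged is above it."""
    if latest_token is None:
        return list(records)
    return [r for r in records if int(r["uSNChanged"]) > latest_token]


def select_batches(records: List[Record], batch_size: Optional[int], batch_start: Optional[int],
                   number_of_batches: Union[str, int], sort_by: str, sort_direction: str) -> List[Record]:
    """Apply Batch Size / Batch Start / Number of Batches / Sort By / Sort Direction.

    Number of Batches = 'All' (the default) disables batching; the other four
    parameters are then ignored, as the section states.
    """
    if number_of_batches == "All":
        return list(records)
    if sort_direction not in ("asc", "desc"):
        raise ValueError("Sort Direction must be 'asc' or 'desc'")
    if not batch_size or batch_size < 1 or not batch_start or batch_start < 1 or int(number_of_batches) < 1:
        raise ValueError("Batch Size, Batch Start and Number of Batches must be positive")
    # Sort on the target system field so that batch boundaries are stable across runs.
    ordered = sorted(records, key=lambda r: str(r.get(sort_by, "")), reverse=(sort_direction == "desc"))
    first = batch_start - 1  # Batch Start is taken as a 1-based record number (assumption)
    return ordered[first:first + batch_size * int(number_of_batches)]


def run_user_recon(records: List[Record], highest_committed_usn: int, latest_token: Optional[int] = None,
                   batch_size: Optional[int] = None, batch_start: Optional[int] = None,
                   number_of_batches: Union[str, int] = "All", sort_by: str = "sAMAccountName",
                   sort_direction: str = "asc") -> Tuple[List[str], Optional[int]]:
    """Return (sAMAccountNames reconciled, value of Latest Token after the run).

    highest_committed_usn stands for the highestCommittedUSN of the domain controller the
    IT resource points at; the caller supplies it here instead of reading the RootDSE.
    """
    picked = select_batches(select_changed(records, latest_token), batch_size, batch_start,
                            number_of_batches, sort_by, sort_direction)
    names = [str(r["sAMAccountName"]) for r in picked]
    if number_of_batches == "All":
        return names, highest_committed_usn  # full or incremental run: the token advances automatically
    return names, latest_token  # batched run: set Latest Token to highestCommittedUSN by hand afterwards


# Constructed records: a first snapshot of one DC, then the same DC after two changes.
DC_USN_BEFORE, DC_USN_AFTER = 4150, 4182
SNAPSHOT_BEFORE: List[Record] = [
    {"sAMAccountName": "jdoe", "uSNChanged": 4120}, {"sAMAccountName": "abrown", "uSNChanged": 4133},
    {"sAMAccountName": "msmith", "uSNChanged": 4096}, {"sAMAccountName": "svc-backup", "uSNChanged": 4150},
    {"sAMAccountName": "tlee", "uSNChanged": 4101},
]
SNAPSHOT_AFTER: List[Record] = [  # jdoe modified (USN 4171) and nnew created (USN 4182)
    {"sAMAccountName": "jdoe", "uSNChanged": 4171}, {"sAMAccountName": "abrown", "uSNChanged": 4133},
    {"sAMAccountName": "msmith", "uSNChanged": 4096}, {"sAMAccountName": "svc-backup", "uSNChanged": 4150},
    {"sAMAccountName": "tlee", "uSNChanged": 4101}, {"sAMAccountName": "nnew", "uSNChanged": 4182},
]
```

The token is only meaningful for the domain controller it came from: uSNChanged is a per-DC counter that is not replicated, so re-pointing the IT resource at another DC while keeping an old Latest Token silently skips changes (and with them, disablements and deletions you rely on for access removal). On the DC you are connected to, (Get-ADRootDSE).highestCommittedUSN in PowerShell returns the value the text refers to.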

5.3 Scheduled Jobs for Lookup Field Synchronization

Scheduled jobs for lookup field synchronization fetch the most recent values from specific fields in the target system to lookup definitions in Oracle Identity Governance. These lookup definitions are used as an input source for lookup fields in Oracle Identity Governance.

The following are the scheduled jobs for lookup field synchronization:

Note:

The procedure to configure these scheduled tasks is described later in the guide.

  • Active Directory Group Lookup Recon

    This scheduled task is used to synchronize group lookup fields in Oracle Identity Governance with group-related data in the target system.

  • Active Directory Organization Lookup Recon

    This scheduled task is used to synchronize organization lookup fields in Oracle Identity Governance with organization-related data in the target system.

Table 5-2 describes the attributes of both scheduled jobs.

Table 5-2 Attributes of the Scheduled Tasks for Lookup Field Synchronization

Attribute Description

Code Key Attribute

Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Depending on the scheduled job you are using, the default values are as follows:

  • For Active Directory Group Lookup Recon:

    distinguishedName

  • For Active Directory Organization Lookup Recon:

    distinguishedName

Note: You must not change the value of this attribute.

Decode Attribute

Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Depending on the scheduled job you are using, the default values are as follows:

  • For Active Directory Group Lookup Recon:

    distinguishedName

  • For Active Directory Organization Lookup Recon:

    distinguishedName

Filter

Enter a filter to filter out records to be stored in the lookup definition.

For more information about the Filter attribute, see Performing Limited Reconciliation.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile records.

Sample value: Active Directory

Lookup Name

Enter the name of the lookup definition in Oracle Identity Governance that must be populated with values fetched from the target system.

Note: If the lookup name that you specify as the value of this attribute is not present in Oracle Identity Governance, then this lookup definition is created while the scheduled job is run.

Depending on the scheduled job you are using, the default values are as follows:

  • For Active Directory Group Lookup Recon:

    Lookup.ActiveDirectory.Groups

  • For Active Directory Organization Lookup Recon:

    Lookup.ActiveDirectory.OrganizationalUnits

Object Type

This attribute holds the name of the type of object you want to reconcile.

Depending on the scheduled job you are using, the default values are as follows:

  • For Active Directory Group Lookup Recon:

    Group

  • For Active Directory Organization Lookup Recon:

    OrganizationalUnit

5.4 Configuring and Running Group Reconciliation

There are two scenarios in which group reconciliation can be performed.

Depending on the scenario in which you want to perform group reconciliation, perform one of the following procedures:

5.4.1 Reconciling Target System Groups into Individual Organizations

In this scenario, every target system group is reconciled into an organization of its own: the first reconciliation run creates an organization in Oracle Identity Governance with the name of each group available on the target system, and the second run reconciles each group into the organization created for it.

To perform group reconciliation in this scenario:

  1. Ensure that the value of the Configuration Lookup parameter of the IT resource is set to Lookup.Configuration.ActiveDirectory.
  2. Search for and open the Active Directory Group Recon scheduled job.
  3. Set the value of the Resource Object Name attribute of the scheduled job to Xellerate Organization. Note that you need not specify a value for the Organization Name attribute. If you specify a value for the Organization Name attribute, then the value is ignored.
  4. Run the Active Directory Group Recon scheduled job.
  5. After completion of the reconciliation run:
    • Clear the value in the Latest Token attribute of the scheduled job.

    • Specify AD Group as value of the Resource Object Name attribute of the scheduled job.

  6. Run the Active Directory Group Recon scheduled job again.
  7. In the Administrative and User Console, verify that an organization with the name of each group has been created and that the AD Group resource object is in the Provisioned state for that organization.

5.4.2 Reconciling Target System Groups into a Single Organization

This procedure describes how to perform group reconciliation when all groups available on the target system must be reconciled under the same organizational unit in Oracle Identity Governance. In other words, suppose a scenario in which you want all target system groups to be reconciled into a single organization.

To perform group reconciliation in this scenario:

  1. Log in to the Design Console.
  2. Expand Administration, and then double-click Lookup Definition.
  3. Search for and open the Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition.
  4. Change the Decode value of the OIM Org Name entry from sAMAccountName to Organization Name.
  5. Save and close the lookup definition.
  6. Log in to the Administrative and User Console.
  7. Search for and open the Active Directory Group Recon scheduled job, and then:
    • Clear the value in the Latest Token attribute.

    • In the Resource Object Name attribute field, specify AD Group as the value.

    • In the Organization Name attribute field, specify the name of an organizational unit under which all groups from the target system must be reconciled.

  8. Run the Active Directory Group Recon scheduled job.

5.5 Configuring and Running Organization Reconciliation

You can configure and run the scheduled job for organization reconciliation.

The following is the procedure to run the scheduled job for organization reconciliation:

  1. Ensure that the value of the Configuration Lookup parameter of the IT resource is set to Lookup.Configuration.ActiveDirectory.Trusted.
  2. Search for and open the Active Directory Organization Recon scheduled job.
  3. Set the value of the Resource Object Name attribute of the scheduled job to Xellerate Organization. This creates organizations in Oracle Identity Governance after the scheduled job is run.
  4. Run the Active Directory Organization Recon scheduled job.
  5. After completion of the reconciliation run:
    • Clear the value in the Latest Token attribute of the scheduled job.

    • Specify AD Organizational Unit as value of the Resource Object Name attribute of the scheduled job.

  6. Set the value of the Configuration Lookup parameter of the IT resource to Lookup.Configuration.ActiveDirectory.
  7. Run the Active Directory Organization Recon scheduled job again.
  8. In the Administrative and User Console, verify that the AD Organizational Unit resource object is provisioned to the organizations created by the first run of the job (Steps 3 and 4 of this section).

Note:

Organizations created in OIM are not linked to OU objects in Microsoft Active Directory. The connector does not support creating OU objects in OIM and provisioning them to Microsoft Active Directory; OUs must be created directly in Active Directory Domain Services.

In addition, as a best practice, ensure that all newly created OUs and other objects are fetched into OIM from the target system by running trusted source reconciliation.

5.6 Configuring Reconciliation Jobs

Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.

You can apply this procedure to configure the reconciliation jobs for users and entitlements.

To configure a reconciliation job:
  1. Log in to Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled job as follows:
    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type. See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Governance.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

5.7 Performing Provisioning Operations

You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

  1. Log in to Identity Self Service.
  2. Create a user as follows:
    1. In Identity Self Service, click Manage. The Home tab displays the Manage options. Click Users. The Manage Users page is displayed.
    2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
    3. Enter details of the user in the Create User page.
  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
  5. Specify value for fields in the application form and then click Ready to Submit.
  6. Click Submit.

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page

5.8 Connector Objects Used for Groups Management

Learn about the objects that are used by the connector to perform group management operations such as create, update, and delete.

5.8.1 Preconfigured Lookup Definitions for Group Operations

The lookup definitions for Groups are automatically created in Oracle Identity Governance after you create the application by using the connector.

5.8.1.1 Lookup.ActiveDirectory.GM.Configuration

The Lookup.ActiveDirectory.GM.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.

Table 5-3 lists the default entries in this lookup definition.

Table 5-3 Entries in the Lookup.ActiveDirectory.GM.Configuration Lookup Definition

Code Key | Decode | Description
Provisioning Attribute Map | Lookup.ActiveDirectory.GM.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.ActiveDirectory.GM.ProvAttrMap for more information about this lookup definition.
Provisioning Validation Lookup | Lookup.ActiveDirectory.GM.ProvValidation | This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.
Recon Attribute Defaults | Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults | This entry holds the name of the lookup definition that maps fields on the group form and their default values. See Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults for more information about this lookup definition.
Recon Attribute Map | Lookup.ActiveDirectory.GM.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.ActiveDirectory.GM.ReconAttrMap for more information about this lookup definition.
Recon Transformation Lookup | Lookup.ActiveDirectory.GM.ReconTransformation | This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during group reconciliation. See Configuring Transformation of Data During Reconciliation for Groups and Organizational Units for more information about adding entries in this lookup definition.
Recon Validation Lookup | Lookup.ActiveDirectory.GM.ReconValidation | This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during group reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.

5.8.1.2 Lookup.ActiveDirectory.GM.ProvAttrMap

The Lookup.ActiveDirectory.GM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and is used during group provisioning operations.

You can add entries in this lookup definition if you want to map new target system attributes for provisioning.

Table 5-4 Default Entries in the Lookup.ActiveDirectory.GM.ProvAttrMap

Group Field on Oracle Identity Governance (Code Key) | Target System Field (Decode) | Description
__NAME__ | __NAME__="CN=${Group_Name},${Organization_Name}" | Group name with full DN
Display Name | displayName | Display name for a group
Group Name | sAMAccountName | Group name
Group Type | groupType | Group type
Organization Name[LOOKUP,IGNORE] | IGNORED | Name of the organization to which the group belongs
Unique Id | __UID__ | Object GUID of the group

5.8.1.3 Lookup.ActiveDirectory.GM.ReconAttrMap

The Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is preconfigured and used for performing target resource group reconciliation runs.

Table 5-5 lists the group fields of the target system from which values are fetched during reconciliation. The Active Directory Group Recon scheduled job is used to reconcile group data.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation.

Table 5-5 Entries in the Lookup.ActiveDirectory.GM.ReconAttrMap

Group Field on Oracle Identity Governance (Code Key) | Microsoft Active Directory Field (Decode) | Description
Display Name | displayName | Display name for a group
Group name | sAMAccountName | Group name
Group Type | groupType | Group type
OIM Org Name | sAMAccountName | OIM organization name. Note that this value does not contain the DN.
Organization Name[LOOKUP] | ad_container | Organization name with DN format. For example, OU=Org1,DC=example,dc=com
Org Name | sAMAccountName | Organization name without DN format
Org Type | OIM Organization Type | Organization type
Unique Id | __UID__ | Object GUID of the group

5.8.1.4 Lookup.ActiveDirectory.GM.ProvValidation

The Lookup.ActiveDirectory.GM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during group provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.

5.8.1.5 Lookup.ActiveDirectory.GM.ReconTransformation

The Lookup.ActiveDirectory.GM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during group reconciliation. See Configuring Transformation of Data During Reconciliation for Groups and Organizational Units for more information about adding entries in this lookup definition.

5.8.1.6 Lookup.ActiveDirectory.GM.ReconValidation

The Lookup.ActiveDirectory.GM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during group reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.

5.8.1.7 Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults

The Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults lookup definition holds mappings between reconciliation fields (for group) and their default values. This lookup definition is used when there is a mandatory field on the group form, but no corresponding field in the target system from which values can be fetched during group reconciliation.

This lookup definition is empty by default. If you add entries to this lookup definition, then the Code Key and Decode values must be in the following format:

Code Key: Name of the reconciliation field of the AD Group resource object

Decode: Corresponding default value to be displayed

For example, assume a field named Group ID is a mandatory field on the group form. Suppose the target system contains no field that stores information about the group ID for an account. During reconciliation, no value for the Group ID field is fetched from the target system. However, as the Group ID field cannot be left empty, you must specify a value for this field. Therefore, create an entry in this lookup definition with the Code Key value set to Group ID and Decode value set to GRP1223. This implies that the value of the Group ID field on the group form displays GRP1223 for all accounts reconciled from the target system.

5.8.1.8 Lookup.ActiveDirectory.GroupTypes

The Lookup.ActiveDirectory.GroupTypes lookup definition holds information about group types that you can select for the group that you create through Oracle Identity Governance. The following is the format of the Code Key and Decode values in this lookup definition:

Code Key: Group type code on the target system

Decode: Corresponding group type to be displayed in the Group Type lookup field of the OIM User form
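
The following Python example is added here and is not code from the Oracle documentation or from the connector. It shows how the Code Key and Decode pairs described above can be derived from the groupType bit flags that Microsoft documents for Active Directory (the flag values are not listed on this page). That a Code Key is the signed 32-bit groupType value exactly as AD stores it, and the function names, are assumptions; the example decodes a code into its display text and generates the six ordinary scope/security combinations.

```python
# Microsoft's groupType bit flags (assumption: taken from the AD schema
# documentation; this page only says the Code Key is the target system code).
GROUP_TYPE_SECURITY_ENABLED = 0x80000000
_SCOPE_FLAGS = {
    0x00000002: "Global",
    0x00000004: "Domain Local",
    0x00000008: "Universal",
}


def decode_group_type(code) -> str:
    """Turn a groupType value, as AD stores it (a signed 32-bit integer),
    into the text to show in the Group Type lookup field."""
    bits = int(code) & 0xFFFFFFFF  # view the signed value as its 32-bit pattern
    scopes = [name for flag, name in _SCOPE_FLAGS.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {code} does not select exactly one group scope")
    kind = "Security" if bits & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    return f"{scopes[0]} {kind} Group"


def to_signed32(bits: int) -> int:
    """Convert a 32-bit pattern to the signed form in which AD exposes groupType."""
    return bits - (1 << 32) if bits & 0x80000000 else bits


def build_group_types_lookup() -> dict:
    """Produce Code Key (target system code) -> Decode (display text) pairs
    for all six ordinary scope/security combinations."""
    entries = {}
    for scope_flag in _SCOPE_FLAGS:
        for security in (0, GROUP_TYPE_SECURITY_ENABLED):
            code = to_signed32(scope_flag | security)
            entries[str(code)] = decode_group_type(code)
    return entries


if __name__ == "__main__":
    for key, decode in sorted(build_group_types_lookup().items(), key=lambda kv: int(kv[0])):
        print(f"{key:>12}  {decode}")
```

Security-enabled groups carry the high bit, so their codes are negative when read as signed integers; a lookup that lists only the positive distribution-group codes would leave security groups without a display value.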

5.8.2 Reconciliation Scheduled Jobs for Groups Management

After you create an application, reconciliation scheduled jobs are automatically created in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for its attributes.

You must specify values for the attributes of the following scheduled jobs:

5.8.2.1 Active Directory Group Recon

Use the Active Directory Group Recon scheduled job to reconcile group data from the target system.

Table 5-6 Attributes of the Active Directory Group Recon Scheduled Job

Attribute Description

Filter

Expression for filtering records. See Performing Limited Reconciliation By Using Filters for more information.

Default value: None

Note: While creating filters, ensure that you use attributes specific to Groups.

Incremental Recon Attribute

Enter the name of the target system attribute that holds a non-decreasing value (numeric or string) that changes whenever a record is updated.

The value in this attribute is used during incremental reconciliation to identify the most recently updated record that was reconciled from the target system.

Default value: uSNChanged

Note: Do not change the value of this attribute.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile group or organization data.

Default value: Active Directory

Latest Token

This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation.

Sample value: 0

Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups or organizational units whose uSNChanged value is greater than the Latest Token attribute value are reconciled.

Object Type

Type of object to be reconciled.

Default value: Group

Organization Name

Enter the name of the organization to which all groups fetched from the target system are linked.

See Configuring and Running Group Reconciliation for more information on the usage of this attribute.

Organization Type

Type of organization to be created in Oracle Identity Governance.

Default value: Company

Resource Object Name

Name of the resource object that is used for reconciliation.

Default value: AD Group

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Default value: Active Directory Group Recon

Search Base

Enter the container in which the search for group records must be performed during reconciliation.

Sample Value: ou=org1,dc=corp,dc=com

Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute.

Search Scope

Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs.

Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base attribute. Child containers of the specified container are not included in the search. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU.

Note: If you want to enter onelevel, then ensure that you do not include a space between "one" and "level."

Default value: subtree

5.8.2.2 Active Directory Group Delete Recon

Use the Active Directory Group Delete Recon scheduled job to reconcile data about deleted groups.

Table 5-7 Attributes of the Active Directory Group Delete Recon Scheduled Job

Attribute Description

Delete Recon

Specifies whether delete reconciliation must be performed.

Default value: yes

Note: Do not change the value of this attribute.

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile group data.

Default value: Active Directory

Object Type

This attribute holds the type of object you want to reconcile.

Default value: Group

Resource Object Name

Enter the name of the resource object against which reconciliation runs must be performed.

Default value: AD Group

Scheduled Task Name

This attribute holds the name of the scheduled task.

Default value: Active Directory Group Delete Recon

Sync Token

This attribute must be left blank when you run delete reconciliation for the first time. This ensures that data about all records that have been deleted from the target system is fetched into Oracle Identity Governance.

After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that are deleted since the last reconciliation run ended are fetched into Oracle Identity Governance.

This attribute stores values in the following format:

<String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>

A value of True in the preceding format specifies that the Global Catalog Server is used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller on which the Global Catalog Server is running.

A value of False specifies that the Global Catalog Server is not used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller from which data about deleted records is fetched.

Organization Name

Enter the name of the organization to which data about all deleted groups fetched from the target system is linked.

There are two scenarios in which group reconciliation is performed. These scenarios are described in Configuring and Running Group Reconciliation.

If you have configured the connector to perform group reconciliation in scenario 1, then you need not specify a value for this attribute. In case you specify a value, it is ignored by the connector.

If you have configured the connector to perform group reconciliation in scenario 2, then enter the same organization name specified for the Organization Name attribute of the Active Directory Group Recon scheduled job.
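
As an added example (not code from the Oracle documentation or from the connector), the following Python parser validates a Sync Token string in the format shown above, serializes it back, and checks that a token found in the scheduled job after a run is a plausible successor of the previously stored one. The host-name check applied to DOMAIN_CONTROLLER, the class and function names, and the sample token values are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Wrapper and field layout of the Sync Token:
# <String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>
_WRAPPER_RE = re.compile(r"^<String>(.*)</String>$")
# Host-name syntax accepted for DOMAIN_CONTROLLER (assumption: a DNS host name or FQDN).
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


@dataclass(frozen=True)
class SyncToken:
    usn_changed: int          # uSNChanged high-water mark on the named domain controller
    global_catalog: bool      # True: the Global Catalog Server was used for delete reconciliation
    domain_controller: str    # domain controller the USN belongs to

    def serialize(self) -> str:
        """Render the token back into the connector's serialized format."""
        flag = "True" if self.global_catalog else "False"
        return f"<String>0|{self.usn_changed}|{flag}|{self.domain_controller}</String>"


def parse_sync_token(raw: str) -> SyncToken:
    """Parse and validate a Sync Token string; raise ValueError on any deviation."""
    m = _WRAPPER_RE.match(raw.strip())
    if not m:
        raise ValueError("Sync Token must be wrapped in <String>...</String>")
    fields = m.group(1).split("|")
    if len(fields) != 4:
        raise ValueError(f"expected 4 '|'-separated fields, got {len(fields)}")
    prefix, usn, flag, dc = fields
    if prefix != "0":
        raise ValueError(f"first field must be 0, got {prefix!r}")
    if not usn.isdigit():
        raise ValueError(f"uSNChanged must be a non-negative integer, got {usn!r}")
    if flag not in ("True", "False"):
        raise ValueError(f"Global Catalog flag must be True or False, got {flag!r}")
    if not _HOST_RE.match(dc):
        raise ValueError(f"domain controller name {dc!r} is not a valid host name")
    return SyncToken(int(usn), flag == "True", dc)


def token_is_successor(previous: SyncToken, current: SyncToken) -> bool:
    """Check that a stored token was advanced by a later run rather than
    replaced by an unrelated one. uSNChanged counters are local to one domain
    controller, so a token naming a different controller (or switching between
    Global Catalog and plain DC) is not comparable with the previous one, and a
    USN that went backwards would make the next run re-fetch deleted records."""
    return (
        previous.domain_controller.lower() == current.domain_controller.lower()
        and previous.global_catalog == current.global_catalog
        and current.usn_changed >= previous.usn_changed
    )


if __name__ == "__main__":
    # Constructed sample token, not a value captured from a real deployment.
    token = parse_sync_token("<String>0|4711|False|dc01.corp.example.com</String>")
    print(token, token.serialize())
```

Because the connector writes this attribute itself, a parser like this is mainly useful in operational checks: confirming after each run that the stored token still names the expected domain controller and that the USN only moves forward.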

5.8.3 Reconciliation Rules and Action Rules for Groups Management

Reconciliation rules are used by the reconciliation engine to determine the identity to which Oracle Identity Governance must assign a newly discovered account on the target system. Reconciliation action rules define the actions that the connector must perform based on the reconciliation rules.

5.8.3.1 Reconciliation Rule for Groups

The following is the process-matching rule for groups:

Rule name: AD Group

Rule element: Organization Name Equals OIM Org Name

In this rule element:

  • Organization Name is the Organization Name field of the OIM User form.

  • OIM Org Name is the name of the group in Oracle Identity Governance. OIM Org Name is the value specified in the Organization Name attribute of the Active Directory Group Recon scheduled job.

5.8.3.2 Reconciliation Action Rules for Groups

Table 5-8 lists the action rules for groups reconciliation.

Table 5-8 Action Rules for Reconciliation

Rule Condition | Action
No Matches Found | Assign to Authorizer With Least Load
One Entity Match Found | Establish Link
One Process Match Found | Establish Link

5.8.3.3 Viewing Reconciliation Rules

After you create the application by using the connector, you can view the reconciliation rule by performing the following steps:

  1. Log in to the Oracle Identity Governance Design Console.
  2. Expand Development Tools.
  3. Double-click Reconciliation Rules.
  4. Search for the AD Group rule. Figure 5-1 shows the reconciliation rule for groups.

    Figure 5-1 Reconciliation Rule for Groups

5.8.3.4 Viewing Reconciliation Action Rules

After you create the application by using the connector, you can view the reconciliation action rules for groups by performing the following steps:

  1. Log in to the Design Console.
  2. Expand Resource Management, and double-click Resource Objects.
  3. Search for and open the AD Group resource object.
  4. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 5-2 shows the reconciliation action rules for groups.

    Figure 5-2 Reconciliation Action Rules for Groups


5.9 Connector Objects Used for Organizational Units Management

Learn about the objects that are used by the connector to perform organizational units management operations such as create, update, and delete.

5.9.1 Preconfigured Lookup Definitions for Organizational Unit Operations

The lookup definitions for Organizational Units are automatically created in Oracle Identity Governance after you create the application by using the connector.

5.9.1.1 Lookup.ActiveDirectory.OM.Configuration

The Lookup.ActiveDirectory.OM.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.

Table 5-9 lists the default entries in this lookup definition.

Table 5-9 Entries in the Lookup.ActiveDirectory.OM.Configuration Lookup Definition

Code Key | Decode | Description
Provisioning Attribute Map | Lookup.ActiveDirectory.OM.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.ActiveDirectory.OM.ProvAttrMap for more information about this lookup definition.
Provisioning Validation Lookup | Lookup.ActiveDirectory.OM.ProvValidation | This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.
Recon Attribute Defaults | Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults | This entry holds the name of the lookup definition that maps fields on the organizational unit form and their default values. See Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults for more information about this lookup definition.
Recon Attribute Map | Lookup.ActiveDirectory.OM.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.ActiveDirectory.OM.ReconAttrMap for more information about this lookup definition.
Recon Transformation Lookup | Lookup.ActiveDirectory.OM.ReconTransformation | This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during organizational unit reconciliation. See Configuring Transformation of Data During Reconciliation for Groups and Organizational Units for more information about adding entries in this lookup definition.
Recon Validation Lookup | Lookup.ActiveDirectory.OM.ReconValidation | This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.

5.9.1.2 Lookup.ActiveDirectory.OM.Configuration.Trusted

The Lookup.ActiveDirectory.OM.Configuration.Trusted lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during trusted source reconciliation runs for organizational units.

Table 5-10 lists the default entries in this lookup definition.

Table 5-10 Entries in the Lookup.ActiveDirectory.OM.Configuration.Trusted Lookup Definition

Code Key | Decode | Description
Recon Attribute Defaults | Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults | This entry holds the name of the lookup definition that maps fields on the organizational unit form and their default values. See Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults for more information about this lookup definition.
Recon Attribute Map | Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted for more information about this lookup definition.

5.9.1.3 Lookup.ActiveDirectory.OM.ProvAttrMap

The Lookup.ActiveDirectory.OM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and used during provisioning.

You can add entries in this lookup definition if you want to map new target system attributes for provisioning.

Table 5-11 Entries in the Lookup.ActiveDirectory.OM.ProvAttrMap

Organizational Unit Field on Oracle Identity Governance (Code Key) | Target System Field (Decode) | Description
__NAME__ | __NAME__="OU=$(Display_Name),$(Container)" | Organizational unit name with full DN
Container[LOOKUP,IGNORE] | IGNORED | Organization name with DN format. For example, OU=org1,dc=example,dc=com
Display Name[IGNORE] | IGNORED | Display name for an organizational unit
Unique Id | __UID__ | Object GUID of the organizational unit
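
The __NAME__ templates in Table 5-4 (CN=${Group_Name},${Organization_Name}) and Table 5-11 (OU=$(Display_Name),$(Container)) build a full DN from process form values. The following Python example, added here and not taken from the Oracle documentation or from the connector, expands such a template while escaping the form-entered RDN value according to RFC 4514, so that a name containing a comma or another DN metacharacter cannot add extra RDNs or place the object in a different container than the one selected on the form. The placeholder regex, the rdn_fields parameter, the function names and the form values are constructed assumptions about how such a check could be written, for instance as the kind of validation the Provisioning Validation Lookup is meant for.

```python
import re

# Characters that RFC 4514 requires to be escaped anywhere inside an attribute value.
_SPECIAL = set(',+"\\<>;')
# Placeholder syntax used by the __NAME__ templates on this page: ${Field} and $(Field).
_PLACEHOLDER_RE = re.compile(r"\$[{(](\w+)[})]")


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value (RFC 4514 section 2.4) so that it cannot
    introduce extra RDNs or alter the parent container of the resulting DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def render_name(template: str, form: dict, rdn_fields: set) -> str:
    """Expand a __NAME__ template such as 'CN=${Group_Name},${Organization_Name}'.

    Fields in rdn_fields are single RDN values typed on the process form and are
    escaped; the remaining fields (the parent container) are already DNs chosen
    from a lookup and are inserted unchanged."""
    def substitute(match):
        key = match.group(1)
        if key not in form:
            raise KeyError(f"template field {key!r} is missing from the form")
        return escape_rdn_value(form[key]) if key in rdn_fields else form[key]
    return _PLACEHOLDER_RE.sub(substitute, template)


def render_name_unescaped(template: str, form: dict) -> str:
    """Plain substitution with no escaping, kept only to contrast with render_name."""
    return _PLACEHOLDER_RE.sub(lambda m: form[m.group(1)], template)


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings, honouring backslash escapes, so the
    number of RDNs in a rendered DN can be checked against the template."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current))
    return parts


GROUP_TEMPLATE = "CN=${Group_Name},${Organization_Name}"
OU_TEMPLATE = "OU=$(Display_Name),$(Container)"

if __name__ == "__main__":
    # Constructed form input: a group name that contains a comma.
    form = {"Group_Name": "Sales, EMEA", "Organization_Name": "OU=Groups,DC=example,DC=com"}
    print(render_name(GROUP_TEMPLATE, form, {"Group_Name"}))
    print(render_name(OU_TEMPLATE, {"Display_Name": "R&D", "Container": "DC=example,DC=com"}, {"Display_Name"}))
```

A rendered DN should have exactly one more RDN than the container chosen from the Organization Name or Container lookup; split_dn makes that check simple, and render_name_unescaped shows why the check fails without escaping.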

5.9.1.4 Lookup.ActiveDirectory.OM.ReconAttrMap

The Lookup.ActiveDirectory.OM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is preconfigured and used for performing target resource reconciliation runs for organizational units.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation.

Table 5-12 Default Entries in the Lookup.ActiveDirectory.OM.ReconAttrMap

Organization Field on Oracle Identity Governance (Code Key) | Microsoft Active Directory Field (Decode) | Description
Container[LOOKUP] | ad_container | Organization name with DN format. For example, OU=org1,dc=example,dc=com
Display Name | ou | Display name for an organizational unit
Unique Id | __UID__ | Object GUID of the organizational unit

5.9.1.5 Lookup.ActiveDirectory.OM.ProvValidation

The Lookup.ActiveDirectory.OM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations for organizational units. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.

5.9.1.6 Lookup.ActiveDirectory.OM.ReconTransformation

The Lookup.ActiveDirectory.OM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during reconciliation of organizational units. See Configuring Transformation of Data During Reconciliation for Groups and Organizational Units for more information about adding entries in this lookup definition.

5.9.1.7 Lookup.ActiveDirectory.OM.ReconValidation

The Lookup.ActiveDirectory.OM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.

5.9.1.8 Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted

The Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is preconfigured and used during trusted source reconciliation runs for organizational units. Table 5-13 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation.

Table 5-13 Default Entries in the Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted Lookup Definition

OIM User Form Field (Code Key) | Target System Field (Decode)
Org Name | ou

5.9.1.9 Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults

The Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults lookup definition holds mappings between fields on the organizational unit form and their default values. This lookup definition is used when there is a mandatory field on the organizational unit form, but no corresponding field in the target system from which values can be fetched during organizational unit reconciliation.

This lookup definition is empty by default. If you add entries to this lookup definition, then the Code Key and Decode values must be in the following format:

Code Key: Name of the reconciliation field of the AD Organizational Unit resource object

Decode: Corresponding default value to be displayed

For example, assume a field named Organization ID is a mandatory field on the organizational unit form. Suppose the target system contains no field that stores information about the organization ID for an account. During reconciliation, no value for the Organization ID field is fetched from the target system. However, as the Organization ID field cannot be left empty, you must specify a value for this field. Therefore, create an entry in this lookup definition with the Code Key value set to Organization ID and Decode value set to ORG1332. This implies that the value of the Organization ID field on the organizational unit form displays ORG1332 for all accounts reconciled from the target system.

5.9.2 Reconciliation Scheduled Job for Organization Unit Management

You use the Active Directory Organization Recon scheduled job to reconcile organizational unit data from the target system. This scheduled job is automatically created in Oracle Identity Governance after you create an application. You must configure this scheduled job to suit your requirements by specifying values for its attributes.

Table 5-14 Attributes of the Active Directory Organization Recon Scheduled Job

Attribute Description

Filter

Expression for filtering records. See Performing Limited Reconciliation By Using Filters for more information.

Default value: None

Note: While creating filters, ensure that you use attributes specific to Organizational Units.

Incremental Recon Attribute

Enter the name of the target system attribute that holds a non-decreasing value (numeric or string) that changes whenever a record is updated.

The value in this attribute is used during incremental reconciliation to identify the most recently updated record that was reconciled from the target system.

Default value: uSNChanged

Note: Do not change the value of this attribute.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile organization data.

Default value: Active Directory

Latest Token

This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation.

Sample value: 0

Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups or organizational units whose uSNChanged value is greater than the Latest Token attribute value are reconciled.

Object Type

Type of object to be reconciled.

Default value: organizationalUnit

Resource Object Name

Name of the resource object that is used for reconciliation.

Default value: Xellerate Organization

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Default value: Active Directory Organization Recon

Search Base

Enter the container in which the search for organization records must be performed during reconciliation.

Sample Value: ou=org1,dc=corp,dc=com

Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute.

Search Scope

Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs.

Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base attribute. Child containers of the specified container are not included in the search. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU.

Note: If you want to enter onelevel, then ensure that you do not include a space between "one" and "level."

Default value: subtree
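
The following Python example, added here and not taken from the Oracle documentation or from the connector, models the Search Base, Search Scope, Incremental Recon Attribute and Latest Token semantics that Table 5-6 (Active Directory Group Recon) and Table 5-14 (Active Directory Organization Recon) describe: it filters constructed sample entries by subtree or onelevel scope, rejects the misspelled scope "one level", reconciles only records whose uSNChanged exceeds the stored token, and computes the token to store for the next run. The class and function names are assumptions, the sample DNs and uSNChanged values are constructed, and only objects inside the search base container are considered (whether the base entry itself is returned is not covered).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryEntry:
    """A group or OU as returned by the target system (constructed sample data)."""
    dn: str
    usn_changed: int  # AD uSNChanged: a per-domain-controller, non-decreasing update counter


def dn_components(dn: str) -> list:
    """Split a DN into its RDNs for comparison. RDN matching in AD is
    case-insensitive, so components are lower-cased. The sample DNs here
    contain no escaped commas, so a plain split is enough."""
    return [part.strip().lower() for part in dn.split(",")]


def in_search_scope(entry_dn: str, search_base: str, search_scope: str) -> bool:
    """Apply the Search Base / Search Scope semantics of the scheduled job:
    'subtree' covers objects in the base container and in every container
    below it; 'onelevel' covers only objects placed directly in the base
    container. Any other value, including 'one level' with a space, is rejected."""
    scope = search_scope.strip().lower()
    if scope not in ("subtree", "onelevel"):
        raise ValueError(f"Search Scope must be 'subtree' or 'onelevel', got {search_scope!r}")
    entry, base = dn_components(entry_dn), dn_components(search_base)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False  # the entry does not sit underneath the search base
    depth = len(entry) - len(base)  # 1 = directly in the base container
    return depth == 1 if scope == "onelevel" else True


def incremental_recon(entries, search_base, search_scope, latest_token):
    """Select the records one reconciliation run would process and compute the
    Latest Token to store for the next run: only records inside the search
    scope whose uSNChanged is greater than the stored token are reconciled,
    and the token advances to the highest uSNChanged seen."""
    hits = [
        e for e in entries
        if in_search_scope(e.dn, search_base, search_scope) and e.usn_changed > latest_token
    ]
    new_token = max([latest_token] + [e.usn_changed for e in hits])
    return hits, new_token


# Constructed sample data: three groups under OU=abc and one elsewhere.
SAMPLE_ENTRIES = [
    DirectoryEntry("CN=Sales,OU=abc,DC=corp,DC=com", 1000),
    DirectoryEntry("CN=Interns,OU=hr,OU=abc,DC=corp,DC=com", 1800),
    DirectoryEntry("cn=Finance,ou=ABC,dc=corp,dc=com", 2500),
    DirectoryEntry("CN=Other,OU=xyz,DC=corp,DC=com", 3000),
]

if __name__ == "__main__":
    base = "OU=abc,DC=corp,DC=com"
    for scope in ("subtree", "onelevel"):
        hits, token = incremental_recon(SAMPLE_ENTRIES, base, scope, 0)
        print(scope, [h.dn for h in hits], "next Latest Token:", token)
```

Note that the token only advances over records inside the search scope: an object outside the Search Base with a higher uSNChanged (CN=Other in the sample) neither gets reconciled nor moves the token, which is why widening the Search Base later still picks up older changes there.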

5.9.3 Reconciliation Rules and Action Rules for Organizational Units Management

Reconciliation rules are used by the reconciliation engine to determine the identity to which Oracle Identity Governance must assign a newly discovered account on the target system. Reconciliation action rules define the actions that the connector must perform based on the reconciliation rules.

5.9.3.1 Reconciliation Rule for Organizational Units

The following is the process-matching rule for organizational units:

Rule name: AD Organizational Unit

Rule element: Organization Name Equals Display Name

In this rule element:

  • Organization Name is the Organization Name field of the OIM User form.

  • Display Name is the name of an organizational unit in Oracle Identity Governance.

5.9.3.2 Reconciliation Action Rules for Organizational Units

Table 5-15 lists the action rules for organizational unit reconciliation.

Table 5-15 Action Rules for Reconciliation

Rule Condition | Action
No Matches Found | Assign to Authorizer With Least Load
One Entity Match Found | Establish Link
One Process Match Found | Establish Link

5.9.3.3 Viewing Reconciliation Rules

After you create the application by using the connector, you can view the reconciliation rule by performing the following steps:

  1. Log in to the Oracle Identity Governance Design Console.
  2. Expand Development Tools.
  3. Double-click Reconciliation Rules.
  4. Search for the AD Organizational Unit Recon Rule rule. Figure 5-3 shows the reconciliation rule for organizational units.

    Figure 5-3 Reconciliation Rule for Organizational Unit

5.9.3.4 Viewing Reconciliation Action Rules

After you create the application by using the connector, you can view the reconciliation action rules for organizational units by performing the following steps:

  1. Log in to the Design Console.
  2. Expand Resource Management, and double-click Resource Objects.
  3. Search for and open the AD Organizational Unit resource object.
  4. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 5-4 shows the reconciliation action rules for organizational units.

    Figure 5-4 Reconciliation Action Rules for Organizational Unit


5.10 Uninstalling the Connector

Uninstalling the connector deletes all the account-related data associated with its resource objects.

If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for the ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector (for example, ActiveDirectory User; ActiveDirectory Group) as the value of the ObjectValues property.

Note:

If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the utility deletes only the objects listed in the ObjectValues property and skips the connector information.

For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.