3 Configuring the SAP User Management Engine Connector

While creating a target application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.

3.1 Basic Configuration Parameters

These are the connection-related parameters that Oracle Identity Governance requires to connect to target applications.

Table 3-1 Parameters in the Basic Configuration Section for the SAP UME Connector with SoD

Parameters Mandatory? Description
Connector Server Name No If you created an IT resource of the type "Connector Server," then enter its name.

Note: Enter a value for this parameter only if you have deployed the SAP UME connector in the Connector Server.

changePwdFlag Yes For accounts created through Oracle Identity Governance, password management can be configured by using the changePwdFlag and dummyPassword parameters of the basic configuration parameters.

Default value: no

See Configuring Password Changes for Newly Created Accounts for more information about this parameter.

dummyPassword Yes Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form.
enableDate Yes Enter the date in the YYYY-MM-DD format to enable a user with end date as default value.

Default value: 2500-12-31

logSPMLRequst No Enter yes to specify that the SPML requests being sent to the target system be written to the log file. Otherwise, enter no.
logonNameInitialSubstring Yes Enter the set of characters to support full reconciliation for the English language. For other languages, enter all characters of that language.

Sample value: abcdefghijklmnopqrstuvwxyz1234567890

pwdHandlingSupport Yes If SAP User Management Engine is configured with an LDAP-based data source in writable mode, then SSL configuration between SAP User Management Engine and the LDAP-based data source is mandatory for password management. In such a scenario, if SSL is not configured between SAP User Management Engine and the LDAP-based data source and password need not be maintained from SAP User Management Engine, then set the value of this parameter to no. Otherwise, set the value of this parameter to yes.

Default value: yes

TopologyName No Name of the topology of the target system host computer.
umePassword Yes Enter the password of the target system user account that you create for connector operations.

See Creating a Target System User Account for Connector Operations for more information.

umeUrl Yes
  • If you configure SSL to secure communication between the target system and Oracle Identity Governance, then enter the URL for the SPML service in the following format:

    https://HOSTNAME:SSL_PORT/spml/spmlservice

  • If you do not configure SSL between the target system and Oracle Identity Governance, then enter the URL for the SPML service in the following format: http://HOSTNAME:PORT/spml/spmlservice

Sample value: http://myhost:50000/spml/spmlservice

umeUserId Yes Enter the user ID of the target system user account that you create for connector operations.

See Creating a Target System User Account for Connector Operations for more information.

Table 3-2 Parameters in the Basic Configuration Section for the SAP AC UME Connector

Parameters Mandatory? Description
Connector Server Name No If you created an IT resource of the type "Connector Server," then enter its name.

Note: Enter a value for this parameter only if you have deployed the SAP UME connector in the Connector Server.

changePwdFlag Yes For accounts created through Oracle Identity Governance, password management can be configured by using the changePwdFlag and dummyPassword parameters of the basic configuration parameters.

Default value: no

See Configuring Password Changes for Newly Created Accounts for more information about this parameter.

dummyPassword Yes Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form.
enableDate Yes Enter the date in the YYYY-MM-DD format to enable a user with end date as default value.

Default value: 2500-12-31

logSPMLRequst No Enter yes to specify that the SPML requests being sent to the target system be written to the log file. Otherwise, enter no.
logonNameInitialSubstring Yes Enter the set of characters to support full reconciliation for the English language. For other languages, enter all characters of that language.

Sample value: abcdefghijklmnopqrstuvwxyz1234567890

pwdHandlingSupport Yes If SAP User Management Engine is configured with an LDAP-based data source in writable mode, then SSL configuration between SAP User Management Engine and the LDAP-based data source is mandatory for password management. In such a scenario, if SSL is not configured between SAP User Management Engine and the LDAP-based data source and password need not be maintained from SAP User Management Engine, then set the value of this parameter to no. Otherwise, set the value of this parameter to yes.

Default value: yes

TopologyName No Name of the topology of the target system host computer.
umePassword Yes Enter the password of the target system user account that you create for connector operations.

See Creating a Target System User Account for Connector Operations for more information.

umeUrl Yes
  • If you configure SSL to secure communication between the target system and Oracle Identity Governance, then enter the URL for the SPML service in the following format:

    https://HOSTNAME:SSL_PORT/spml/spmlservice

  • If you do not configure SSL between the target system and Oracle Identity Governance, then enter the URL for the SPML service in the following format: http://HOSTNAME:PORT/spml/spmlservice

Sample value: http://myhost:50000/spml/spmlservice

umeUserId Yes Enter the user ID of the target system user account that you create for connector operations.

See Creating a Target System User Account for Connector Operations for more information.

grcLanguage Yes This parameter defines the language in which the connector sends requests to the SAP GRC system.

Value: en

Note: This parameter is applicable only to the SAP AC UME connector.

grcPassword Yes This parameter holds the password for accessing the SAP GRC system.

Note: This parameter is applicable only to the SAP AC UME connector.

grcUsername Yes This parameter holds the user name for accessing the SAP GRC system.

Note: This parameter is applicable only to the SAP AC UME connector.
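
The following added example (not part of Oracle's documentation or connector code) lints a Basic Configuration using the parameter names, mandatory flags and URL formats from Table 3-1. The dictionary layout, the sample values, the SSL port and the severity labels are assumptions made for the illustration, as is the premise that logged SPML requests can carry sensitive account data.

```python
"""Lint an SAP UME connector Basic Configuration (parameter names from Table 3-1)."""
from datetime import datetime
from urllib.parse import urlsplit

# Parameters marked "Yes" in the Mandatory? column of Table 3-1.
MANDATORY = ("changePwdFlag", "dummyPassword", "enableDate",
             "logonNameInitialSubstring", "pwdHandlingSupport",
             "umePassword", "umeUrl", "umeUserId")
YES_NO = ("changePwdFlag", "logSPMLRequst", "pwdHandlingSupport")
SPML_PATH = "/spml/spmlservice"


def _flag(cfg, name):
    """Return the value stripped and lower-cased ('' when absent)."""
    return str(cfg.get(name, "")).strip().lower()


def _check_enable_date(value):
    if not value:
        return []  # an empty value is already reported as missing
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return [("error", "enableDate", "not a valid YYYY-MM-DD date")]
    return []


def _check_ume_url(value):
    if not value:
        return []
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError when the port is not a number
    except ValueError:
        return [("error", "umeUrl", "URL cannot be parsed")]
    found = []
    if parts.scheme not in ("http", "https") or not parts.hostname or port is None:
        found.append(("error", "umeUrl",
                      "expected http(s)://HOSTNAME:PORT" + SPML_PATH))
    if parts.path != SPML_PATH:
        found.append(("error", "umeUrl", "path is not " + SPML_PATH))
    if parts.scheme == "http":
        found.append(("warning", "umeUrl",
                      "SSL is not used between Oracle Identity Governance "
                      "and the target system"))
    return found


def lint_basic_config(cfg):
    """Return a list of (severity, parameter, message) findings."""
    findings = [("error", name, "mandatory parameter is missing or empty")
                for name in MANDATORY if not str(cfg.get(name, "")).strip()]
    findings += [("error", name, "expected yes or no")
                 for name in YES_NO if _flag(cfg, name) not in ("", "yes", "no")]
    findings += _check_enable_date(str(cfg.get("enableDate", "")).strip())
    findings += _check_ume_url(str(cfg.get("umeUrl", "")).strip())
    if _flag(cfg, "logSPMLRequst") == "yes":
        # Assumption: logged SPML requests may contain sensitive account data.
        findings.append(("warning", "logSPMLRequst",
                         "SPML requests are written to the log file; "
                         "restrict access to that log"))
    if _flag(cfg, "pwdHandlingSupport") == "no":
        findings.append(("info", "pwdHandlingSupport",
                         "passwords are not maintained from SAP UME"))
    return findings


# Constructed sample values; credentials are placeholders.
SAMPLE_WEAK = {
    "changePwdFlag": "no",
    "dummyPassword": "<dummy-password-placeholder>",
    "enableDate": "2500\u201312\u201331",  # en dashes pasted from a document
    "logSPMLRequst": "yes",
    "logonNameInitialSubstring": "abcdefghijklmnopqrstuvwxyz1234567890",
    "pwdHandlingSupport": "no",
    "umePassword": "<service-account-password-placeholder>",
    "umeUrl": "http://myhost:50000/spml/spmlservice",
    "umeUserId": "<service-account-placeholder>",
}
# Same configuration with the findings resolved (SSL port 50001 is constructed).
SAMPLE_HARDENED = dict(SAMPLE_WEAK, enableDate="2500-12-31", logSPMLRequst="no",
                       pwdHandlingSupport="yes",
                       umeUrl="https://myhost:50001/spml/spmlservice")

if __name__ == "__main__":
    for severity, param, message in lint_basic_config(SAMPLE_WEAK):
        print(f"{severity:8} {param:20} {message}")
```
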

3.2 Advanced Setting Parameters

These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.

Table 3-3 Advanced Setting Parameters for the SAP UME Connector with SoD

Parameter Mandatory? Description
Bundle Name No This parameter holds the name of the connector bundle package.

Default Value: org.identityconnectors.sapume

Bundle Version No This parameter holds the version of the connector bundle class. Do not modify this parameter.

Default Value: 12.3.0

Connector Name No This parameter holds the name of the connector class. Do not modify this parameter.

Default Value: org.identityconnectors.sapume.SAPUMEConnector

ConnectorImplType No Enter the value SAPUME to enable SOD for SAP UME roles.

Group attribute name No This parameter holds the name of the role duty type used in SIL.

Default Value: GROUPNAME

Group form names Yes This value is used to get the group child form names in SIL Layer. Do not modify this value.

Default Value: UD_UME_GROUP

Role attribute name No Name of the role duty type used in SIL.

Default Value: ROLENAME

Role form names Yes This value is used to get the role child form names from the SIL Layer. Do not modify this value.

Default Value: UD_UME_ROLE

RoleAttributeLabel No Label name of the role ID field in the child form.

Default Value: Role

entitlementRiskAnalysisAccessURL No This parameter holds the WSDL URL for the Entitlement Risk Analysis web service.

Default Value: None

Note: This parameter is applicable only to the SAP UME with SoD.

wsdlFilePath No Enter the absolute path of the directory containing the following file:

GRAC_RISK_ANALYSIS_WOUT_NO_WS.WS D

entitlementRiskAnalysisWS Yes Web service client class to perform risk analysis without request number.

Default Value: oracle.iam.grc.sod.scomp.impl.grcsap.util.webservice.sap.ac10.RiskAnalysisWithoutNo

Note: This parameter is applicable only to the SAP UME with SoD.

SODSystemKey Yes Name of the RFC destination/Connector used for connecting GRC with portal.

Default Value: None

Note: This parameter is applicable only to the SAP UME with SoD.

Table 3-4 Advanced Setting Parameters for the SAP AC UME Connector

Parameter Mandatory? Description

appLookupAccessURL No WSDL URL for Application Lookup web service.

Default Value: None

appLookupWS No Web service client class to get all applications configured in SAP GRC.

Default Value: oracle.iam.ws.sap.ac10.SelectApplication

assignRoleReqType No This entry holds the name of the request type that is used for assign role request in SAP GRC. The format of the decode value is as follows:

Default Value: 002~Change Account~002~006

auditLogsAccessURL No WSDL URL for Audit Logs web service.

Default Value: None

auditLogsWS No Web service client class to get audit logs.

Default Value: oracle.iam.ws.sap.ac10.AuditLogs

Bundle Name No Name of the connector bundle package.

Default Value: org.identityconnectors.sapacume

Bundle Version No This parameter holds the version of the connector bundle class. Do not modify this parameter.

Default Value: 12.3.0

Connector Name No This parameter holds the name of the connector class. Do not modify this parameter.

Default Value: org.identityconnectors.sapacume.SAPACUMEConnector

ConnectorImplType No Enter the value SAPUME to enable SAP UME roles in SOD.

Default Value: SAPUME

createUserReqType No Name of the request type that the connector must use for the create user request in SAP GRC.

Default Value: 001~New Account~001

deleteUserReqType No Name of the request type that the connector must use for the delete user request in SAP GRC.

Default Value: 003~Delete Account~003

ignoreOpenStatus No Specify whether the connector must send the new request for a particular user even if the last request for the user is in the Open status.

Default Value: No

lockUserReqType No This parameter holds the name of the request type to use to lock user request in SAP GRC.

Default Value: 004~Lock Account~004

logAuditTrial No Specify whether the connector must log complete audit trails whenever status request web service is invoked.

Default Value: No

modifyUserReqType No This parameter holds the name of the request type to use for modify user request in SAP GRC.

Default Value: 002~Change Account~002

otherLookupAccessURL No URL for other lookup web service areas such as Business Process, Functional Area.

Default Value: none

otherLookupWS No Web service client class to get other lookup field details such as Business Process, Functional Area, and so on.

Default Value: oracle.iam.ws.sap.ac10.SearchLookup

provActionAttrName No Name of the attribute in the target system that contains the details required for performing provisioning operations to a specific backend system.

Default Value: provAction;ReqLineItem

provItemActionAttrName No Name of the attribute in the target system that contains the details required for performing provisioning roles.

Default Value: provItemAction;ReqLineItem

removeRoleReqType No Name of the request type to use for remove user request in SAP GRC.

Default Value: 002~Change Account~002~009

requestStatusAccessURL No WSDL URL for Status Request web service.

Default Value: None

requestStatusValue No The value that gets updated in the AC Request Status field on the process form.

Default Value: OK

requestStatusWS No Web service client class to get status of provisioning request.

Default Value: oracle.iam.ws.sap.ac10.RequestStatus

requestTypeAttrName No Name of the request type parameter used to differentiate request flows from the SAPUMCREATE adapter.

Default Value: Reqtype;Header

riskLevel No In SAP GRC, each business risk is assigned a criticality level. You can control the risk analysis data returned by SAP GRC by specifying a risk level.

Default Value: High

Role form names No This value is used to get the role child form names in SIL Layer. Do not modify this value.

Default Value: UD_UME_ROLE

roleLookupAccessURL No WSDL URL for Role Lookup web services.

Default Value: None

roleLookupWS No Web service client class to get all roles.

Default Value: oracle.iam.ws.sap.ac10.SearchRoles

unlockUserReqType No Name of the request type to use for unlock user request in SAP GRC.

Default Value: 005~unlock user~005

userAccessAccessURL No WSDL URL for User Access web service.

Default Value: None

userAccessWS No Web service client class to get status of user access.

Default Value: oracle.iam.ws.sap.ac10.UserAccess

wsdlFilePath No File path where the WSDL files are available on the local machine.

Default Value: None

Note: If you are using a Connector Server, copy the WSDL file to the system running the Connector Server. The WSDL files must then be available on the local machine that is running the Connector Server.

3.3 Attribute Mappings

The attribute mappings on the Schema page vary depending on whether you are using the SAP UME or SAP AC UME connector.

3.3.1 Attribute Mappings for the SAP UME Connector

The Schema page for an SAP UME target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

SAP UME User Account Attributes

Table 3-5 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UME attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-5 Default Attribute Mappings for the SAP UME User Account

Display Name Target Attribute Data Type Mandatory Provisioning Property? Provision Field? Recon Field? Key Field? Case Insensitive?

Logon Name _NAME_ String Yes Yes Yes Yes Yes
Password _PASSWORD_ String No Yes No No No
First Name firstname String No Yes Yes No No
Last Name lastname String Yes Yes Yes No No
E Mail Address email String No Yes Yes No No
Fax fax String No Yes Yes No No
Mobile mobile String No Yes Yes No No
Telephone telephone String No Yes Yes No No
Department department String No Yes Yes No No
Name displayname String No Yes Yes No No
Title title String No Yes Yes No No
Form of Address salutation String No Yes Yes No No
Position jobtitle String No Yes Yes No No
Start Date of Account Validity (date) validfrom String No Yes Yes No No
End Date of Account Validity (date) validto String No Yes Yes No No
Street streetaddress String No Yes Yes No No
Language locale String No Yes Yes No No
Timezone timezone String No Yes Yes No No
State state String No Yes Yes No No
City city String No Yes Yes No No
Zip zip String No Yes Yes No No
User Account Locked islocked String No Yes Yes No No
Security Policy securitypolicy String No Yes Yes No No
Unique ID _UID_ String No Yes Yes No No
Country country String No Yes Yes No No
SoDCheckStatus   String No Yes Yes No No
SoDCheckResult   String No Yes Yes No No
SoDCheckEntitlement   String No Yes Yes No No
SoDCheckTimestamp   String No Yes Yes No No
Status _Enable_ String No Yes Yes No No

Figure 3-1 shows the default User account attribute mappings.

Figure 3-1 Default Attribute Mappings for the SAP UME User Account


Group Entitlement Attributes

Table 3-6 lists the group-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UME attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-6 Default Attribute Mappings for Group Entitlement

Display Name Target Attribute Data Type Mandatory Provisioning Property? Recon Field? Key Field? Case Insensitive?

Datasource Datasource String No No No No
Group assignedgroups String Yes Yes Yes No

Figure 3-2 shows the group entitlement mappings.

Figure 3-2 Default Attribute Mappings for Group Entitlement


Role Entitlement Attributes

Table 3-7 lists the role-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UME attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-7 Default Attribute Mappings for a Role Entitlement

Display Name Target Attribute Data Type Mandatory Provisioning Property? Recon Field? Key Field? Case Insensitive?

Datasource Datasource String No No No No
role assignedroles String Yes Yes Yes No

Figure 3-3 shows the default role entitlement mapping.

Figure 3-3 Default Attribute Mappings for a Role Entitlement


3.3.2 Attribute Mapping for the SAP AC UME Connector

The Schema page for an SAP AC UME target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

SAP AC UME User Account Attributes

Table 3-8 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UME attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-8 Default Attribute Mappings for the SAP AC UME User Account

Display Name Target Attribute Data Type Mandatory Provisioning Property? Provision Field? Recon Field? Key Field? Case Insensitive?
logon Name UserId;UserInfo String Yes Yes Yes Yes Yes
Password _PASSWORD_ String No No No No No
First Name fname;UserInfo String No No Yes No No
Last Name Iname;UserInfo String No No Yes No No
E Mail Address email;Userinfo String No No Yes No No
Fax fax;UserInfo String No No Yes No No
Mobile personnelno;UserInfo String No No Yes No No
Telephone telnumber;UserInfo String No No Yes No No
Department department;UserInfo String No No Yes No No
Name displayname String No No Yes No No
Form of Address personnelarea;UserInfo String No No Yes No No
Position empposition;UserInfo String No No Yes No No
Start Date of Account Validity (date) validFrom;UserInfo Date No No Yes No No
End Date of Account Validity (date) validTo;UserInfo Date No No Yes No No
Street streetaddress String No No Yes No No
Language logonLang;Userinfo String No No Yes No No
Time Zone timezone String No No Yes No No
State state String No No Yes No No
City city String No No Yes No No
Zip zip String No No Yes No No
User Account Locked userLocak;None String No No Yes No No
Security Policy securitypolicy String No No Yes No No
Unique ID _UID_ String No No Yes No No
Country country String No No Yes No No
AC Request Id RequestId String No No Yes No No
AC Request Status RequestStatus String No No Yes No No
AC Request Type RequestType String No No Yes No No
AC Manager manager;UserInfo String No No No No No
AC Manager email manager;UserInfo String No No No No No
AC Manager First Name managerFirstname;Userinfo String No No No No No
AC Manager Last Name managerLastname;Userinfo String No No No No No
AC Priority priority;Header String No No No No No
AC Request Reason requestreason;Header String No No No No No
AC Request Due Date (Date) reqDueDate;Header Date No No No No No
AC System reqInitSystem;Header String No No No No No
AC Functional Area (Lookup) funcarea;Header String No No No No No
AC Business Process (Lookup) bproc;Header String No No No No No
AC Requestor ID requestorId:Header String No No No No No
AC Requestor email email;Header String No No No No No
Status _ENABLE_ String No No Yes No No

Figure 3-4 shows the default User account attribute mappings.

Figure 3-4 Default Attribute Mappings for an SAP AC UME Account


Group Entitlement Attributes

Table 3-9 lists the group-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UME attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-9 Default Attribute Mappings for a Group Entitlement

Display Name Target Attribute Data Type Mandatory Provisioning Property? Recon Field? Key Field? Case Insensitive?

Datasource   String No No No No
Group umegroup;itemnameReqLineItem String Yes Yes Yes No

Figure 3-5 shows the default group entitlement mapping.

Figure 3-5 Default Attribute Mapping for a Group Entitlement


Role Entitlement Attributes

Table 3-10 lists the role-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UME attributes. The table lists whether a given role is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-10 Default Attribute Mappings for a Role Entitlement

Display Name Target Attribute Data Type Mandatory Provisioning Property? Recon Field? Key Field? Case Insensitive?
Datasource   String No No No No
role umerole;itemnameReqLineItem String Yes Yes Yes No

Figure 3-6 shows the default role entitlement mapping.

Figure 3-6 Default Attribute Mappings for a Role Entitlement


3.4 Correlation Rules

Learn about the predefined rules, responses and situations for target and authoritative applications. The connector uses these rules and responses for performing reconciliation.

3.4.1 Rules, Situations, and Responses for the SAP UME Connector

The connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.

Predefined Identity Correlation Rules

By default, the SAP UME connector provides a simple correlation rule when you create a Target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-11 lists the default simple correlation rule for the SAP UME connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-11 Predefined Identity Correlation Rule for the SAP UME Connector

Target Attribute Element Operator Identity Attribute Case Sensitive?

__NAME__ Equals User Login No

In this identity rule:
  • __NAME__ is a single-valued attribute on the target system that identifies the user account.

  • User Login is the field on the OIG User form.

Figure 3-7 shows the simple correlation rule for the SAP UME Connector.

Figure 3-7 Simple Correlation Rule for the SAP UME Connector


Predefined Situations and Responses

The SAP UME connector provides a default set of situations and responses when you create a Target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-12 lists the default situations and responses for the SAP UME connector. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-12 Predefined Situations and Responses for the SAP UME Connector

Situation Response

One Entity Match Found Establish Link
One Process Match Found Establish Link

Figure 3-8 shows the situations and responses that the connector provides by default.

Figure 3-8 Predefined Situations and Responses for the SAP UME Connector


3.4.2 Rules, Situations, and Responses for the SAP AC UME Connector

The connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.

Predefined Identity Correlation Rules

By default, the SAP AC UME connector provides a simple correlation rule when you create a Target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-13 lists the default simple correlation rule for the SAP AC UME connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-13 Predefined Identity Correlation Rule for the SAP AC UME Connector

Target Attribute Element Operator Identity Attribute Case Sensitive?

userId;UserInfo Equals User Login No

In this identity rule:
  • userId;UserInfo is a single-valued attribute on the target system that identifies the user ID of the user account.

  • User Login is the field on the OIG User form.

Figure 3-9 shows the simple correlation rule for the SAP AC UME Connector.

Figure 3-9 Simple Correlation Rule for the SAP AC UME Connector


Predefined Situations and Responses

The SAP AC UME connector provides a default set of situations and responses when you create a Target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-14 lists the default situations and responses for the SAP AC UME connector. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-14 Predefined Situations and Responses for the SAP AC UME Connector

Situation Response

One Entity Match Found Establish Link
One Process Match Found Establish Link

Figure 3-10 shows the situations and responses that the connector provides by default.

Figure 3-10 Predefined Situations and Responses for the SAP AC UME Connector

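
The default rules in Tables 3-11 and 3-13 and the responses in Tables 3-12 and 3-14, as an added example that is not Oracle's reconciliation engine: it applies the case-insensitive Equals rule to constructed accounts and identities and lists the accounts for which no predefined response exists. The record layout, the labels for the zero-match and multiple-match outcomes, and the reading of One Entity Match Found as exactly one matching identity are assumptions; process matches are not modelled.

```python
"""Apply the predefined correlation rules and responses to sample data."""
from collections import defaultdict

# One rule per connector, from Tables 3-11 and 3-13 (operator is Equals in both).
RULES = {
    "SAP UME": {"target": "__NAME__", "identity": "User Login",
                "case_sensitive": False},
    "SAP AC UME": {"target": "userId;UserInfo", "identity": "User Login",
                   "case_sensitive": False},
}
# Responses the connector predefines (Tables 3-12 and 3-14).
RESPONSES = {"One Entity Match Found": "Establish Link",
             "One Process Match Found": "Establish Link"}


def reconcile(connector, accounts, users):
    """Correlate target accounts with identities; return one event per account."""
    rule = RULES[connector]
    fold = (lambda s: s) if rule["case_sensitive"] else str.casefold
    by_login = defaultdict(list)
    for user in users:
        login = user[rule["identity"]]
        by_login[fold(login)].append(login)
    events = []
    for account in accounts:
        name = account[rule["target"]]
        matches = by_login.get(fold(name), [])
        if len(matches) == 1:
            situation = "One Entity Match Found"
        elif matches:
            situation = "multiple identities matched"  # hypothetical label
        else:
            situation = "no identity matched"          # hypothetical label
        events.append({"account": name, "situation": situation,
                       "response": RESPONSES.get(situation),
                       "matches": sorted(matches)})
    return events


def needs_review(events):
    """Accounts left unlinked because no predefined response applies."""
    return sorted(e["account"] for e in events if e["response"] is None)


# Constructed sample data: two identities differ only by case, and one
# target account has no identity at all.
SAMPLE_USERS = [{"User Login": "jdoe"}, {"User Login": "asmith"},
                {"User Login": "ASMITH"}]
SAMPLE_ACCOUNTS = [{"__NAME__": "JDoe"}, {"__NAME__": "asmith"},
                   {"__NAME__": "SEPT12USER1"}]

if __name__ == "__main__":
    for event in reconcile("SAP UME", SAMPLE_ACCOUNTS, SAMPLE_USERS):
        print(event)
    print("review:", needs_review(reconcile("SAP UME", SAMPLE_ACCOUNTS, SAMPLE_USERS)))
```

Accounts returned by needs_review stay unlinked under the default configuration and are candidates for an orphan-account or duplicate-identity check.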

3.5 Reconciliation Jobs

These are the reconciliation jobs that the connector creates after you create your application.

3.5.1 Reconciliation Jobs for the SAP UME Connector

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application for your target system.

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Note:

All of the jobs are prefixed with an application name when you create an application. For example, SAPUMEAPP SAP UME Group Lookup Reconciliation, where SAPUMEAPP is the application name.

Full User Reconciliation Job

The SAP UME Target User Reconciliation job is used to fetch all user records from the target system.

Table 3-15 Parameters of the SAP UME Target User Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Sample value: SAPUMEAPP

Filter

Enter the expression for filtering records that the scheduled job must reconcile.

Sample value: equalTo('__UID__','SEPT12USER1')

Default value: None

For information about the filter expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

Object Type

Enter the type of object you want to reconcile.

Default value: User

User Delete Reconciliation Job

The SAP UME Target User Delete Reconciliation job is used to reconcile data about deleted user accounts from a target application.

Table 3-16 Parameters of the SAP UME Target User Delete Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Sample value: SAPUMEAPP

Object Type

Enter the type of object you want to reconcile.

Sample Value: User

Reconciliation Jobs for Entitlements

The following jobs are available for reconciling entitlements:

  • SAP UME Group Lookup Reconciliation: This reconciliation job is used to synchronize group lookup fields in Oracle Identity Governance with group-related data in the target system.

  • SAP UME Role Lookup Reconciliation: This reconciliation job is used to synchronize role lookup fields in Oracle Identity Governance with role-related data in the target system.

The parameters for both the reconciliation jobs are the same.

Table 3-17 Parameters of the Reconciliation Jobs for Entitlements of the SAP UME Connector

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Default value: SAPUMEAPP

Lookup Name

This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched.

Depending on the reconciliation job you are using, the default values are as follows:

  • For SAPUMEAPP SAP UME Group Lookup Reconciliation: Lookup.SAPUME.UM.Group

  • For SAPUMEAPP SAP UME Role Lookup Reconciliation: Lookup.SAPUME.UM.Role

Object Type

Enter the type of object whose values must be synchronized.

Depending on the scheduled job you are using, the default values are as follows:

  • For SAPUMEAPP SAP UME Group Lookup Reconciliation: GROUP

  • For SAPUMEAPP SAP UME Role Lookup Reconciliation: Role

Code Key Attribute

Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Depending on the scheduled job you are using, the default value of Code Key Attribute is as follows:

  • For SAPUMEAPP SAP UME Group Lookup Reconciliation: id

  • For SAPUMEAPP SAP UME Role Lookup Reconciliation: id

Decode Attribute

Enter the name of the connector or target system attribute that is used to populate the Decode Attribute column of the lookup definition (specified as the value of the Lookup Name attribute).

Depending on the scheduled job you are using, the default value of Decode Attribute is as follows:

  • For SAPUMEAPP SAP UME Group Lookup Reconciliation: description

  • For SAPUMEAPP SAP UME Role Lookup Reconciliation: description
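
The following added example (not Oracle's code) audits a set of SAP UME reconciliation jobs against the defaults in Tables 3-15 to 3-17 and flags a Filter left on the full user reconciliation job, which would limit the run to the matching records. The function name `audit_jobs`, the dictionary export format, and the sample data are assumptions made for illustration.

```python
# Documented defaults for the SAP UME connector jobs (Tables 3-15 to 3-17).
DEFAULTS = {
    "SAP UME Target User Reconciliation": {"Object Type": "User"},
    "SAP UME Target User Delete Reconciliation": {"Object Type": "User"},
    "SAP UME Group Lookup Reconciliation": {
        "Lookup Name": "Lookup.SAPUME.UM.Group", "Object Type": "GROUP",
        "Code Key Attribute": "id", "Decode Attribute": "description"},
    "SAP UME Role Lookup Reconciliation": {
        "Lookup Name": "Lookup.SAPUME.UM.Role", "Object Type": "Role",
        "Code Key Attribute": "id", "Decode Attribute": "description"},
}
FULL_RECON = "SAP UME Target User Reconciliation"

def audit_jobs(app_name, jobs):
    """Compare exported jobs ({job name: {parameter: value}}, an assumed
    format) with the documented defaults; return a sorted list of findings."""
    findings = []
    for base, defaults in DEFAULTS.items():
        name = f"{app_name} {base}"  # every job is prefixed with the application name
        params = jobs.get(name)
        if params is None:
            findings.append(f"MISSING {name}")
            continue
        if params.get("Application Name") != app_name:
            findings.append(f"APPNAME {name}: {params.get('Application Name')!r}")
        for key, want in defaults.items():
            if params.get(key) != want:
                findings.append(f"DRIFT {name}: {key}={params.get(key)!r} (default {want!r})")
        # A leftover Filter narrows a "full" run to the matching records only.
        flt = (params.get("Filter") or "").strip()
        if base == FULL_RECON and flt and flt.lower() != "none":
            findings.append(f"FILTER {name}: {flt}")
    return sorted(findings)

# Constructed sample export, not taken from a real system.
SAMPLE = {
    "SAPUMEAPP SAP UME Target User Reconciliation": {
        "Application Name": "SAPUMEAPP", "Object Type": "User",
        "Filter": "equalTo('__UID__','SEPT12USER1')"},
    "SAPUMEAPP SAP UME Target User Delete Reconciliation": {
        "Application Name": "SAPUMEAPP", "Object Type": "User"},
    "SAPUMEAPP SAP UME Group Lookup Reconciliation": {
        "Application Name": "SAPUMEAPP", "Lookup Name": "Lookup.SAPUME.UM.Group",
        "Object Type": "GROUP", "Code Key Attribute": "id",
        "Decode Attribute": "id"},
}

if __name__ == "__main__":
    for line in audit_jobs("SAPUMEAPP", SAMPLE):
        print(line)
```

A DRIFT finding only reports a difference from the documented default; an intentional customization should be recorded as an accepted exception rather than reverted blindly.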

3.5.2 Reconciliation Jobs for the SAP AC UME Connector

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application for the SAP AC UME target system.

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Note:

All of the jobs are prefixed with the application name when you create an application. For example, SAPACUMEAPP SAP AC UME BusinessProcess Lookup Reconciliation, where SAPACUMEAPP is the application name.

Full User Reconciliation Job

The SAP AC UME Target User Reconciliation job is used to fetch all user records from the target system.

Table 3-18 Parameters of the SAP AC UME Target User Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Sample value: SAPACUMEAPP

Filter

Enter the expression for filtering records that the scheduled job must reconcile.

For information about the filter expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

Object Type

Type of object you want to reconcile.

Default value: User

User Delete Reconciliation Job

The SAP AC UME Target User Delete Reconciliation job is used to reconcile data about deleted user accounts from a target application.

Table 3-19 Parameters of the SAP AC UME Target User Delete Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Sample value: SAPACUMEAPP

Object Type

Type of object you want to reconcile.

Default value: User

SAP AC UME User Delete Recon

You can use the SAP AC UME Target User Delete Reconciliation scheduled job to reconcile data about deleted users from the target system. During a reconciliation run, for each deleted user account on the target system, the SAP AC UME resource is revoked for the corresponding OIG User.

Default value: Application Name

SAP AC UME Request Status Job

The SAP AC UME Request Status Reconciliation job is used to reconcile request status from the SAP BusinessObjects AC target system.

Table 3-20 Parameters of the SAP AC UME Request Status Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Object Type

Type of object you want to reconcile.

Default value: Status

Custom Lookup Name

Name of the lookup definition.

Default value: Lookup.SAPACUME.Status.ReconAttrMap

Resource Object Name

Name of the resource object against which reconciliation runs must be performed.

Default value: SAP AC UME Resource Object

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile data.

Default value: SAP AC UME IT Resource

Scheduled Task Name

Name of the scheduled task.

Default value: SAP AC UME Request Status

Note:

To run the SAP AC UME Request Status reconciliation job, you must update the Application Name and IT Resource Name parameters based on the name created while configuring the connector. For example, if the name of the connector is SAPACUME, then update the Application Name to SAPACUME and the IT Resource Name to SAPACUME.

Reconciliation Jobs for Entitlements

The following jobs are available for lookup field synchronization. You can configure these scheduled jobs for lookup field synchronization and reconciliation:

  • SAP AC UME BusinessProcess Lookup Reconciliation

  • SAP AC UME FunctionalArea Lookup Reconciliation

  • SAP AC UME Group Lookup Reconciliation

  • SAP AC UME ItemProvAction Lookup Reconciliation

  • SAP AC UME Priority Lookup Reconciliation

  • SAP AC UME ReqInitSystem Lookup Reconciliation

  • SAP AC UME Request Type Lookup Reconciliation

  • SAP AC UME Role Lookup Reconciliation

The parameters for all the reconciliation jobs are the same.

Table 3-21 Parameters of the Reconciliation Jobs for Entitlements of the SAP AC UME Connector

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Sample Value: SAPACUMEAPP

Code Key Attribute

Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Depending on the scheduled job you are using, the default values are as follows:

  • For SAP AC UME BusinessProcess Lookup Reconciliation: LCODE

  • For SAP AC UME FunctionalArea Lookup Reconciliation: LCODE

  • For SAP AC UME Group Lookup Reconciliation: uniquename

  • For SAP AC UME ItemProvAction Lookup Reconciliation: LCODE

  • For SAP AC UME Priority Lookup Reconciliation: LCODE

  • For SAP AC UME ReqInitSystem Lookup Reconciliation: REQSYSCODE

  • For SAP AC UME Request Type Lookup Reconciliation: LCODE

  • For SAP AC UME Role Lookup Reconciliation: uniquename

Decode Attribute

Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Depending on the scheduled job you are using, the default values are as follows:

  • For SAP AC UME BusinessProcess Lookup Reconciliation: LDECODE

  • For SAP AC UME FunctionalArea Lookup Reconciliation: LDECODE

  • For SAP AC UME Group Lookup Reconciliation: description

  • For SAP AC UME ItemProvAction Lookup Reconciliation: LDECODE

  • For SAP AC UME Priority Lookup Reconciliation: LDECODE

  • For SAP AC UME ReqInitSystem Lookup Reconciliation: REQSYSDECODE

  • For SAP AC UME Request Type Lookup Reconciliation: LDECODE

  • For SAP AC UME Role Lookup Reconciliation: description

Lookup Name

This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched.

Depending on the reconciliation job you are using, the default values are as follows:

  • For SAP AC UME BusinessProcess Lookup Reconciliation: Lookup.SAPACUME.Bproc

  • For SAP AC UME FunctionalArea Lookup Reconciliation: Lookup.SAPACUME.Funcarea

  • For SAP AC UME Group Lookup Reconciliation: Lookup.SAPACUME.Group

  • For SAP AC UME ItemProvAction Lookup Reconciliation: Lookup.SAPAC10UME.ItemProvAction

  • For SAP AC UME Priority Lookup Reconciliation: Lookup.SAPACUME.Priority

  • For SAP AC UME ReqInitSystem Lookup Reconciliation: Lookup.SAPACUME.ReqInitSystem

  • For SAP AC UME Request Type Lookup Reconciliation: Lookup.SAPAC10UME.RequestType

  • For SAP AC UME Role Lookup Reconciliation: Lookup.SAPACUME.Role

Object Class

Enter the class of object whose values must be synchronized.

Depending on the scheduled job you are using, the default values are as follows:

  • For SAP AC UME BusinessProcess Lookup Reconciliation: BusProc

  • For SAP AC UME FunctionalArea Lookup Reconciliation: FunctionArea

  • For SAP AC UME Group Lookup Reconciliation: _GROUP_

  • For SAP AC UME ItemProvAction Lookup Reconciliation: ItemProvActionType

  • For SAP AC UME Priority Lookup Reconciliation: PriorityType

  • For SAP AC UME ReqInitSystem Lookup Reconciliation: SYSTEM

  • For SAP AC UME Request Type Lookup Reconciliation: RequestType

  • For SAP AC UME Role Lookup Reconciliation: _ROLE_

Object Type

Enter the type of object whose values must be synchronized.

Depending on the scheduled job you are using, the default values are as follows:

  • For SAP AC UME BusinessProcess Lookup Reconciliation: BusProc

  • For SAP AC UME FunctionalArea Lookup Reconciliation: FunctionArea

  • For SAP AC UME Group Lookup Reconciliation: Group

  • For SAP AC UME ItemProvAction Lookup Reconciliation: ItemProvActionType

  • For SAP AC UME Priority Lookup Reconciliation: Priority Type

  • For SAP AC UME ReqInitSystem Lookup Reconciliation: SYSTEM

  • For SAP AC UME Request Type Lookup Reconciliation: RequestType

  • For SAP AC UME Role Lookup Reconciliation: Role