4 Performing Postconfiguration Tasks for the SAP User Management Engine Connector

These are the tasks that you can perform after creating an application in Oracle Identity Governance.

• Configuring Oracle Identity Governance

• Harvesting Entitlements and Sync Catalog

• Configuring Password Changes for Newly Created Accounts

• Managing Logging

• Configuring SSL to Secure Communication Between the Target System and Oracle Identity Governance

• Configuring the IT Resource for the Connector Server

• Configuring the Access Request Management Feature of the Connector

• Configuring SoD (Segregation of Duties)

• Downloading WSDL files from SAP GRC

• Localizing Field Labels in UI Forms

• Synchronizing the SAPUME Process Form and SAP AC UME Process Form with Target System Field Lengths

4.1 Configuring Oracle Identity Governance

During application creation, if you did not choose to create a default form, then you must create a UI form for the application that you created by using the connector.

Note:

Perform the procedures described in this section only if you did not choose to create the default form during creating the application.

• Creating and Activating a Sandbox

• Creating a New UI Form

• Publishing a Sandbox

• Creating an Application Instance

• Updating an Existing Application Instance with a New Form

4.1.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.1.2 Creating a New UI Form

You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.

See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance.

While creating the UI form, ensure that you select the resource object corresponding to the newly created application that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.

4.1.3 Publishing a Sandbox

Before publishing a sandbox, perform this procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published.

1. In Identity System Administration, deactivate the sandbox.

2. Log out of Identity System Administration.

3. Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.

4. In the Catalog, ensure that the application instance form for your resource appears with correct fields.

5. Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.1.4 Creating an Application Instance

Create an application instance as follows

1. In the left pane of the Identity System Administration, under Configuration, click Application Instances. The Application Instances page appears.
2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page appears.
3. Specify values for the following fields:

   • Name: The name of the application instance.

   • Display Name: The display name of the application instance.

   • Description: A description of the application instance.

   • Resource Object: The resource object name. Click the search icon next to this field to search for and select SAP UME Resource Object.

   • IT Resource Instance: The IT resource instance name. Click the search icon next to this field to search for and select SAP UME.ITResource.

   • Form: Select the form name (Creating a New UI Form).

4. Click Save.
   The application instance is created.
5. Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See Managing Organizations Associated With Application Instances in Oracle Fusion Middleware Administering Oracle Identity Governance for detailed instructions.

4.1.5 Updating an Existing Application Instance with a New Form

For any changes that you do in the schema of your application in Identity Self Service, you must create a new UI form and update the changes in an application instance.

To update an existing application instance with a new form:

1. Create and activate a sandbox.

2. Create a new UI form for the resource.

3. Open the existing application instance.

4. In the Form field, select the new UI form that you created.

5. Save the application instance.

6. Publish the sandbox.

See Also:

• Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance

• Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance

• Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance

4.2 Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

1. Run the scheduled jobs for lookup field synchronization.
2. Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table.
3. Run the Catalog Synchronization Job scheduled job.

See Also:

• Reconciliation Jobs for a list of jobs for entitlements (lookup field synchronization)

• Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for information about the Entitlement List and Catalog Synchronization Job scheduled jobs

4.3 Configuring Password Changes for Newly Created Accounts

When you log in to SAP by using a newly created account, you are prompted to change your password at first logon. For accounts created through Oracle Identity Governance, password management can be configured by using the changePwdFlag and dummyPassword parameters of the Advanced Settings section.

You can apply one of the following approaches:

• Configure the connector so that users with newly created accounts are prompted to change their passwords at first logon.

  To achieve this, set the changePwdFlag parameter of Basic Configuration section to no. With this setting, the password entered on the process form for a new user account is used to set the password for the new account on the target system. When the user logs in to the target system, the user is prompted to change the password.

• Configure the connector so that the password set while creating the account on Oracle Identity Governance is set as the new password on the target system. The user is not prompted to change the password at first logon.

  To achieve this, set the changePwdFlag parameter to yes and enter a string in the dummyPassword parameter of the Basic Configuration section. With these settings, when you create a user account through Oracle Identity Governance, the user is first created with the dummy password. Immediately after that, the connector changes the password of the user to the one entered on the process form. When the user logs in to the target system, the user is not prompted to change the password.

  Note:

  Security policies of a few target systems allow a user to change the password only once per day. In such a scenario, the target system allows the user to only reset the password and not to change it. The password update task throws an error message, such as Could not update user NEW_PASSWORD_INVALID.

  If the password feature is disabled for users on the target system, then set the changePwdFlag parameter to no.

4.4 Managing Logging

Oracle Identity Governance uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.

The following topics provide detailed information about logging:

• Understanding Log Levels

• Enabling Logging

4.4.1 Understanding Log Levels

When you enable logging, Oracle Identity Governance automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.

ODL is the principle logging service used by Oracle Identity Governance and is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

• SEVERE.intValue()+100

  This level enables logging of information about fatal errors.

• SEVERE

  This level enables logging of information about errors that might allow Oracle Identity Governance to continue running.

• WARNING

  This level enables logging of information about potentially harmful situations.

• INFO

  This level enables logging of messages that highlight the progress of the application.

• CONFIG

  This level enables logging of information about fine-grained events that are useful for debugging.

• FINE, FINER, FINEST

  These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These message types are mapped to ODL message type and level combinations as shown in Table 4-1.

Table 4-1 Log Levels and ODL Message Type:Level Combinations

Java Level	ODL Message Type:Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Governance.

4.4.2 Enabling Logging

To enable logging in Oracle WebLogic Server:

1. Edit the logging.xml file as follows:

   1. Add the following blocks in the file:

      <log_handler name='sap-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
           <property name='path' value='[FILE_NAME]'/>
           <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>

      <logger name="ORG.IDENTITYCONNECTORS.SAPUME" level="[LOG_LEVEL]" useParentHandlers="false">
           <handler name="sap-handler"/>
           <handler name="console-handler"/>
         </logger>
      

      If you are using SAP GRC, then add the following block:

      <logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="[Log_LEVEL]" useParentHandlers="false">
           <handler name="sap-handler"/>
           <handler name="console-handler"/>
      </logger>
      

      If you are using Application Onboarding, then add the following block:

      <logger name='oracle.iam.application' level="[Log_LEVEL]" useParentHandlers='false'>
           <handler name='sap-handler'/>
           <handler name='console-handler'/>
      </logger>

   2. Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Understanding Log Levels lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:

      <log_handler name='sap-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
           <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
           <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>
      

      <logger name="ORG.IDENTITYCONNECTORS.SAPUME" level="NOTIFICATION:1" useParentHandlers="false">
           <handler name="sap-handler"/>
           <handler name="console-handler"/>
         </logger>
      

      If you are using SAP GRC, then add the following block:

      <logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="NOTIFICATION:1" useParentHandlers="false">
           <handler name="sap-handler"/>
           <handler name="console-handler"/>
      </logger>
      

      If you are using Application Onboarding, then add the following block:

      <logger name='oracle.iam.application' level="NOTIFICATION:1" useParentHandlers='false'>
           <handler name='sap-handler'/>
           <handler name='console-handler'/>
      </logger>
      </logger>

      With these sample values, when you use Oracle Identity Governance, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

2. Save and close the file.

3. Set the following environment variable to redirect the server logs to a file:

   For Microsoft Windows:

   set WLS_REDIRECT_LOG=FILENAME
   

   For UNIX:

   export WLS_REDIRECT_LOG=FILENAME
   

   Replace FILENAME with the location and name of the file to which you want to redirect the output.

4. Restart the application server.

4.5 Configuring SSL to Secure Communication Between the Target System and Oracle Identity Governance

You configure SSL to secure data communication between Oracle Identity Governance and the target system.

To configure SSL between the target system and Oracle Identity Governance:

1. Generate the certificate on the target system.

   See the target system documentation for detailed instructions.

2. To import the certificate on Oracle Identity Governance:

   1. Copy the target system certificate to the Oracle Identity Governance host computer.

   2. In a command window, change to the directory where you copy the certificate file and then enter a command similar to the following:

      keytool -import -alias ALIAS -file CER_FILE -keystore MY_CACERTS -storepass PASSWORD
      

      In this command:

      ALIAS is the alias for the certificate (for example, the server name).

      CER_FILE is the full path and name of the certificate (.cer) file.

      Table 4-2 shows the location of the certificate store of the supported application server.

      The following is a sample command:

      keytool -import -alias ibm1-cert140 -file C:\syaug24\Middleware\ibm1-cert.cer -keystore C:\syaug24\Middleware\jrockit_160_24_D1.1.2-4\jre\lib\security\cacerts -storepass changeit
      

      Table 4-2 Certificate Store Locations

      Application Server	Certificate Store Location
      Oracle WebLogic Server	If you are using Oracle jrockit_R27.3.1-jdk, then copy the certificate into the following directory: JROCKIT_HOME/jre/lib/security/cacerts If you are using the default Oracle WebLogic Server JDK, then copy the certificate into the following directory: WEBLOGIC_HOME/java/jre/lib/security/cacerts

   3. To confirm whether or not the certificate has been imported successfully, enter a command similar to the following:

      keytool -list -alias ALIAS -keystore MY_CACERTS -storepass PASSWORD
      

      For example:

      keytool -list -alias MyAlias -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit
      

4.6 Configuring the IT Resource for the Connector Server

If you have used the Connector Server, then you must configure values for the parameters of the Connector Server IT resource.

After you create the application for your target system, you must create an IT resource for the Connector Server as described in Creating IT Resources of Oracle Fusion Middleware Administering Oracle Identity Governance. While creating the IT resource, ensure to select Connector Server from the IT Resource Type list. In addition, specify values for the parameters of IT resource for the Connector Server listed in Table 4-3. For more information about searching for IT resources and updating its parameters, see Managing IT Resources in Oracle Fusion Middleware Administering Oracle Identity Governance.

Table 4-3 Parameters of the IT Resource for the Connector Server

Parameter	Description
Host	Enter the host name or IP address of the computer hosting the connector server. Sample value: RManager
Key	Enter the key for the Java connector server.
Port	Enter the number of the port at which the connector server is listening. Default value: 8759
Timeout	Enter an integer value which specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Governance times out. Sample value: 300
UseSSL	Enter true to specify that you will configure SSL between Oracle Identity Governance and the Connector Server. Otherwise, enter false. Default value: false Note: If you configure the connector to communicate with the Connector Server using SSL, including setting the connectorserver.usessl property to true and importing the target system certificate into the Connector Server JDK keystore, an attempt to access the target system or run the Connector Server returns an error.

4.7 Configuring the Access Request Management Feature of the Connector

You can configure Oracle Identity Governance as the medium for sending provisioning requests to SAP GRC Access Request Management. A request from Oracle Identity Governance is sent to Access Request Management, which forwards the provisioning data contained within the request to the target system (SAP NetWeaver Java Application Server). The outcome is the creation of or modification to the user's account on the target system.

Note:

Before you configure the Access Request Management feature, it is recommended that you read the guidelines described in Guidelines on Using an Application Configuration.

You must create and configure request types and workflows on SAP GRC Access Request Management for provisioning operations.

1. Create a request type in SAP GRC Access Request Management.

   A request type In SAP GRC Access Request Management defines the action that is performed when a request is processed. Oracle Identity Governance is a requester. It works with request types defined in SAP GRC Access Request Management. The application advanced configuration maps request types to provisioning operations submitted through Oracle Identity Governance.

2. Create an access request workflow using the MSMP (Multi Step Multi process) Workflow engine.

4.8 Configuring SoD (Segregation of Duties)

SoD is a process that ensures that an individual is given access to only one module of a business process and will not be able to access other modules to reduce risk of fraud and error.

This section discusses the following procedures:

• Specifying Values for the GRC UME-ITRes IT Resource

• Configuring SAP GRC to Act As the SoD Engine

• Specifying a Value for the TopologyName Basic Configuration Parameter

• Disabling and Enabling SoD

Note:

The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the UD_SAPUME and UD_UME_ROLE process forms. During SoD validation of an entitlement request, data first moves from a dummy object form to a dummy process form. From there, data is sent to the SoD engine for validation. If the request clears the SoD validation, then data is moved from the dummy process form to the actual process form. Because the data is moved to the actual process forms through APIs, the ALL USERS group must have INSERT, UPDATE, and DELETE permissions on the three process forms.

4.8.1 Specifying Values for the GRC UME-ITRes IT Resource

The GRC UME-ITRes IT resource holds information that is used during communication with SAP GRC Access Request Management. To set values for the parameters of this IT resource:

1. For Oracle Identity Governance 12.2.1.3.0, log in to Oracle Identity System Administration.

2. In the left pane under Configuration, click IT Resource.

3. In the IT Resource Name field on the Manage IT Resource page, enter GRC UME-ITRes and then click Search.

4. Click the edit icon for the IT resource.

5. From the list at the top of the page, select Details and Parameters.

6. Specify values for the parameters of the IT resource.

   Table 4-4 lists the parameters of the GRC UME-ITRes IT resource.

   Table 4-4 Parameters of the GRC UME-ITRes IT Resource

   Parameter	Description
   Configuration Lookup	Enter the name of the configuration lookup definition. Value for Lookup Lookup.SAPUME.Configuration
   Connector Server Name	Name of the IT resource of the type "Connector Server."
   language	Enter the two-letter code for the language set on the target system. Sample value: EN
   password	Enter the password of the account created on Access Request Management system.
   port	Enter the number of the port at which Access Request Management system is listening. Sample value: 8090
   server	Enter the IP address of the host computer on which Access Request Management system is listening. Sample value: 10.231.231.231
   username	Enter the user name of an account created on Access Request Management system. This account is used to call Access Request Management system APIs that are used during request validation. Sample value: jdoe

7. To save the values, click Update.

4.8.2 Configuring SAP GRC to Act As the SoD Engine

To configure the SAP GRC to act as the SoD engine, see Using Segregation of Duties (SoD) in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for 11g Release 1 (11.1.2).

4.8.3 Specifying a Value for the TopologyName Basic Configuration Parameter

The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation:

• Oracle Identity Governance installation

• SAP GRC installation

• SAP ERP installation

By default, the GRC-ITRes IT resource is registered. However, you must manually register the GRC UME-ITRes IT resource and enter the new topology name as the value of the TopologyName IT resource parameter.

To register the GRC UME-ITRes IT resource:

1. Run the following command and add instance names for SAP and GRC.

   On Microsoft Windows: OIM_HOME\server\bin>registration.bat

   On a UNIX-based computer: OIM_HOME/server/bin/./registration.sh

   After running this command, enter options as shown in the following sample output:

   Do you want to proceed with registration? (y/n) y
   Register System Instance for type OIM ?(y/n) n
   Register System Instance for type EBS ?(y/n) n
   Register System Instance for type PSFT ?(y/n) n
   Register System Instance for type OAACG ?(y/n) n
   Register System Instance for type SAP ?(y/n) y
   Provide instance name sap1
   Register System Instance for type GRC ?(y/n) y
   Provide instance name grc1
   GRC ITResource Instance Name: GRC UME-ITRes
   Register System Instance for type OIM SDS ?(y/n) n
   Register System Instance for type OIA ?(y/n) n
   

2. Run the following command and find the registration IDs for the above instance names:

   OIM_HOME\server\bin>registration printRegistrationIDs

3. Import the metadata/iam-features-sil/db/SILConfig.xml file from MDS and add the <Topology> element with IDs found in Step 2.

   Here is a sample element:

   <Topology>
       <name>sodgrcume</name>
       <IdmId>1</IdmId>
       <SodId>24</SodId>
       <SDSId>23</SDSId>
   </Topology>
   

4. Export the metadata/iam-features-sil/db/SILConfig.xml file to MDS and restart the server.

See Basic Configuration Parameters for information about specifying values for Basic Configuration Parameters.

4.8.4 Disabling and Enabling SoD

This section describes the procedure to disable and enable SoD on Oracle Identity Governance.

• Disabling SoD on Oracle Identity Governance

• Enabling SoD on Oracle Identity Governance

4.8.4.1 Disabling SoD on Oracle Identity Governance

To disable SoD:

1. For Oracle Identity Governance release 12.2.1.3.0, log in to Oracle Identity System Administration.

2. In the left pane, under System Management, click System Configuration.

3. In the Search System Configuration box, enter XL.SoDCheckRequired and then click Search.

   A list that matches your search criteria is displayed in the search results table.

4. Click the XL.SoDCheckRequired property name.

   System properties for SoD are displayed on the right pane.

5. In the Value box, enter FALSE to disable SoD.

6. Click Save.

7. Restart Oracle Identity Governance.

4.8.4.2 Enabling SoD on Oracle Identity Governance

To enable SoD:

1. For Oracle Identity Governance release 12.2.1.3.0, log in to Oracle Identity System Administration.

2. In the left pane, under System Management, click System Configuration.

3. In the Search System Configuration box, enter XL.SoDCheckRequired and then click Search.

   A list that matches your search criteria is displayed in the search results table.

4. Click the XL.SoDCheckRequired property name.

   System properties for SoD are displayed on the right pane.

5. In the Value box, enter TRUE to enable SoD.

6. Click Save.

7. Restart Oracle Identity Governance.

4.9 Downloading WSDL files from SAP GRC

You need to download the WSDL files from SAP GRC before configuring the web services in SAP GRC. WSDL is required for connector to connect SAP web services.

Since the connector supports only basic authentication, select the User ID/Password check box for the following web services supported from OIG:

WSDL	Description
GRAC_AUDIT_LOGS_WS	Audit log web service
GRAC_LOOKUP_WS	Look Up Service
GRAC_REQUEST_STATUS_WS	Request status web service
GRAC_SELECT_APPL_WS	Select Application web service
GRAC_USER_ACCESS_WS	User Access Request Service
GRAC_SEARCH_ROLES_WS	Search role web service

When you download the WSDL file, ensure to save it with the same name as mentioned in the SOA Management page. In addition, ensure that the folder containing WSDL files have read permission.

4.10 Localizing Field Labels in UI Forms

You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation media.

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.

To localize field label that you add to in UI forms:

1. Log in to Oracle Enterprise Manager.

2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.

3. In the right pane, from the Application Deployment list, select MDS Configuration.

4. On the MDS Configuration page, click Export and save the archive (oracle.iam.console.identity.sysadmin.ear_V2.0_metadata.zip) to the local computer.

5. Extract the contents of the archive, and open the SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf file in a text editor:

   Note:

    You will not be able to view the BizEditorBundle.xlf unless you complete creating the application for your target system or perform any customization such as creating a UDF.

6. Edit the BizEditorBundle.xlf file in the following manner:

   1. Search for the following text:

      <file source-language="en"  
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

   2. Replace with the following text:

      <file source-language="en" target-language="LANG_CODE"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

      In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

      <file source-language="en" target-language="ja"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

   3. Search for the application instance code. This procedure shows a sample edit for SAP User Management Engine application instance. The original code is:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAPUME_DEPARTMENT__c_description']}">
      <source>Department</source>
      </target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.SAPUMEFORM.entity.SAPUMEFORMEO.UD_SAPUME_DEPARTMENT__c_LABEL">
      <source>Department</source>
      </target>
      </trans-unit>
      

   4. Open the resource file from the connector package, for example SAPUME_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_SAPUME_DEPARTMENT=\u90E8\u9580.

   5. Replace the original code shown in Step 6.b with the following:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAPUME_DEPARTMENT__c_description']}">
      <source>Department</source>
      <target>\u90E8\u9580</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.SAPUMEFORM.entity.SAPUMEFORMEO.UD_SAPUME_DEPARTMENT__c_LABEL">
      <source>Department</source>
      <target>\u90E8\u9580</target>
      </trans-unit>
      

   6. Repeat Steps 6.a through 6.d for all attributes of the process form.

   7. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

      Sample file name: BizEditorBundle_ja.xlf.

7. Repackage the ZIP file and import it into MDS.

   See Also:

   Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for more information about exporting and importing metadata files

8. Log out of and log in to Oracle Identity Governance.

4.11 Synchronizing the SAPUME Process Form and SAP AC UME Process Form with Target System Field Lengths

Ensure that the field length of attribute values in the target system must be the same as the field length of values in the SAPUME process form and SAP AC UME Process Form fields.