5 Using the Google Apps Connector
You can use the Google Apps connector for performing reconciliation and provisioning operations after configuring the application to meet your requirements.
This chapter is divided into the following sections:
5.1 Configuring Reconciliation
You can configure the connector to specify the type of reconciliation and its schedule.
This section provides information on the following topics related to configuring reconciliation:
5.1.1 Performing Full Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance.
After you create the application, you must first perform full reconciliation. To perform a full reconciliation run, ensure that no value is specified for the Filter parameter of the job for reconciling users and groups.
5.1.2 Performing Limited Reconciliation
By default, all target system records are reconciled during the current reconciliation run. You can customize this process by specifying the subset of target system records that must be reconciled.
You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use Google Apps resource attributes to filter the target system records.
Because the Google Apps target system offers only limited support for filter queries on string fields, the connector supports only the startsWith and equalTo filters. The following are examples of both filters:
- startsWith: startsWith('__NAME__','John')
  In this example, all records whose email address begins with 'John' are reconciled.
- equalTo: equalTo('givenName','John')
  In this example, all records whose givenName is 'John' are reconciled.
For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
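A pre-flight check for values entered in the Filter attribute, as an added example that is not part of the Oracle documentation or the connector's code. The function name check_filter, the optional allowed_attrs set, and the decision to reject compound expressions and empty comparison values are assumptions of this example; the sample filters are constructed.

```python
import re

# Operators the section above lists as supported by this connector.
SUPPORTED_OPERATORS = {"startsWith", "equalTo"}

# operator('attribute','value') with single-quoted arguments, the shape
# used by the two examples in the section above.
_FILTER_RE = re.compile(
    r"""^\s*(?P<op>[A-Za-z]+)\s*\(\s*
        '(?P<attr>[^']+)'\s*,\s*
        '(?P<value>[^']*)'\s*\)\s*$""",
    re.VERBOSE,
)


def check_filter(expr, allowed_attrs=None):
    """Return (ok, reason) for a candidate Filter attribute value.

    An empty value is accepted because an empty Filter means full
    reconciliation. allowed_attrs is a caller-supplied set of attribute
    names (hypothetical parameter, not a connector setting).
    """
    if expr is None or not expr.strip():
        return True, "empty filter: full reconciliation"
    m = _FILTER_RE.match(expr)
    if m is None:
        return False, "not a single operator('attribute','value') expression"
    op, attr, value = m.group("op", "attr", "value")
    if op not in SUPPORTED_OPERATORS:
        return False, f"operator {op!r} is not supported by this connector"
    if allowed_attrs is not None and attr not in allowed_attrs:
        return False, f"attribute {attr!r} is not in the allowed set"
    if value == "":
        return False, "empty comparison value rejected by this check"
    return True, f"{op} on {attr}"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    samples = [
        "startsWith('__NAME__','John')",
        "equalTo('givenName','John')",
        "contains('givenName','oh')",
        "startsWith('__NAME__','')",
        "",
    ]
    for s in samples:
        print(repr(s), "->", check_filter(s))
```

Running the check before saving the job catches a filter that the connector does not support, so a reconciliation run scoped to a subset of records is not started with an expression it cannot apply.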
5.1.3 Performing Batched Reconciliation
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid such problems.
To configure batched reconciliation, specify a value for the Batch Size attribute of the reconciliation job for user and group reconciliation. You use the Batch Size attribute to specify the number of records that must be included in each batch fetched from the target system.
5.2 Configuring Reconciliation Jobs
Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
5.3 Configuring Provisioning
You can configure the provisioning operation for the Google Apps connector.
This section provides information on the following topics:
5.3.1 Guidelines on Performing Provisioning Operations
These are the guidelines that you must apply while performing provisioning operations.
- For a Create User provisioning operation, you must specify a value for the Account Name field along with the domain name. For example, jdoe@example.com.
- During a group provisioning operation, if you select ANYONE_CAN_JOIN as the value of the Who Can Join field, then you must set the value of the Allow External Members field to True. Before you perform the group provisioning operation with the values discussed in this point, ensure you have performed the procedure described in Configuring the Target System.
5.3.2 Performing Provisioning Operations
You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
- Log in to Identity Self Service.
- Create a user as follows:
  - In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
  - From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
  - Enter details of the user in the Create User page.
- On the Account tab, click Request Accounts.
- In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
- Specify values for the fields in the application form and then click Ready to Submit.
- Click Submit.
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page.
5.4 Connector Objects Used for Groups Management
Learn about the objects that are used by the connector to perform group management operations such as create, update, and delete.
5.4.1 Lookup Definitions for Groups Management
The lookup definitions for Groups are automatically created in Oracle Identity Governance after you create the application by using the connector.
5.4.1.1 Lookup.GoogleApps.GM.Configuration
The Lookup.GoogleApps.GM.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.
Table 5-1 lists the default entries in this lookup definition.
Table 5-1 Entries in the Lookup.GoogleApps.GM.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map | Lookup.GoogleApps.GM.ProvAttrMap | This entry holds the name of the lookup definition that stores attribute mappings between Oracle Identity Manager and the target system. This lookup definition is used during provisioning operations. |
Recon Attribute Map | Lookup.GoogleApps.GM.ReconAttrMap | This entry holds the name of the lookup definition that stores attribute mappings between Oracle Identity Manager and the target system. This lookup definition is used during reconciliation. |
5.4.1.2 Lookup.GoogleApps.GM.ProvAttrMap
The Lookup.GoogleApps.GM.ProvAttrMap lookup definition holds mappings between process form fields (Code Key values) and target system attributes (Decode). This lookup definition is preconfigured and is used during group provisioning operations. Table 5-2 lists the default entries.
Table 5-2 Entries in the Lookup.GoogleApps.GM.ProvAttrMap Lookup Definition
Group Field on Oracle Identity Manager | Google Apps Field |
---|---|
Allow External Members | allowExternalMembers |
Description | description |
Email Address | |
Group Name | name |
Is Archived | isArchived |
Unique Id | __UID__ |
Who Can Join | whoCanJoin |
Who Can View Group | whoCanViewGroup |
Who Can View Membership | whoCanViewMembership |
5.4.1.3 Lookup.GoogleApps.GM.ReconAttrMap
The Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition holds mappings between resource object fields (Code Key values) and target system attributes (Decode). This lookup definition is preconfigured and is used during target resource group reconciliation runs. Table 5-3 lists the default entries.
Table 5-3 Entries in the Lookup.GoogleApps.GM.ReconAttrMap Lookup Definition
Group Field on Oracle Identity Manager | Google Apps Field |
---|---|
Allow External Members | allowExternalMembers |
Description | description |
Email Address | |
Group Name | name |
Is Archived | isArchived |
OIM Org Name | Organization Name Note: This is a connector attribute. The value of this attribute is used internally by the connector to specify the organization of the groups in Oracle Identity Manager. |
Unique Id | __UID__ |
Who Can Join | whoCanJoin |
Who Can View Group | whoCanViewGroup |
Who Can View Membership | whoCanViewMembership |
5.4.2 Reconciliation Rules and Action Rules for Groups Management
Reconciliation rules are used by the reconciliation engine to determine the identity to which Oracle Identity Governance must assign a newly discovered account on the target system. Reconciliation action rules define the actions the connector must perform based on the reconciliation rules.
5.4.2.1 Reconciliation Rule for Groups
The following is the process-matching rule for groups:
Rule name: GoogleApps Groups Recon Rule
Rule element: Organization Name Equals OIM Org Name
In this rule element:
- Organization Name is the Organization Name field of the OIM User form.
- OIM Org Name is the organization name of the groups in Oracle Identity Manager. OIM Org Name is the value specified in the Organization Name attribute of the GoogleApps Group Recon scheduled job.
5.4.2.2 Reconciliation Action Rules for Groups
Table 5-4 lists the action rules for groups reconciliation.
Table 5-4 Action Rules for Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Assign to Administrator With Least Load |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
5.4.3 Reconciliation Scheduled Jobs for Groups Management
After you create an application, reconciliation scheduled jobs are automatically created in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.
You must specify values for the attributes of the following scheduled jobs:
5.4.3.1 GoogleApps Group Recon
You use the GoogleApps Group Recon scheduled job to reconcile group data from the target system.
Table 5-5 describes the attributes of this scheduled job.
Table 5-5 Attributes of the GoogleApps Group Recon Scheduled Job
Attribute | Description |
---|---|
Resource Object Name | This attribute holds the name of the resource object used for reconciliation. Default value: Note: You must not change the default value. |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Organization Name | Enter the name of the Oracle Identity Manager organization in which reconciled groups must be created or updated. |
Filter | This attribute holds the ICF Filter written using ICF-Common Groovy DSL. See Performing Limited Reconciliation for more information about this attribute. |
Batch Size | Enter the number of records that must be included in each batch fetched from the target system. |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Default value: |
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
5.4.3.2 GoogleApps Group Delete Recon
You use the GoogleApps Group Delete Recon scheduled job to reconcile deleted groups from the target system.
Table 5-6 describes the attributes of this scheduled job.
Table 5-6 Attributes of the GoogleApps Group Delete Recon Scheduled Job
Attribute | Description |
---|---|
Resource Object Name | This attribute holds the name of the resource object used for reconciliation. Default value: |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Organization Name | Enter the name of the Oracle Identity Manager organization from which reconciled groups must be deleted. |
Batch Size | Enter the number of records that must be included in each batch fetched from the target system. |
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
5.5 Uninstalling the Connector
Uninstalling the connector deletes all the account-related data associated with its resource objects.
If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector (for example, GoogleApps User; GoogleApps Group) as the value of the ObjectValues property.
Note:
If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValue properties, then the deletion of objects listed in the ObjectValues property is performed by the utility and the Connector information is skipped.
For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.