1 About the Connector
Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide documents the connector that enables you to use an IBM AS400 system as a managed (target) resource of Oracle Identity Manager.
Note:
At some places in this guide, the term target system is used to refer to AS400, also known as OS/400, i5/OS, and IBM i.
In the account management (target resource) mode of the connector, data about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. This data is used to provision (allocate) new resources or update resources already assigned to OIM users.
In addition, you can use Oracle Identity Manager to provision or update AS400 resources (that is, accounts) assigned to OIM users. These provisioning operations performed on Oracle Identity Manager translate into the creation of or updates to target system accounts.
This chapter contains the following sections:
1.1 Certified Components
Table 1-1 lists certified components for the AS400 connector.
Table 1-1 Certified Components
| Component | Requirement |
|---|---|
| Oracle Identity Governance or Oracle Identity Manager | You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager: |
| Target systems | AS400 (also known as OS/400, i5/OS, and IBM i) v5r4, IBM i 6.1, IBM i 7.1, IBM i 7.2, IBM i 7.3, IBM i 7.4, and IBM i 7.5 |
| Connector Server | 11.1.2.1.0 |
| Connector Server JDK | JDK 1.6 or later |
| External code | JTOpen library version 7.9 |
1.2 Usage Recommendation
Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
- If you are using an Oracle Identity Manager release 9.1.0.1 or later and earlier than Oracle Identity Manager 11g Release 1 (11.1.1.5.0), then you must use the 9.0.4 version of this connector.
- If you are using Oracle Identity Manager 11g Release 1 (11.1.1.5.0) or later, Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) or later, or Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0), then use the latest 11.1.1.x version of this connector.
1.3 Certified Languages
The AS400 connector supports the following languages:
- Arabic
- Chinese (Simplified)
- Chinese (Traditional)
- Danish
- English
- French
- German
- Italian
- Japanese
- Korean
- Portuguese (Brazilian)
- Spanish
1.4 Connector Architecture
The following figure shows the architecture for the AS400 connector.
Managing accounts consists of the following processes:
- Provisioning

  Provisioning involves creating or updating users on the target system through Oracle Identity Manager. When you allocate (or provision) an AS400 resource to an OIM User, the operation results in the creation of an AS400 user profile for that user. In the Oracle Identity Manager context, the term provisioning also covers updates made to the target system account through Oracle Identity Manager.
- Target resource reconciliation

  In target resource reconciliation, data related to newly created and modified target system accounts can be reconciled and linked with existing OIM users and provisioned resources. A scheduled job is used for reconciliation.

AS400 is configured as a target resource or a trusted resource of Oracle Identity Manager. Through provisioning operations performed on Oracle Identity Manager, accounts are created and updated on the target system for OIM users. Through reconciliation, account data that is created and updated directly on the target system is fetched into Oracle Identity Manager and stored against the corresponding OIM users.
The AS400 connector is implemented using the Identity Connector Framework (ICF). The ICF provides a container that separates the connector bundle from the application. The ICF also provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering.
For more information about the ICF, see Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
1.5 Features of the Connector
The following are features of the AS400 connector:
1.5.1 User Attributes for Target Resource Reconciliation and Provisioning
You can create mappings for attributes that are not included in the list of default attribute mappings. These attributes can be part of the standard set of attributes provided by the target system or custom attributes that you add on the target system.
The following is the list of the "out-of-the-box" supported attributes for Oracle Identity Manager (the attribute names are from the User Form Label name):
- User Id
- Password
- Owner
- User Class
- Password Expire
- Group Profile
- Initial Menu
- Job Description
- Limit Capabilities
- Description Text
- Initial Program
Table 1-2 describes the complete set of supported attributes, including the previously listed "out-of-the-box" attributes. To add these attributes and make them available, see the following sections:
Some attributes, as indicated in the table, are stored in an OS/400 Directory Entry object. See Policies for OS/400 Accounts Migration.
Table 1-2 User Attributes for Target Resource Reconciliation and Provisioning
| OIM Process Form Attribute Name | AS400 Connector Attribute Name | Native OS/400 Attribute | Description |
|---|---|---|---|
| Status | __ENABLE__ | None | Boolean. Indicates whether the account is enabled and logins are allowed. |
| __LAST_LOGIN_DATE__ | __LAST_LOGIN_DATE__ | None | Long. Read-only. Last login date. |
| __LAST_PASSWORD_CHANGE_DATE__ | __LAST_PASSWORD_CHANGE_DATE__ | None | Long. Read-only. Date and time the password was last updated. |
| Account Name | __NAME__ | User profile name | Required. Not updatable. OS/400 user profile name. The user profile name can be a maximum of 10 characters, including any letter (A-Z), a number (0-9), and the following special characters: pound (#), dollar ($), underscore (_), and at (@). The first character cannot be a number. |
| Password | __PASSWORD__ | User password | Required. Guarded string. OS/400 user password. Value is encrypted. |
| PASSWORD_CHANGE_INTERVAL | PASSWORD_CHANGE_INTERVAL | None | Integer. Number of days between the date when the password is changed and the date when the password expires. Values can be -1 to 366: -1 means the user's password does not expire (*NOMAX); 0 means the system value QPWDEXPITV is used to determine the user's password expiration interval (*SYSVAL); 1 to 366 is the number of days. |
| Password Expire | __PASSWORD_EXPIRED__ | None | Boolean. Indicates whether the password has expired. |
| ACCOUNTING_CODE | ACCOUNTING_CODE | ACGCDE | Accounting code associated with the user. Values can be a character value (15 characters, padded with blanks if fewer than 15 characters), *SAME, or *BLANK. |
| ADDRESS1 | ADDRESS1 | Directory entry attribute | First line of the user's address. |
| ADDRESS2 | ADDRESS2 | Directory entry attribute | Second line of the user's address. |
| ASTLVL | ASTLVL | ASTLVL | Assistance level. Sets which interface to use. |
| ATNPGM | ATNPGM | ATNPGM | Attention-key-handling program for this user. |
| BUILDING | BUILDING | Directory entry attribute | Building name or number. |
| CCSID | CCSID | CCSID | Coded character set identifier. |
| CNTRYID | CNTRYID | CNTRYID | Country or region identifier. |
| COMPANY | COMPANY | Directory entry attribute | Company name. |
| CURLIB | CURLIB | CURLIB | Current library for jobs initiated by this user profile. |
| DAYS_UNTIL_PASSWORD_EXPIRES | DAYS_UNTIL_PASSWORD_EXPIRES | None | Integer. Read-only. Number of days until the password expires. |
| DEPARTMENT | DEPARTMENT | Directory entry attribute | Department name or code. |
| DLVRY | DLVRY | DLVRY | Delivery mode that specifies how messages sent to the message queue for this user are to be delivered. |
| FAX | FAX | Directory entry attribute | Fax telephone number. |
| First Name | FIRST_NAME | Directory entry attribute | User's first name. A maximum of 20 characters is allowed. |
| FULL_NAME | FULL_NAME | Directory entry attribute | User's full name. |
| GID | GID | GID | Long. Group identification number for this user profile. You can assign the GID to a user who does not have an associated group profile. |
| GROUP_AUTHORITY | GROUP_AUTHORITY | GRPAUT | Authority given to the group profile for newly created objects. Values can be *SAME, *NONE, *ALL, *CHANGE, *USE, or *EXCLUDE. |
| Group Profile | GROUP_PROFILE_NAME | GRPPRF | User's group profile name whose authority is used if no specific authority is given for the user, or *NONE. |
| HIGHEST_SCHEDULING_PRIORITY | HIGHEST_SCHEDULING_PRIORITY | PTYLMT | Integer. Highest scheduling priority the user is allowed to have for each job submitted to the system. Values can be 0 (highest) through 9 (lowest). |
| HOMEDIR | HOMEDIR | HOMEDIR | Pathname of the user's home directory. |
| Initial Menu | INLMNU | INLMNU | Initial menu displayed when the user signs on the system if the user's routing program is the command processor. |
| Initial Program | INLPGM | INLPGM | Initial program to call when a user signs on. An initial program runs before the initial menu, if any, is displayed. |
| Job Description | JOBD | JOBD | Fully qualified integrated file-system path name of the job description used for jobs that start through subsystem work station entries. |
| JOB_TITLE | JOB_TITLE | Directory entry attribute | Job title for this user. |
| KBDBUF | KBDBUF | KBDBUF | Keyboard buffering used when a job is initiated for this user. |
| LANGID | LANGID | LANGID | Language identifier for the user. |
| Last Name | LAST_NAME | Directory entry attribute | User's last name. A maximum of 40 characters is allowed. |
| Limit Capabilities | LMTCPB | LMTCPB | Limit capabilities for this user. |
| LMTDEVSSN | LMTDEVSSN | LMTDEVSSN | Limit for number of device sessions for this user. |
| LOCATION | LOCATION | Directory entry attribute | Location for this user. |
| MAXSTG | MAXSTG | MAXSTG | Maximum amount of auxiliary storage (in kilobytes) assigned to store permanent objects owned by this user profile. Values can be -1 (as much storage as is required is assigned to this profile, *NOMAX) or the maximum amount of storage for the user, in kilobytes (1 kilobyte equals 1024 bytes). |
| MIDDLE_NAME | MIDDLE_NAME | Directory entry attribute | User's middle name. |
| MSGQ | MSGQ | MSGQ | Message queue where messages are sent for this user. |
| OFFICE | OFFICE | Directory entry attribute | Office name or number. |
| OUTQ | OUTQ | OUTQ | Output queue for this user profile. |
| Owner | OWNER | OWNER | Owner of new objects created by this user. |
| PREFERRED_NAME | PREFERRED_NAME | Directory entry attribute | User's preferred name. |
| PRTDEV | PRTDEV | PRTDEV | Default print device for this user. |
| SIGN_ON_ATTEMPTS_NOT_VALID | SIGN_ON_ATTEMPTS_NOT_VALID | None | Integer. Read-only. Number of invalid login attempts since the last successful login. |
| Special Authority | SPCAUT | SPCAUT | List of special authorities for this user. Can have multiple values. |
| SPCENV | SPCENV | SPCENV | Special environment for this user. |
| SRTSEQ | SRTSEQ | SRTSEQ | Sort sequence table used for string comparisons for this user. |
| STORAGE_USED | STORAGE_USED | None | Integer. Read-only. Amount of auxiliary storage in kilobytes occupied by this user's owned objects. Default is 12 kilobytes. |
| Supplemental Group | SUPGRPPRF | SUPGRPPRF | List of the user's supplemental group profiles. Can have multiple values. To update the Supplemental Group attribute, the Group Profile attribute must have a non-empty value. That is, to populate supplemental groups, a primary group (Group Profile) must already be defined. |
| TELEPHONE | TELEPHONE | Directory entry attribute | User's telephone number. |
| Description Text | TEXT | TEXT | Text up to 40 characters describing the object (OS/400 account). |
| UID | UID | UID | Long. User identification number. Range is 1 to 4294967294. The UID must not already be assigned to another user profile. Note: the UID is read-only (that is, non-creatable and non-updatable). |
| User Class | USRCLS | USRCLS | Type of user associated with this user profile: security officer, security administrator, programmer, system operator, or user. |
| USROPT | USROPT | USROPT | Level of help information detail to be shown and the function of the Page Up and Page Down keys by default. Can have multiple values. |
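A pre-provisioning check of the constraints that Table 1-2 states (profile name character set and length, the PASSWORD_CHANGE_INTERVAL value ranges, field lengths, read-only attributes, and the Group Profile prerequisite for Supplemental Group), as an added Python example; this is not the connector's own code, the rule set and the sample request are constructed here, and the attribute keys are the connector attribute names from the table.

```python
import re

# Constraints taken from Table 1-2; the rule set itself is constructed for
# this example and is not part of the connector.
PROFILE_NAME_RE = re.compile(r"^[A-Z#$_@][A-Z0-9#$_@]{0,9}$")  # max 10 chars, no leading digit
READ_ONLY = {"UID", "__LAST_LOGIN_DATE__", "__LAST_PASSWORD_CHANGE_DATE__",
             "DAYS_UNTIL_PASSWORD_EXPIRES", "SIGN_ON_ATTEMPTS_NOT_VALID", "STORAGE_USED"}
MAX_LEN = {"TEXT": 40, "FIRST_NAME": 20, "LAST_NAME": 40}
GROUP_AUTHORITY_VALUES = {"*SAME", "*NONE", "*ALL", "*CHANGE", "*USE", "*EXCLUDE"}


def validate_profile_name(name):
    """__NAME__: up to 10 characters from A-Z, 0-9, #, $, _, @; the first is not a digit."""
    if not isinstance(name, str) or not PROFILE_NAME_RE.match(name):
        return f"__NAME__ {name!r} violates the OS/400 user profile name rules"
    return None


def password_expiry_policy(interval):
    """Meaning of a PASSWORD_CHANGE_INTERVAL value as Table 1-2 defines it."""
    if interval == -1:
        return "*NOMAX"      # password never expires
    if interval == 0:
        return "*SYSVAL"     # system value QPWDEXPITV applies
    if 1 <= interval <= 366:
        return f"{interval} days"
    raise ValueError(f"PASSWORD_CHANGE_INTERVAL {interval!r} is outside -1..366")


def validate_request(attrs, update=False):
    """Return the list of constraint violations for a create (or update) request.

    attrs maps connector attribute names from Table 1-2 to the values the
    process form is about to send to the target system.
    """
    problems = []
    if update:
        if "__NAME__" in attrs:
            problems.append("__NAME__ is not updatable")
    else:
        for required in ("__NAME__", "__PASSWORD__"):
            if not attrs.get(required):
                problems.append(f"{required} is required")
        if "__NAME__" in attrs:
            err = validate_profile_name(attrs["__NAME__"])
            if err:
                problems.append(err)
    for key in sorted(READ_ONLY & set(attrs)):
        problems.append(f"{key} is read-only and cannot be provisioned")
    interval = attrs.get("PASSWORD_CHANGE_INTERVAL")
    if interval is not None:
        try:
            password_expiry_policy(interval)
        except (ValueError, TypeError) as exc:
            problems.append(str(exc))
    for key, limit in MAX_LEN.items():
        value = attrs.get(key)
        if value is not None and len(value) > limit:
            problems.append(f"{key} exceeds {limit} characters")
    code = attrs.get("ACCOUNTING_CODE")
    if code is not None and code not in ("*SAME", "*BLANK") and len(code) > 15:
        problems.append("ACCOUNTING_CODE exceeds 15 characters")
    authority = attrs.get("GROUP_AUTHORITY")
    if authority is not None and authority not in GROUP_AUTHORITY_VALUES:
        problems.append(f"GROUP_AUTHORITY {authority!r} is not a permitted value")
    priority = attrs.get("HIGHEST_SCHEDULING_PRIORITY")
    if priority is not None and not (isinstance(priority, int) and 0 <= priority <= 9):
        problems.append("HIGHEST_SCHEDULING_PRIORITY must be 0 (highest) to 9 (lowest)")
    # Table 1-2: supplemental groups need a primary Group Profile first.
    if attrs.get("SUPGRPPRF") and not attrs.get("GROUP_PROFILE_NAME"):
        problems.append("SUPGRPPRF requires a non-empty GROUP_PROFILE_NAME")
    return problems


SAMPLE_CREATE = {  # constructed sample request, not taken from the page
    "__NAME__": "JDOE01",
    "__PASSWORD__": "constructed-secret",
    "PASSWORD_CHANGE_INTERVAL": 90,
    "TEXT": "Finance analyst",
    "GROUP_PROFILE_NAME": "FINANCE",
    "SUPGRPPRF": ["AUDIT"],
    "GROUP_AUTHORITY": "*USE",
}

if __name__ == "__main__":
    print(validate_request(SAMPLE_CREATE))  # empty list when every constraint holds
```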
1.5.2 Process Form Fields Used for Target Provisioning and Reconciliation
This section contains the following topics:
1.5.2.1 Process Form Fields For Target Provisioning and Reconciliation
The following table describes the process form fields that the AS400 connector uses for target provisioning and reconciliation.
Table 1-3 Process Form Fields Used for Target Provisioning and Reconciliation
| Process Form Field Label | Field Type | Description |
|---|---|---|
| Account Name | TextField | OS/400 user profile name. The user profile name can be a maximum of 10 characters, including any letter (A-Z), a number (0-9), and the following special characters: pound (#), dollar ($), underscore (_), and at (@). The first character cannot be a number. |
| Description Text | TextField | Text up to 40 characters describing the object (OS/400 account). |
| First Name | TextField | User's first name. A maximum of 20 characters is allowed. |
| Group Profile | LookupField | User's group profile name whose authority is used if no specific authority is given for the user, or *NONE. |
| Initial Menu | TextField | Initial menu displayed when the user signs on the system if the user's routing program is the command processor. |
| Initial Program | TextField | Initial program to call when a user signs on. An initial program runs before the initial menu, if any, is displayed. |
| Job Description | TextField | Fully qualified integrated file-system path name of the job description used for jobs that start through subsystem work station entries. |
| Last Name | TextField | User's last name. A maximum of 40 characters is allowed. |
| Limit Capabilities | TextField | Limit capabilities for this user. |
| Owner | TextField | Owner of new objects created by this user. |
| Password | PasswordField | OS/400 user password. Value is encrypted. |
| Password Expire | CheckBox | Boolean. Indicates whether the password has expired. |
| Server | ITResourceLookupField | Name of the IT Resource instance. |
| Special Authority | TextField | List of special authorities for this user. Can have multiple values. |
| Supplemental Group | TextField | List of the user's supplemental group profiles. Can have multiple values. |
| User Class | TextField | Type of user associated with this user profile: security officer, security administrator, programmer, system operator, or user. |
| User Id | TextField | OS/400 user profile name. |
1.5.2.2 Mapping Form Fields to User Attributes for Target Resource Provisioning and Reconciliation
The following table describes the AS400 connector mapping of form fields to user attributes for target resource provisioning and reconciliation.
Table 1-4 Mapping Form Fields to User Attributes for Target Resource Provisioning and Reconciliation
| Process Form Field Label | OS/400 Attribute |
|---|---|
| Account Name | __NAME__ |
| Description Text | TEXT |
| First Name | FIRST_NAME |
| Group Profile | GROUP_PROFILE_NAME |
| Initial Menu | INLMNU |
| Initial Program | INLPGM |
| Job Description | JOBD |
| Last Name | LAST_NAME |
| Limit Capabilities | LMTCPB |
| Owner | OWNER |
| Password | __PASSWORD__ |
| Password Expire | __PASSWORD_EXPIRED__ |
| Special Authority | SPCAUT |
| Status | __ENABLE__ |
| Supplemental Group | SUPGRPPRF |
| User Class | USRCLS |
| User Id | __UID__ |
1.5.2.3 Mapping Form Fields to User Attributes for Trusted Source Reconciliation
The following table describes the AS400 connector mapping of form fields to user attributes for trusted source reconciliation.
Table 1-5 Mapping Form Fields to User Attributes for Trusted Source Reconciliation
| OIM User Form Field | OS/400 Attribute |
|---|---|
| First Name | FIRST_NAME |
| Last Name | LAST_NAME |
| Status | __ENABLE__ |
| User Id | __UID__ |
| User Login | __NAME__ |
1.5.3 Reconciliation
Reconciliation involves pulling identities from the target resource (OS/400) to the destination (Oracle Identity Manager). Reconciliation is based on the following criteria:
- Destination type: trusted or target reconciliation
- Scope: full or incremental reconciliation

The scheduled task name includes the keyword trusted or target, which determines the type of destination: the scheduled task you choose determines whether trusted or target reconciliation is launched.
This section describes the following subsections:
Caution:
Make sure that you use the right IT Resource type (trusted or target) with the respective scheduled task. The type of IT resource is determined by the value for the Configuration Lookup IT resource parameter:
- If Configuration Lookup is Lookup.AS400.Configuration, then it is target mode.
- If Configuration Lookup is Lookup.AS400.Configuration.Trusted, then it is trusted mode.
1.5.3.1 Common Reconciliation Parameters
Common reconciliation parameters for the AS400 connector are:
- Filter - optional filter that limits the number of reconciled accounts or selects a specific set of users.
- IT Resource Name - required parameter specifying the name of the IT Resource instance to reconcile.
- Object Type (constant) – User object class.
- Resource Object Name – constant parameter determining which OIM Resource Object to use for reconciliation.
1.5.3.2 Full and Incremental Reconciliation Modes
When the reconciliation scheduled task is launched for the first time, it runs in full reconciliation mode. Subsequent runs are automatically in incremental mode. You can switch manually from incremental back to full mode by emptying the Latest Token field on the scheduled task.
The following scheduled tasks provide for optional incremental reconciliation: AS400Connector Target User Reconciliation and AS400Connector Trusted User Reconciliation.
Advanced Incremental Reconciliation
The format of the Latest Token is altered by setting the Recon Date Format scheduled task parameter. The formatting string must follow the standard pattern syntax of the Java java.text.SimpleDateFormat class; see its Javadoc:
http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html
By default, the Latest Token is a long value that specifies the Unix/POSIX time.
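The decisions described in this section and in the Caution above (trusted or target mode from the Configuration Lookup, full or incremental scope from the Latest Token, and the token format from Recon Date Format), worked through as an added Python example that is not the connector's own code. The account records are constructed, the default token is treated as POSIX seconds (the page says only "Unix/POSIX time"), and only the SimpleDateFormat fields yyyy, MM, dd, HH, mm and ss are translated; all three are assumptions of this example.

```python
from datetime import datetime, timezone

# Values of the IT Resource "Configuration Lookup" parameter, as given in the Caution above.
TARGET_LOOKUP = "Lookup.AS400.Configuration"
TRUSTED_LOOKUP = "Lookup.AS400.Configuration.Trusted"

# SimpleDateFormat letter runs -> strftime directives (subset; an assumption of this example).
_JAVA_RUNS = {("y", 4): "%Y", ("M", 2): "%m", ("d", 2): "%d",
              ("H", 2): "%H", ("m", 2): "%M", ("s", 2): "%S"}


def recon_mode(configuration_lookup):
    """Map an IT Resource's Configuration Lookup to 'target' or 'trusted'."""
    if configuration_lookup == TARGET_LOOKUP:
        return "target"
    if configuration_lookup == TRUSTED_LOOKUP:
        return "trusted"
    raise ValueError(f"unknown Configuration Lookup: {configuration_lookup!r}")


def task_matches_resource(task_name, configuration_lookup):
    """The Caution above: the trusted/target keyword in the task name must match the IT Resource."""
    keyword = "trusted" if "trusted" in task_name.lower() else "target"
    return keyword == recon_mode(configuration_lookup)


def java_pattern_to_strftime(pattern):
    """Translate a Recon Date Format pattern (SimpleDateFormat syntax) to strftime."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch.isalpha():
            j = i
            while j < len(pattern) and pattern[j] == ch:
                j += 1
            if (ch, j - i) not in _JAVA_RUNS:
                raise ValueError(f"unsupported SimpleDateFormat field: {pattern[i:j]!r}")
            out.append(_JAVA_RUNS[(ch, j - i)])
            i = j
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_latest_token(token, recon_date_format=None):
    """Empty token means full reconciliation (None); otherwise return a UTC datetime."""
    if token is None or str(token).strip() == "":
        return None
    if recon_date_format:
        fmt = java_pattern_to_strftime(recon_date_format)
        return datetime.strptime(token, fmt).replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(token), tz=timezone.utc)  # default: POSIX seconds


def format_latest_token(moment, recon_date_format=None):
    if recon_date_format:
        return moment.strftime(java_pattern_to_strftime(recon_date_format))
    return str(int(moment.timestamp()))


def run_reconciliation(accounts, latest_token, recon_date_format=None):
    """Select the accounts a run would process and compute the token to store afterwards."""
    since = parse_latest_token(latest_token, recon_date_format)
    if since is None:
        mode, selected = "full", list(accounts)
    else:
        mode, selected = "incremental", [a for a in accounts if a["modified"] > since]
    # The watermark never moves backwards: keep the old token if nothing newer was seen.
    candidates = [a["modified"] for a in accounts] + ([since] if since else [])
    if not candidates:
        return mode, selected, latest_token
    return mode, selected, format_latest_token(max(candidates), recon_date_format)


ACCOUNTS = [  # constructed sample of target-system accounts with their last-modified times
    {"__NAME__": "JDOE", "modified": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)},
    {"__NAME__": "ASMITH", "modified": datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)},
    {"__NAME__": "OPERATOR", "modified": datetime(2024, 3, 9, 8, 15, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    mode, selected, token = run_reconciliation(ACCOUNTS, "")  # first run: empty token
    print(mode, [a["__NAME__"] for a in selected], token)
    mode, selected, token = run_reconciliation(ACCOUNTS, token)  # second run: incremental
    print(mode, [a["__NAME__"] for a in selected], token)
```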
1.5.3.3 Delete Reconciliation
AS400 supports both trusted and target reconciliation of deleted accounts. Target delete reconciliation evaluates which OIM users have lost their account on the OS/400 resource and unassigns this resource in OIM. Trusted delete reconciliation goes further and deletes the OIM User.
1.5.3.4 Group Lookup Reconciliation
Before the first use of provisioning with the AS400 connector, it is recommended that you launch Lookup Reconciliation. This Lookup Reconciliation populates the Lookup.AS400.Groups table with the groups available on the IT Resource that is being reconciled.
Lookup Reconciliation must be launched on the target mode IT Resource (that is, the value of the "Configuration Lookup" property on the IT Resource equals "Lookup.Configuration.AS400").
The reconciliation is performed by the AS400Connector Lookup Reconciliation scheduled task. The target IT Resource Name is used for the Lookup Reconciliation of the groups.
These parameters are constants:
- Code key attribute – connector attribute that is used as the key of the lookup
- Decode key attribute – connector attribute specifying the value of the lookup
- Object type – Group
For more information, see Scheduled Job for Lookup Field Synchronization.
1.5.4 Full or Incremental Reconciliation
In full reconciliation, all records are fetched from the target system to Oracle Identity Manager during the first reconciliation run performed on the target system. From the second reconciliation run onward, incremental reconciliation is performed, meaning that only accounts that have been added, modified, or deleted after the recorded timestamp are fetched for reconciliation.
The following scheduled jobs are used to automate full reconciliation:
- AS400Connector Target User Reconciliation
- AS400Connector Trusted User Reconciliation
1.5.4.1 Delete Reconciliation
The following scheduled jobs are used for delete reconciliation:
- AS400Connector Trusted User Delete Reconciliation
- AS400Connector Target User Delete Reconciliation
1.5.5 Support for Reconciliation of Account Status
During a reconciliation run, the connector can fetch status information along with the rest of the account data.
1.5.6 Features Provided by the Identity Connector Framework
The Identity Connector Framework (ICF) is a component that provides basic provisioning, reconciliation, and other functions that all Oracle Identity Manager and Oracle Waveset connectors require. The ICF also uses classpath isolation, which allows the AS400 connector to co-exist with legacy versions of the connector.
For more information, see Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
1.5.7 Support for Scheduled Tasks
Table 1-6 shows an overview of the AS400 connector scheduled task capabilities. For more information, see Configuring Scheduled Jobs.
Table 1-6 Overview of AS400 Connector Scheduled Task Capabilities
| Scheduled Task | Capability |
|---|---|
| AS400Connector Target User Reconciliation | Trusted: Not available; Target: Available; Full: an empty "Latest Token" scheduled task parameter controls full reconciliation; Incremental: a populated "Latest Token" scheduled task parameter controls incremental reconciliation; Delete: Not available |
| AS400Connector Trusted User Reconciliation | Trusted: Available; Target: Not available; Full: an empty "Latest Token" scheduled task parameter controls full reconciliation; Incremental: a populated "Latest Token" scheduled task parameter controls incremental reconciliation; Delete: Not available |
| AS400Connector Target User Delete Reconciliation | Trusted: Not available; Target: Available; Full: Not available; Incremental: Not available; Delete: Available |
| AS400Connector Trusted User Delete Reconciliation | Trusted: Available; Target: Not available; Full: Not available; Incremental: Not available; Delete: Available |
1.5.8 Connection Pooling
A connection pool is a cache of objects that represent physical connections to the target system. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.
One connection pool is created for each IT resource type. For example, if you have three IT resources for three installations of the target system, then three connection pools are created, one for each target system installation.
The AS400 connector uses Identity Connector Framework (ICF) connection pooling. For more information, see Configuring Connection Pooling.
1.5.9 Support for the Connector Server
If required by your deployment, you can deploy the AS400 connector in the Connector Server. For more information, see AS400 Connector Deployment Architecture With the Connector Server.
1.6 Lookup Definitions Used During Connector Operations
This section describes the following AS400 connector Lookup definitions:
1.6.1 AS400 Connector Lookup Definitions Overview
The AS400 connector Lookup definitions provide various information to the Oracle Identity Manager engine. These Lookup definitions are either prepopulated with values, or values must be manually entered in a definition after the connector is deployed:
- Configuration of the AS400 connector (for example, Lookup.Configuration.AS400): Top-level Lookup element that contains the connector version. The configuration references the following user management (UM) configuration Lookup.
- User management (UM) configuration (for example, Lookup.AS400.UM.Configuration): Hub that points to subordinate lookups that contain information about attribute mapping for reconciliation and provisioning.
- Provisioning attribute map (for example, Lookup.AS400.UM.ProvAttrMap): Mapping of OIM user attributes (key) to connector attributes (value) for provisioning.
- Reconciliation attribute map (for example, Lookup.AS400.UM.ReconAttrMap): Mapping of OIM user attributes (key) to connector attributes (value) for reconciliation.
- Holder of lookup reconciliation values (Lookup.AS400.Groups): Whenever group reconciliation is performed, this lookup is populated with group names.
1.6.2 Lookup.Configuration.AS400 Definition
The Lookup.Configuration.AS400 definition contains the entries shown in Table 1-7.
Table 1-7 Lookup.Configuration.AS400 Entries
| Key Code | Decode | Description |
|---|---|---|
| Connector Name | org.identityconnectors.as400.AS400Connector | This entry holds the name of the connector class. Do not modify this entry. |
| Bundle Name | org.identityconnectors.as400 | This entry holds the name of the connector bundle class. Do not modify this entry. |
| Bundle Version | 1.0.0 | This entry holds the version of the connector bundle class. Do not modify this entry. |
| User Configuration Lookup | Lookup.AS400.UM.Configuration | This entry holds the name of the lookup definition that stores configuration information used during user management operations. Do not modify this entry. |
1.6.3 Lookup.AS400.UM.Configuration Definition
The Lookup.AS400.UM.Configuration definition contains the entries shown in Table 1-8.
Table 1-8 Lookup.AS400.UM.Configuration Entries
| Key Code | Decode | Description |
|---|---|---|
| Provisioning Attribute Map | Lookup.AS400.UM.ProvAttrMap | This entry holds the name of the lookup definition that stores attribute mappings between Oracle Identity Manager and the target system. This lookup definition is used during provisioning operations. |
| Recon Attribute Map | Lookup.AS400.UM.ReconAttrMap | This entry holds the name of the lookup definition that stores attribute mappings between Oracle Identity Manager and the target system. This lookup definition is used during reconciliation. |
| Unique Id Form Field | UD_AS400CON_UID | This entry holds the name of the process form field (column) that stores Unique ID values. If you create a copy of the process form, then enter the name of the field (column) in the new process form that stores Unique ID values. |
1.6.4 Lookup.AS400.UM.ProvAttrMap Definition
The Lookup.AS400.UM.ProvAttrMap definition holds mappings between process form fields and target system attributes. This Lookup definition is used during provisioning and is preconfigured.
The Lookup.AS400.UM.ProvAttrMap definition contains the entries shown in Table 1-9.
Table 1-9 Lookup.AS400.UM.ProvAttrMap Entries
| Key | Value |
|---|---|
| Last Name | LAST_NAME |
| UD_AS400CSP~Special Authority | SPCAUT |
| User Id | __UID__ |
| User Class | USRCLS |
| Password | __PASSWORD__ |
| Account Name | __NAME__ |
| Initial Menu | INLMNU |
| Owner | OWNER |
| Job Description | JOBD |
| Password Expire | __PASSWORD_EXPIRED__ |
| Description Text | TEXT |
| First Name | FIRST_NAME |
| Initial Program | INLPGM |
| UD_AS400CSG~Supplemental Group[Lookup] | SUPGRPPRF |
| Limit Capabilities | LMTCPB |
| Group Profile[Lookup] | GROUP_PROFILE_NAME |
You can add entries in this Lookup definition if you want to map new target system attributes for provisioning. See Adding Target System Attributes for Provisioning.
1.6.5 Lookup.AS400.UM.ReconAttrMap Definition
The Lookup.AS400.UM.ReconAttrMap definition holds mappings between process form fields and target system attributes. This Lookup definition is used during reconciliation and is preconfigured.
The Lookup.AS400.UM.ReconAttrMap definition contains the entries shown in Table 1-10.
Table 1-10 Lookup.AS400.UM.ReconAttrMap Entries
| Key | Value |
|---|---|
| Status | __ENABLE__ |
| Description Text | TEXT |
| Special Authorities~Special Authority | SPCAUT |
| Owner | OWNER |
| Account Name | __NAME__ |
| User Id | __UID__ |
| Initial Program | INLPGM |
| User Class | USRCLS |
| Job Description | JOBD |
| Limit Capabilities | LMTCPB |
| Password Expire | __PASSWORD_EXPIRED__ |
| Initial Menu | INLMNU |
| Supplemental Groups~Supplemental Group[Lookup] | SUPGRPPRF |
| Group Profile[Lookup] | GROUP_PROFILE_NAME |
| Last Name | LAST_NAME |
| First Name | FIRST_NAME |
You can add entries in this Lookup definition if you want to map new target system attributes for reconciliation. See Adding Target System Attributes for Target Reconciliation and Adding Target System Attributes for Trusted Reconciliation.
1.6.6 Lookup.Configuration.AS400.Trusted Definition
The Lookup.Configuration.AS400.Trusted definition contains the entries shown in Table 1-11.
Table 1-11 Lookup.Configuration.AS400.Trusted Entries
| Key | Value |
|---|---|
| Bundle Name | org.identityconnectors.as400 |
| Connector Name | org.identityconnectors.as400.AS400Connector |
| User Configuration Lookup | Lookup.AS400.UM.Configuration.Trusted |
| Bundle Version | 1.0.0 |
1.6.7 Lookup.AS400.UM.ReconAttrMap.Trusted Definition
The Lookup.AS400.UM.ReconAttrMap.Trusted definition contains the entries shown in Table 1-12.
Table 1-12 Lookup.AS400.UM.ReconAttrMap.Trusted Entries
| Key | Value |
|---|---|
| Status | __ENABLE__ |
| Last Name | LAST_NAME |
| User Login | __NAME__ |
| First Name | FIRST_NAME |
| User Id | __UID__ |
1.6.8 Lookup.AS400.UM.Configuration.Trusted Definition
The Lookup.AS400.UM.Configuration.Trusted definition contains the entries shown in Table 1-13.
Table 1-13 Lookup.AS400.UM.Configuration.Trusted Entries
| Key | Value |
|---|---|
| Unique Id Form Field | UD_AS400CON_UID |
| Recon Attribute Defaults | Lookup.AS400.UM.TrustedDefaults |
| Recon Attribute Map | Lookup.AS400.UM.ReconAttrMap.Trusted |
1.6.9 Lookup.AS400.UM.TrustedDefaults Definition
The Lookup.AS400.UM.TrustedDefaults definition contains the entries shown in Table 1-14.
Table 1-14 Lookup.AS400.UM.TrustedDefaults Entries
| Key | Value |
|---|---|
| Organization | Xellerate Users |
| Employee Type | Full-Time |
| User Type | End-User |
1.6.10 Lookup.AS400.Groups Definition for Reconciliation for Groups
The Lookup.AS400.Groups lookup definition is populated with the groups from the OS/400 target resource when Lookup Reconciliation is performed.
During a provisioning operation, you use the Group lookup field on the process form to specify a group for the user for whom the provisioning operation is being performed. The Group lookup field is populated with values from the Lookup.AS400.Groups lookup definition, which is automatically created on Oracle Identity Manager when you deploy the connector. However, to get it populated, an initial reconciliation should be explicitly launched.
The Code Key column has the format <IT Resource key~groupName>. The Decode column has the same format: <IT Resource key~groupName>.
The source of group names is the connector __NAME__ attribute of the Group objectClass.
When you perform lookup field synchronization, entries in the Group lookup field on the target system are fetched to Oracle Identity Manager and populated in the Lookup.AS400.Groups lookup definition.
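The Code Key and Decode format described above (IT Resource key, a tilde, then the group name taken from the Group objectClass __NAME__ attribute), as an added Python example that is not the connector's own code. The IT Resource keys and group names are constructed, and the check that a selected group belongs to the IT Resource being provisioned is a defensive check this example adds, not a documented connector behaviour.

```python
SEPARATOR = "~"  # Lookup.AS400.Groups: "<IT Resource key~groupName>" in both Code Key and Decode


def build_group_lookup(it_resource_key, group_names):
    """Build Lookup.AS400.Groups rows from Group __NAME__ values for one IT Resource."""
    rows = []
    for name in group_names:
        entry = f"{it_resource_key}{SEPARATOR}{name}"
        rows.append({"code": entry, "decode": entry})
    return rows


def split_lookup_value(value):
    """Return (it_resource_key, group_name) for one Code Key or Decode value.

    OS/400 profile names are limited to A-Z, 0-9, #, $, _ and @ (Table 1-2), so the
    first '~' is unambiguous and no escaping is needed.
    """
    key, sep, name = value.partition(SEPARATOR)
    if not sep or not key or not name:
        raise ValueError(f"malformed Lookup.AS400.Groups value: {value!r}")
    return key, name


def groups_for_resource(rows, it_resource_key):
    """Group names that belong to the given IT Resource (what the Group lookup field offers)."""
    return [name for key, name in (split_lookup_value(r["code"]) for r in rows)
            if key == it_resource_key]


def resolve_group_for_provisioning(selected_code, it_resource_key):
    """Map the value chosen in Group Profile[Lookup] back to the bare GRPPRF name.

    Refuses a selection whose IT Resource key differs from the resource being provisioned,
    so a lookup shared by several IT Resources cannot hand a foreign group to the target.
    """
    key, name = split_lookup_value(selected_code)
    if key != it_resource_key:
        raise ValueError(f"group {name!r} belongs to IT Resource {key!r}, not {it_resource_key!r}")
    return name


if __name__ == "__main__":
    # Constructed IT Resource keys ("12", "7") and group names; not taken from the page.
    rows = build_group_lookup("12", ["FINANCE", "AUDIT"]) + build_group_lookup("7", ["OPS"])
    print(groups_for_resource(rows, "12"))
    print(resolve_group_for_provisioning("12~AUDIT", "12"))
```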
1.7 Resource Objects Used for Provisioning and Reconciliation
The AS400 connector uses the following Resource Objects:
- AS400 User
- AS400 Trusted User
See Also:
- See Managing Reconciliation in Oracle Fusion Middleware Administering Oracle Identity Manager for conceptual information about reconciliation.
- See Managing Provisioning Tasks in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for conceptual information about provisioning.
This section discusses the following topics:
1.7.1 User Provisioning Functions
Provisioning involves creating or modifying account data on the target system through Oracle Identity Manager.
Table 1-15 lists the supported user provisioning functions and the adapters that perform these functions. The functions listed in the table correspond to either a single or multiple process tasks.
See Also:
See Types of Adapters in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for generic information about process task adapters.
Table 1-15 User Provisioning Functions
| Function | Adapter |
|---|---|
| Create user | CREATEUSER |
| Update user | UPDATEATTRIBUTEVALUE (for multivalued attributes: UPDATECHILDTABLEVALUES) |
| Delete user | DELETEUSER |
| Enable or disable user | ENABLEUSER, DISABLEUSER |
| Change or reset password | UPDATEATTRIBUTEVALUE |
| Add or remove user from group | UPDATEATTRIBUTEVALUE |
1.7.2 Reconciliation Rules
See Also:
See the following sections in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for generic information about reconciliation matching and action rules:
- Creating Reconciliation Metadata (Developing Identity Connectors Using Java)
- Creating Reconciliation Metadata (Developing Identity Connectors Using .NET)
The following sections provide information about the reconciliation rules for this connector.
1.7.2.1 About Reconciliation Action Rules
There are different reconciliation rules used for trusted and target reconciliation:
- AS400 Trusted User Recon Rule: User Login equals UserId, Resource Object: AS400 Trusted User
- AS400 User Recon Rule: User Login equals UserId, Resource Object: AS400 User
1.7.2.2 Viewing Reconciliation Rules in the Design Console
After you deploy the connector, you can view the reconciliation rule for reconciliation by performing the following steps:
- Log in to the Oracle Identity Manager Design Console.
- Expand Development Tools.
- Double-click Reconciliation Rules.
- Search for and open AS400 User Recon Rule or AS400 Trusted User Recon Rule.
1.7.3 Reconciliation Action Rules
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See the following sections in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about setting or modifying a reconciliation action rule:
The following sections provide information about the reconciliation action rules for this connector:
You can configure the Reconciliation Action Rules in the Design Console under the Resource Object tab, Object Reconciliation tab, and then Reconciliation Action Rules.
1.7.3.1 Reconciliation Action Rules for Reconciliation
Table 1-16 lists the action rules for reconciliation.
Table 1-16 Action Rules for Reconciliation
| Rule Condition | Action |
|---|---|
| No Matches Found | Assign to Administrator With Least Load |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |
1.8 Roadmap for Deploying and Using the Connector
The following is the organization of information in the rest of this guide:
- Deploying the Connector describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
- Using the Connector describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
- Extending the Functionality of the Connector describes the procedures to perform if you want to extend the functionality of the connector.
- Known Issues lists known issues associated with this release of the connector.
- Policies for OS/400 Accounts Migration describes the policies for OS/400 account migration.