1.6 Features of the Connector
The following are features of the connector:
1.6.1 Support for Reconciliation and Provisioning of RSA Authentication Manager User Accounts and Tokens
You can use the connector to reconcile and provision RSA Authentication Manager user accounts and tokens. The connector provides separate process forms and resource objects for user accounts and token operations.
1.6.2 Full and Incremental Reconciliation
In full reconciliation, all records are fetched from the target system to Oracle Identity Manager. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.
You can switch from incremental to full reconciliation at any time after you deploy the connector.
See Full Reconciliation.
1.6.3 Batched Reconciliation
You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.
1.6.4 Limited (Filtered) Reconciliation
To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.
1.6.5 Enable and Disable User Accounts and Tokens
Account Start and Account Expire are two user attributes on the target system. For a particular user on the target system, if the Account Expire date is earlier than the current date, then the account is in the Disabled state. Otherwise, the account is in the Enabled state. When the record of this user is reconciled into Oracle Identity Manager, the user's state (RSA resource) in Oracle Identity Manager matches the user's state on the target system. In addition, through a provisioning operation, you can set the value of the Account Expire date to the current date or a date in the past.
Alternatively, you can search for and open the Accounts page on Oracle Identity Manager. Click Enable/Disable to enable or disable user accounts or tokens.
Note:
The Enabled or Disabled state of a user account or a token is not related to the Locked or Unlocked state of the account.
1.6.6 Reconciliation of Deleted User Accounts and Unassigned Tokens
You can configure the connector for reconciliation of deleted user accounts and unassigned tokens. In target resource mode, if a user record is deleted or a token is unassigned on the target system, then the corresponding RSA resource is revoked from the OIM User.
See Scheduled Jobs for Reconciliation of Deleted Token and User Records.
1.6.7 EJB-Based Communication with the Target System
The connector supports EJB-based communication between Oracle Identity Manager and the target system. This is a secure connection. By using the connectionType parameter of the IT Resource, you can specify the type of communication (EJB) to be established with the target system.
1.6.8 Standard and Custom Attribute Mapping for Reconciliation and Provisioning
You can create mappings for attributes that are not included in the list of default attribute mappings. These attributes can be custom attributes that you add on the target system.
See Extending the Functionality of the RSA Authentication Manager Connector.
1.6.9 Transformation and Validation of Account Data
You can configure validation of account data that is brought into or sent from Oracle Identity Manager during reconciliation and provisioning. In addition, you can configure transformation of account data that is brought into Oracle Identity Manager during reconciliation.
The following sections provide more information:
1.6.10 Support for Setting a PIN and the Token Lost Attribute
You can use the connector to set the following:
- A PIN for the token that is assigned to a user.
  Note:
  You must assign a value for the PIN attribute of each token to ensure that provisioning takes place as expected.
- The Token Lost attribute when the token device is lost.
1.6.11 Connection Pooling
A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can be requested again and reused by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overhead such as network latency, memory allocation, and authentication.
One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools will be created, one for each target system installation.
See Setting up the Lookup Definition for Connection Pooling.