3 Using the Connector

You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

This chapter is divided into the following sections:

3.1 Performing First-Time Reconciliation

After deploying the connector, you must then reconcile all existing target system user records into Oracle Identity Manager.

If you are using the target system as a trusted source, then you must configure and run the Domino Connector Trusted User Reconciliation scheduled job to reconcile user records from the target system.

Note:

Reconciled user records are converted into OIM Users.

3.2 Scheduled Job for Lookup Field Synchronization

The Domino Connector Lookup Reconciliation scheduled job is used for lookup field synchronization.

Table 3-1 describes the attributes of this scheduled job. The procedure to configure scheduled jobs is described later in the guide.

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

Table 3-1 Attributes of the Domino Connector Lookup Reconciliation Scheduled Job

Attribute Description

IT Resource Name

Enter the name of the IT resource instance that the connector must use to reconcile data.

Default value: None

Object Type

Enter the Object Type you want to reconcile.

Default value: Group

Lookup Name

Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system.

Default value: Lookup.Domino.Group

Code Key Attribute

Enter the name of the attribute to be saved into the Code Key lookup value.

Default value: ListName

Decode Attribute

Enter the name of the attribute to be saved into the Decode lookup value.

Default value: DisplayName

Filter

Enter a filter to filter out the records to be stored in the lookup.

For more information and proper syntax, see "Performing Limited Reconciliation".

3.3 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.3.1 Performing Full Reconciliation and Incremental Reconciliation

When you run the Domino Connector User Reconciliation scheduled job, only target system records that are added or modified after the last time the scheduled job was run are fetched into Oracle Identity Manager. This is incremental reconciliation.

You can perform a full reconciliation run to fetch all existing target system records into Oracle Identity Manager. To perform a full reconciliation run:

  1. Ensure the Latest Token parameter is not set. You must leave this parameter empty.
  2. Run the Domino Connector User Reconciliation job.

After a full reconciliation run, the time stamp at which the reconciliation run ends is stored in the time stamp parameter of the IT resource. From the next reconciliation run onward, only target system records added or modified after the last reconciliation run are fetched to Oracle Identity Manager. In other words, incremental reconciliation is automatically activated from the next run onward.

3.3.2 Performing Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

The connector provides a Filter parameter that allows you to use any of the Domino resource attributes to filter the target system records. (The filter is no longer restricted to four attributes, as it was in earlier releases.)

You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the Lotus Notes resource attributes to filter the target system records.

For detailed information about ICF Filters, see ICF Filter Syntax of Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

While deploying the connector, follow the instructions in Configuring Scheduled Jobs to specify attribute values.

3.3.3 Reconciliation Scheduled Jobs

When you run the Connector Installer, reconciliation scheduled tasks are automatically created in Oracle Identity Manager.

You must specify values for the attributes of the following scheduled jobs:

Note:

See Configuring Scheduled Jobs for the procedure.

3.3.3.1 Scheduled Jobs for Reconciliation of User Records

Depending on whether you want to implement trusted source or target resource reconciliation, you must specify values for the attributes of one of the following user reconciliation scheduled jobs:

  • Domino Connector User Reconciliation (scheduled job for target resource reconciliation)

  • Domino Connector Trusted User Reconciliation (scheduled job for trusted source reconciliation)

Table 3-2 describes the attributes of both scheduled jobs.

Table 3-2 Attributes of the Scheduled Jobs for Reconciliation of User Records

Attribute Description

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile data.

Default is: None

Resource Object Name

Name of the resource object.

Default is: Lotus User for target resource reconciliation or Lotus Trusted User for trusted source reconciliation.

Object Type

Object Type to be reconciled.

Default is: User

Filter

Expression for filtering records. Use the following syntax:

syntax = expression ( operator expression )* 
operator = 'and' | 'or' 
expression = ( 'not' )? filter 
filter = ('equalTo' | 'contains' | 'containsAllValues' 
| 'startsWith' | 'endsWith'  | 'greaterThan' | 'greaterThanOrEqualTo'
| 'lessThan' | 'lessThanOrEqualTo' )  '(' 'attributeName' ',' attributeValue ')' 
attributeValue = singleValue  |  multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'

Default is: None

Latest Token

Latest Date the reconciliation was run.

Default is: None

Incremental Recon Date Attribute

Domino Attribute used to get the object's modification date.

Default is: LastModified
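
A Filter value can be checked against the syntax shown above before it is entered in a scheduled job. The following Python validator is an added example, not part of the connector or of the original guide; it assumes that attribute names and values are single-quoted with no escape sequences and that keywords are case-sensitive, and its sample filters are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Union

# Filter names and operators exactly as listed in the grammar on this page.
FILTER_NAMES = {
    "equalTo", "contains", "containsAllValues", "startsWith", "endsWith",
    "greaterThan", "greaterThanOrEqualTo", "lessThan", "lessThanOrEqualTo",
}
OPERATORS = {"and", "or"}

# Assumption: names and values are single-quoted and cannot contain a quote,
# because the grammar defines no escape sequence.
_TOKEN = re.compile(r"'([^']*)'|([A-Za-z]+)|([(),\[\]])")


class FilterSyntaxError(ValueError):
    """Raised when a Filter string does not match the grammar."""


@dataclass
class Clause:
    negated: bool
    name: str
    attribute: str
    value: Union[str, List[str]]


def tokenize(text: str):
    """Split the filter into (kind, text) tokens; reject stray characters."""
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(text, pos)
        if not m:
            raise FilterSyntaxError(f"unexpected {text[pos]!r} at offset {pos}")
        kind = ("str", "word", "punct")[m.lastindex - 1]
        tokens.append((kind, m.group(m.lastindex)))
        pos = m.end()
    return tokens


class _Parser:
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else ("end", "")

    def take(self, kind, value=None):
        tok = self.peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise FilterSyntaxError(
                f"expected {value or kind!r} at token {self.i}, got {tok[1]!r}")
        self.i += 1
        return tok[1]

    def expression(self):
        # expression = ( 'not' )? filter
        negated = self.peek() == ("word", "not")
        if negated:
            self.i += 1
        name = self.take("word")
        if name not in FILTER_NAMES:
            raise FilterSyntaxError(f"unknown filter {name!r}")
        self.take("punct", "(")
        attribute = self.take("str")
        if not attribute:
            raise FilterSyntaxError("attribute name must not be empty")
        self.take("punct", ",")
        value = self.value()
        self.take("punct", ")")
        return Clause(negated, name, attribute, value)

    def value(self):
        # attributeValue = singleValue | multipleValues
        if self.peek() == ("punct", "["):
            self.i += 1
            values = [self.take("str")]
            while self.peek() == ("punct", ","):
                self.i += 1
                values.append(self.take("str"))
            self.take("punct", "]")
            return values
        return self.take("str")


def parse_filter(text: str):
    """Return [Clause, operator, Clause, ...] or raise FilterSyntaxError."""
    parser = _Parser(tokenize(text))
    result = [parser.expression()]
    while parser.peek()[0] != "end":
        operator = parser.take("word")
        if operator not in OPERATORS:
            raise FilterSyntaxError(f"expected 'and' or 'or', got {operator!r}")
        result += [operator, parser.expression()]
    return result


if __name__ == "__main__":
    # Constructed sample filters; attribute names are taken from this page.
    for candidate in ("startsWith('LastName','ot') and not equalTo('Location','Lab')",
                      "equalTo(LastName,'x')"):
        try:
            print("OK ", parse_filter(candidate))
        except FilterSyntaxError as err:
            print("BAD", candidate, "->", err)
```

The grammar defines no grouping or precedence, so the parser returns the clauses and operators as a flat sequence and does not evaluate them.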

3.3.3.2 Scheduled Jobs for Reconciliation of Deleted Users

Table 3-3 describes the attributes of the Domino Connector Delete Reconciliation scheduled job for reconciliation of deleted users.

Table 3-3 Attributes of the Domino Connector Delete Reconciliation Scheduled Job

Attribute Description

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile data.

Default is: None

Resource Object Name

Name of the resource object.

Default is: Lotus User

Object Type

Object Type to be reconciled.

Default is: User

Filter

Expression for filtering records. Use the following syntax:

syntax = expression ( operator expression )* 
operator = 'and' | 'or' 
expression = ( 'not' )? filter 
filter = ('equalTo' | 'contains' | 'containsAllValues'
| 'startsWith' | 'endsWith'  | 'greaterThan' | 'greaterThanOrEqualTo'
| 'lessThan' | 'lessThanOrEqualTo' )  '(' 'attributeName' ',' attributeValue ')' 
attributeValue = singleValue  |  multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'

Default is: None

Table 3-4 describes the attributes of the Domino Connector Trusted Delete Reconciliation scheduled job for the trusted reconciliation of deleted users.

Table 3-4 Attributes of the Domino Connector Trusted Delete Reconciliation Scheduled Job

Attribute Description

Trusted IT Resource Name

Name of the trusted IT resource instance that the connector must use to reconcile data.

Default is: None

Resource Object Name

Name of the resource object.

Default is: Lotus Trusted User

Object Type

Object Type to be reconciled.

Default is: User

Filter

Expression for filtering records. Use the following syntax:

syntax = expression ( operator expression )* 
operator = 'and' | 'or' 
expression = ( 'not' )? filter 
filter = ('equalTo' | 'contains' | 'containsAllValues'
| 'startsWith' | 'endsWith'  | 'greaterThan'
| 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' )
'(' 'attributeName' ',' attributeValue ')' 
attributeValue = singleValue  |  multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'

Default is: None

3.4 Scheduled Jobs for Lookup Field Synchronization and Reconciliation

Table 3-5 lists the scheduled jobs shipped as part of the connector.

Table 3-5 Scheduled Jobs for Lookup Field Synchronization and Reconciliation

Scheduled Job Description

Domino Connector Lookup Reconciliation

This scheduled job is used for lookup field synchronization.

Domino Connector User Reconciliation

This scheduled job is used for user reconciliation in target resource mode.

Domino Connector Trusted User Reconciliation

This scheduled job is used for user reconciliation in trusted source mode.

Domino Connector Delete Reconciliation

This scheduled job is used for reconciliation of deleted user records.

Domino Connector Trusted Delete Reconciliation

This scheduled job is used for reconciliation of deleted user records in trusted source mode.

3.5 Configuring Scheduled Jobs

This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.

To configure a scheduled job:

  1. If you are using Oracle Identity Manager release 11.1.1:

    1. Log in to the Administrative and User Console.

    2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

  2. If you are using Oracle Identity Manager release 11.1.2.x:

    1. Log in to Oracle Identity System Administration.

    2. In the left pane, under System Management, click Scheduler.

  3. Search for and open the scheduled job as follows:

    1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    3. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. On the Job Details tab, you can modify the following parameters:

    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  5. Specify values for the attributes of the scheduled job. To do so:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) can be left empty.

    • Attributes of the scheduled job are discussed in Reconciliation Scheduled Jobs.

    On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled job.

  6. After specifying the attributes, click Apply to save the changes.

    Note:

    The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

3.6 Action Scripts

Note:

Action Scripts on 11gR2 work only on OIM version 11.1.1.5.8 or later.

Actions are scripts that you can configure to run before or after create, update, and delete provisioning operations. For example, you could configure a script to run before every user creation.

The following sections provide information related to action scripts:

Note:

  • Script on connector is supported on Windows machines only.

  • To configure a before or after action, your connector must support running scripts. An exception is Groovy (with target set to Connector), which the Identity Connector Framework (ICF) supports by default for all converged connectors.

3.6.1 Understanding Action Scripts

The IBM Lotus Notes and Domino connector supports the following script languages:

  • CMD: Windows batch script, with target Connector

  • lotusscript: LotusScript, with target Resource

The target specifies where the script is executed.

  • If the target is Connector, then the script is executed on the same computer where the connector is deployed. For example, if you deploy the connector on the connector server, the script will be executed on that computer.

  • If the target is Resource, then the script is executed on the computer where the target resource is running (on Lotus Domino Server in this case).

When executed, both script types have access to form fields through variables: CMD scripts read environment variables, and LOTUSSCRIPT scripts use DocumentContext to get the variable value. Every variable that is provided as part of the script execution has the WSUSER_ prefix.

In addition, Oracle Identity Manager can be configured to provide script options. Script options can be configured in two ways: Operation Options Mapping, which is a form field mapping common to all scripts per object type, and Action Options, which are static string settings per action. These script options are available to scripts in the same way as the form fields (through variables).

Note:

To execute lotusscript with Domino Connector, the following two options must be provided as part of either Operation Options Mapping or Action Mappings (recommended way):

  • agentName – this value specifies the name of the agent created on Domino Server, for example, oim-script.

  • agentCreate – this value specifies whether an agent should be created on Domino Server if it does not exist. The recommended value is "true".

The actions (script execution) can be configured in Oracle Identity Manager before or after the following provisioning events:

  • create

  • update

  • delete

Table 3-6 shows what ICF-INTG provides to the connector when executing an action:

Table 3-6 Output by ICF-INTG

| Operation | Form fields | Operation Options Mapping | Action Options |
|---|---|---|---|
| Create | All form fields provided to create operation | All mapped fields configured | All action options configured |
| Update | Form fields which were updated (Note: no uid) | All mapped fields configured | All action options configured |
| Delete | Uid only | All mapped fields configured | All action options configured |

3.6.2 Configuration Examples

This section provides example configurations for configuring action scripts.

Example 1 of Configuration

In this example, Oracle Identity Manager is configured to run script.bat for every (create/update/delete) Domino provisioning operation, as shown in Figure 3-1:

Figure 3-1 Lookup Domino Configuration


Script.bat file:

set >c:\script.out

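When a provisioning operation is performed, the action is executed and script.out has the following content. In this output, the __PASSWORD__ value appears as a GuardedString object reference, not as the clear-text password.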

Create Operation:

WSUSER_accountId=test  otest03191
WSUSER_Comment="some comment"
WSUSER_EndDate=0
WSUSER_FirstName=test
WSUSER_idFile=f:\otest03191.id
WSUSER_LastName=otest03191
WSUSER_MailFile=mail/otest03191.nsf
WSUSER_MoveCertifier=false
WSUSER_NorthAmerican=false
WSUSER_Recertify=false
WSUSER_ShortName=otest03191
WSUSER___PASSWORD__=org.identityconnectors.common.security.GuardedString@e3259c99

Update Operation (update of one field):

WSUSER_Comment="some comment updated"

Update Operation (update of multiple fields):

WSUSER_Comment="comment updated"
WSUSER_Location="location updated"
WSUSER___CURRENT_ATTRIBUTES__="{Attributes=[Attribute: {Name=Recertify, Value=[false]}, Attribute: {Name=idFile, Value=[f:\otest03191.id]}, Attribute: {Name=NorthAmerican, Value=[false]}, Attribute: {Name=MailFile, Value=[mail/otest03191.nsf]}, Attribute: {Name=FirstName, Value=[test]}, Attribute: {Name=MoveCertifier, Value=[false]}, Attribute: {Name=Comment, Value=[some comment updated]}, Attribute: {Name=__NAME__, Value=[test  otest03191]}, Attribute: {Name=ShortName, Value=[otest03191]}, Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@e3259c99]}, Attribute: {Name=LastName, Value=[otest03191]}, Attribute: {Name=EndDate, Value=[0]}], ObjectClass=ObjectClass: __ACCOUNT__}"

Delete Operation:

WSUSER_UNID=A3F0AE57AD341B0D80257B3300766FCF

Example 2 of Configuration:

You can configure the operations options mapping to provide, for example, First Name, Last Name, and Universal Id by the following steps:

  1. Create a lookup with value as shown in Figure 3-2:

  2. Link this lookup to the original object type configuration as shown in Figure 3-3:

  3. Leave script.bat unchanged.

  4. When a provisioning operation is performed, the action is executed and script.out has the following content:

Create Operation:

WSUSER_accountId=test  otest03192
WSUSER_Comment="some comment"
WSUSER_EndDate=0
WSUSER_FirstName=test
WSUSER_idFile=f:/otest03192.id
WSUSER_LastName=otest03192
WSUSER_MailFile=mail/otest03192.nsf
WSUSER_MoveCertifier=false
WSUSER_NorthAmerican=false
WSUSER_Recertify=false
WSUSER_ShortName=otest03192
WSUSER___PASSWORD__=org.identityconnectors.common.security.GuardedString@e3259c99

Update Operation (update of one field):

WSUSER_Comment="some comment updated"
WSUSER_FirstName=test
WSUSER_LastName=otest03192
WSUSER_UNID=3B97A9C002AF3B2580257B330079E757

Update Operation (update of multiple fields):

WSUSER_Comment="comment updated"
WSUSER_FirstName=test
WSUSER_LastName=otest03192
WSUSER_Location="location updated"
WSUSER_UNID=3B97A9C002AF3B2580257B330079E757
WSUSER___CURRENT_ATTRIBUTES__="{Attributes=[Attribute: {Name=Recertify, Value=[false]}, Attribute: {Name=idFile, Value=[f:/otest03192.id]}, Attribute: {Name=NorthAmerican, Value=[false]}, Attribute: {Name=MailFile, Value=[mail/otest03192.nsf]}, Attribute: {Name=FirstName, Value=[test]}, Attribute: {Name=MoveCertifier, Value=[false]}, Attribute: {Name=Comment, Value=[some comment updated]}, Attribute: {Name=__NAME__, Value=[test  otest03192]}, Attribute: {Name=ShortName, Value=[otest03192]}, Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@e3259c99]}, Attribute: {Name=LastName, Value=[otest03192]}, Attribute: {Name=EndDate, Value=[0]}], ObjectClass=ObjectClass: __ACCOUNT__}"

Delete Operation:

WSUSER_FirstName=test
WSUSER_LastName=otest03192
WSUSER_UNID=3B97A9C002AF3B2580257B330079E757

Example 3 of Configuration:

Keep the existing configuration from Example 2 and add Action Options for each action (create/update/delete). You can configure the same Action options for all of them, but each action can have different options.

Figure 3-4 and Figure 3-5 show one action option configured:

When a provisioning operation is performed, the action is executed and script.out has the following content:

Create Operation:

WSUSER_accountId=test  otest03193
WSUSER_Comment="some comment"
WSUSER_CustomActionOption=CustomActionOptionValue
WSUSER_EndDate=0
WSUSER_FirstName=test
WSUSER_idFile=f:\otest03193.id
WSUSER_LastName=otest03193
WSUSER_MailFile=mail/otest03193.nsf
WSUSER_MoveCertifier=false
WSUSER_NorthAmerican=false
WSUSER_Recertify=false
WSUSER_ShortName=otest03193
WSUSER___PASSWORD__=org.identityconnectors.common.security.GuardedString@e3259c99

Update Operation (update of one field):

WSUSER_Comment="some comment updated"
WSUSER_CustomActionOption=CustomActionOptionValue
WSUSER_FirstName=test
WSUSER_LastName=otest03193
WSUSER_UNID=885A2EBA9F6C4F9680257B33007BF3A6

Update Operation (update of multiple fields):

WSUSER_Comment="comment updated"
WSUSER_CustomActionOption=CustomActionOptionValue
WSUSER_FirstName=test
WSUSER_LastName=otest03193
WSUSER_Location="location updated"
WSUSER_UNID=885A2EBA9F6C4F9680257B33007BF3A6
WSUSER___CURRENT_ATTRIBUTES__="{Attributes=[Attribute: {Name=Recertify, Value=[false]}, Attribute: {Name=idFile, Value=[f:\otest03193.id]}, Attribute: {Name=NorthAmerican, Value=[false]}, Attribute: {Name=MailFile, Value=[mail/otest03193.nsf]}, Attribute: {Name=FirstName, Value=[test]}, Attribute: {Name=MoveCertifier, Value=[false]}, Attribute: {Name=Comment, Value=[some comment updated]}, Attribute: {Name=__NAME__, Value=[test  otest03193]}, Attribute: {Name=ShortName, Value=[otest03193]}, Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@e3259c99]}, Attribute: {Name=LastName, Value=[otest03193]}, Attribute: {Name=EndDate, Value=[0]}], ObjectClass=ObjectClass: __ACCOUNT__}"

Delete Operation:

WSUSER_CustomActionOption=CustomActionOptionValue
WSUSER_FirstName=test
WSUSER_LastName=otest03192
WSUSER_UNID=3B97A9C002AF3B2580257B330079E757

3.6.3 Accessing Variables from Script

CMD:

Environment variables are used; they can be accessed with %VARIABLE%.
Example:
echo "%WSUSER_UNID%"

LOTUSSCRIPT:

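Domino example, reading the variable from DocumentContext:

Sub Initialize
      Main
End Sub

Sub Main
      ' The agent's DocumentContext carries the WSUSER_ variables as items.
      Dim session As New NotesSession
      Dim doc As NotesDocument
      Set doc = session.DocumentContext
      ' GetItemValue returns an array of values for the named item.
      Dim unid As Variant
      unid = doc.GetItemValue("WSUSER_UNID")
End Sub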

3.6.4 Configuring Action Scripts

To configure the action:

  1. Log in to the Design Console.
  2. Search for and open Lookup.Domino.UM.Configuration.
  3. Add the following new values:
    • Code Key: Before Create Action Language

    • Decode: Enter the scripting language of the script you want to execute

    • Example: cmd

  4. Add these new values:
    • Code Key: Before Create Action File

    • Decode: Enter the full path to the file containing the script to be executed (OIM must be able to access this file.)

    • Example: /home/scripts/testscript.bat

  5. Add these new values:
    • Code Key: Before Create Action Target

    • Decode: Allowed values are Connector and Resource, depending on what the connector supports.

      As previously stated, the IBM Lotus Notes and Domino connector supports the CMD script for a Connector target.

    • Example: Connector

  6. Save the lookup.

Now, this action will be executed every time you create a user. You must configure these three values for each action you want to execute.

3.7 Configuring Provisioning in Oracle Identity Manager Release 11.1.2.x

To configure provisioning operations in Oracle Identity Manager release 11.1.2.x:

Note:

The first provisioning operation that you perform by using this connector takes longer than usual to complete.

  1. Log in to Oracle Identity System Administration.

  2. Create a user. See Managing Users in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance, and then click Checkout.

  5. Specify values for the fields in the application form and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision entitlements, then perform these steps:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.

3.8 Guidelines for Performing Provisioning

Apply the following guidelines while performing provisioning.

  • You must enter values for the following mandatory attributes during provisioning operations:

    Last Name

    Server Name

    Password

  • The IDFile Name and Mail File Name attributes are unique for each user. The Mail File Already Exists error message is displayed if you enter a file name that already exists on the target system.

  • If you specify True as the value of the createMailDBInBackground attribute, then the connector does not check whether mail files are successfully created during Create User provisioning operations.

  • Password update will not work if ID File Name is not provided for that user while provisioning.

3.9 Performing Provisioning Operations on Oracle Identity Manager Release 11.1.1.x

Provisioning a resource for an OIM User involves using Oracle Identity Manager to create a target system account for the user.

When you install the connector on Oracle Identity Manager release 11.1.1, the direct provisioning feature, including the process form, is automatically enabled.

If you configured the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning. If you want to revert to direct provisioning, then perform the steps described in Switching Between Request-Based Provisioning and Direct Provisioning.

The following are the types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning

    Note:

    This does not apply if you are using OIM 11.1.2.x or later.

Note:

Oracle Identity Manager does not indicate the status of provisioning operations. After a provisioning operation, if the connector status is:

  • Provisioned, the operation was successful.

  • Provisioning, the operation failed.

    To determine whether the problem occurred during an update or create operation, click Resource History for details.

See Also:

Managing Provisioning Tasks in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about the types of provisioning

This section discusses the following topics:

3.9.1 Direct Provisioning

To provision a resource by using the direct provisioning approach:

  1. Log in to the Administrative and User Console.

  2. If you want to first create an OIM User and then provision a target system account, then:

    1. On the Welcome to Identity Administration page, in the Users region, click Create User.

    2. On the Create User page, enter values for the OIM User fields, and then click Save.

  3. If you want to provision a target system account to an existing OIM User, then:

    1. On the Welcome to Identity Administration page, search for the OIM User by selecting Users from the list on the left pane.

    2. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane.

  4. On the user details page, click the Resources tab.

  5. From the Action menu, select Add Resource. Alternatively, you can click the add resource icon with the plus (+) sign. The Provision Resource to User page is displayed in a new window.

  6. On the Step 1: Select a Resource page, select Lotus Notes from the list and then click Continue.

  7. On the Step 2: Verify Resource Selection page, click Continue.

  8. On the Step 5: Provide Process Data for Lotus User page, enter the details of the account that you want to create on the target system and then click Continue.

  9. On the Step 5: Provide Process Data for Lotus User page, search for and select a group for the user on the target system and then click Continue.

  10. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

    The "Provisioning has been initiated" message is displayed.

  11. Close the window displaying the "Provisioning has been initiated" message.

  12. On the Resources tab, click Refresh to view the newly provisioned resource.

3.9.2 Request-Based Provisioning

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

3.9.2.1 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Advanced in the upper-right corner of the page.
  3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and click Next.
  6. On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.
  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.
  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
  10. From the Available Resources list, select Lotus User, move it to the Selected Resources list, and then click Next.
  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
  12. On the Justification page, you can specify values for the following fields, and then click Finish.
    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent successfully is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.
  14. To view details of the approval, on the Request Details page, click the Request History tab.

3.9.2.2 Approver's Role in Request-Based Provisioning

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to the Administrative and User Console.
  2. On the Welcome page, click Self-Service in the upper-right corner of the page.
  3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.
  4. On the Approvals tab, in the first section, you can specify a search criterion for the request task that is assigned to you.
  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task was approved is displayed.

3.10 Switching Between Request-Based Provisioning and Direct Provisioning

If you have configured the connector for request-based provisioning, you can always switch to direct provisioning. Similarly, you can switch back to request-based provisioning at any time. This section discusses the following topics:

3.10.1 Switching From Request-Based Provisioning to Direct Provisioning

If you want to switch from request-based provisioning to direct provisioning, then:

  1. Log in to the Design Console.

  2. Disable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the Lotus User process definition.

    3. Deselect the Auto Save Form check box.

    4. Click the Save icon.

  3. If the Self Request Allowed feature is enabled, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the Lotus User resource object.

    3. Deselect the Self Request Allowed check box.

    4. Click the Save icon.

3.10.2 Switching From Direct Provisioning to Request-Based Provisioning

If you want to switch from direct provisioning back to request-based provisioning, then:

  1. Log in to the Design Console.

  2. Enable the Auto Save Form feature as follows:

    1. Expand Process Management, and then double-click Process Definition.

    2. Search for and open the Lotus User process definition.

    3. Select the Auto Save Form check box.

    4. Click the Save icon.

  3. If you want to enable end users to raise requests for themselves, then:

    1. Expand Resource Management, and then double-click Resource Objects.

    2. Search for and open the Lotus User resource object.

    3. Select the Self Request Allowed check box.

    4. Click the Save icon.

3.11 Guidelines for Performing Reconciliation

Apply the following guidelines while performing reconciliation.

Oracle Identity Manager does not fetch values for the following fields from the target system during reconciliation:

  • Certifier ID File Path

  • Certifier Password

  • IDFile Name

  • Mail Replica Servers

  • Organization Unit

  • Recertify

  • MoveCertifier

When an account is created in Oracle Identity Manager through reconciliation of a new record from the target system, you must manually set values for these fields.

3.12 Uninstalling the Connector

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.