5 Using the IBM RACF Advanced Connector
You can use the IBM RACF Advanced connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
The procedure to use the IBM RACF Advanced connector can be divided into the following topics:
5.1 Guidelines on Using the IBM RACF Advanced Connector
Apply the following guidelines while using the connector:
- The LDAP Gateway does not send the full attribute value when provisioning attribute values that contain one or more space characters. If this problem occurs, surround the attribute value in single quotation marks when populating the form field.
- The RACF connector LDAP Gateway encrypts ASCII data and transmits the encrypted message to the mainframe. The mainframe decrypts the message and, because the inbound message is in ASCII format, translates it to EBCDIC for mainframe processing. As a result, any task that requires non-ASCII data transfer fails. In addition, there is no provision in the connector to indicate that the task has failed or that an error has occurred on the mainframe. To avoid errors of this type, you must exercise caution when providing inputs to the connector for the target system, especially when using a regional language interface.
- Passwords used on the mainframe must conform to stringent rules related to passwords on mainframes. These passwords are also subject to restrictions imposed by corporate policies and rules about mainframe passwords. Keep in mind these requirements when you create or modify target system accounts through provisioning operations on Oracle Identity Manager.
- The subpool must be started before starting the Reconciliation Agent. If the agent is started before the subpool, then an error message stating "NO TOKEN FOUND" is printed. Additionally, if the LDAP Gateway is not available when the Reconciliation Agent is started, then an error message stating "NO LDAP FOUND" is printed.
- When you update the TSO_SIZE and TSO_MAXSIZE attributes during a provisioning operation, you must not include leading zeros in the value that you specify. For example, if you want to change the value of the SIZE attribute from 000001 to 000002, then enter 2 in the SIZE field on the Identity Self Service.
5.2 Scheduled Tasks for Lookup Field Synchronization
The scheduled tasks for lookup field synchronization populate lookup tables with facility, dataset, group, or profiles IDs that can be assigned during the user provisioning process.
The following are the scheduled tasks for lookup field synchronization:
- RACF Find All Resources
- RACF Find All Datasets
- RACF Find All Groups
These scheduled tasks populate lookup fields in Oracle Identity Manager with resource profiles, datasets, or group IDs. Values from these lookup fields can be assigned during user provisioning operations and reconciliation runs. When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all resource, dataset, or group IDs on the target system for reconciliation.
Table 5-1 describes the attributes of the 3 scheduled tasks.
Table 5-1 Attributes of the Find All Resources, Find All Datasets, and Find All Groups Scheduled Tasks
Attribute | Description |
---|---|
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: |
Resource Object | Enter the name of the resource object against which provisioning runs must be performed. Sample value: |
Lookup Code Name | Enter the name of the lookup code where OIM will store the results of the scheduled task. Sample value 1: Sample value 2: |
Recon Type | This attribute determines how resources, datasets, or group memberships from the target system are populated in Oracle Identity Manager lookup definitions. You can use one of the following options: Default value: |
Resource Class Type (Note: This attribute is available only in the RACF Find All Resources scheduled task.) | Enter the name of the type of resource class you are reconciling. You can enter multiple resource class types as a comma-separated list. Sample value: Note: Ensure that the resources list that you specify here matches the list that you have specified for the |
5.2.1 RACF Reconcile Groups To Internal LDAP
The RACF Reconcile Groups to Internal LDAP scheduled task is used to process the Group file extract from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of groups on the target system. Each of these groups is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.
Table 5-2 describes the attributes of the scheduled task.
Table 5-2 Attributes of the RACF Reconcile Groups To Internal LDAP Task
Attribute | Description |
---|---|
Domain OU | Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: |
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: |
5.2.2 RACF Find All LDAP Groups
This scheduled task populates lookup fields in Oracle Identity Manager with resource group IDs from internal LDAP. Values from these lookup fields can be assigned during user provisioning operations and reconciliation runs. When you configure this scheduled task, it runs at specified intervals and fetches a listing of all group IDs on the internal LDAP for reconciliation.
Table 5-3 describes the attributes of the scheduled task.
Table 5-3 Attributes of the RACF Find All LDAP Groups Task
Attribute | Description |
---|---|
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: Groups are reconciled from internal LDAP store using the IT Resource. |
Secondary IT Resource | Enter the name of the secondary IT resource that was configured for the target system. Sample value: Groups are stored in OIM in the following format: |
Filter | Filter to be specified in LDAP format. Sample value for Simple Filter: Sample value for Complex Filter: |
Resource Object | Enter the name of the resource object against which provisioning runs must be performed. Sample value: |
Lookup Code Name | Enter the name of the lookup code where OIM will store the results of the scheduled task. Sample value: |
Recon Type | This attribute determines how group memberships from the target system are populated in Oracle Identity Manager lookup definitions. You can use one of the following options: |
Domain OU | Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: |
AttrsToReturn | Enter a comma-separated list of object attributes that the connector must retrieve from internal LDAP. For example, enter a comma-separated list of group attributes that the connector must fetch from LDAP and load into Oracle Identity Manager. Sample value: Note: The cn and commandFlag attributes are mandatory. |
DescTemplate | By default, when lookup reconciliation is performed, the lookup description is the same as the lookup value in the lookup window. Therefore, if required, use the DescTemplate attribute to specify the attribute whose value must be used as the lookup description and displayed in the lookup window. |
SearchBaseDN | This should be kept blank. This is reserved for future use. |
5.3 Configuring the Security Attributes Lookup Field
The Lookup.RacfSecurityAttributeNames lookup definition is one of the lookup definitions that is created in Oracle Identity Manager when you deploy the connector. This lookup field is populated with standard RACF nonvalue security attributes such as ADSP, AUDIT, SPECIAL, and so on.
The IBM RACF Advanced connector includes a scheduled task to automatically populate the lookup field used for storing RACF security attributes.
This section contains the following topics:
5.3.1 Attributes of the Find All Security Attributes Scheduled Task
The IBM RACF Advanced connector includes a scheduled task to automatically populate the lookup field used for storing RACF security attributes.
Note:
The Find All Security Attributes scheduled task does not query the target system for data. Instead, the scheduled task automatically populates the lookup field with "itResourceKey~sourceName" pairs based on the IT Resource and Find All Security Attributes scheduled task property values.
Table 5-4 describes the properties of the Find All Security Attributes scheduled task.
Table 5-4 Attributes of the Find All Security Attributes Scheduled Task
Attribute | Description |
---|---|
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: |
Security Attributes | Enter a comma-separated list of RACF non-value security attributes. Sample value: |
Lookup Code Name | Enter the name of the lookup code where Oracle Identity Manager will store the source entries. Sample value: |
Recon Type | This attribute determines how security attributes from the target system are populated in Oracle Identity Manager lookup definitions. You can use one of the following options: Default value: |
However, you can also manually add additional values. See Adding Additional Security Attributes for Provisioning and Reconciliation.
5.4 Configuring Reconciliation
The IBM RACF Advanced connector supports both incremental reconciliation (sometimes referred to as real-time reconciliation) and full reconciliation. This section discusses the following topics related to configuring reconciliation:
5.4.1 Configuring Incremental Reconciliation
The Voyager agent and the LDAP gateway perform incremental reconciliation using the RACF Reconcile All LDAP Users scheduled task. To configure incremental reconciliation:
5.4.2 Performing Full Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.
After you deploy the connector, you must first perform full reconciliation. After first-time reconciliation, the connector will automatically switch to performing incremental reconciliation based on the time stamp value present in the IT resource.
To perform full reconciliation in a setup that involves the LDAP gateway as an intermediary datastore between the RACF target system and Oracle Identity Manager, choose one of the following options:
- If you are performing reconciliation for the first time, then:
  - Generate an EXTRACT reconciliation file on the RACF target system. To do so:
    - For z/OS 2.3:
      On the mainframe, execute the RACFRCOU or RACFRCOG batch jobs for reconciling Users or Groups, respectively. These batch jobs populate user and group data in the &HLQ..PIONEER.IMPORTU.FILE dataset (referenced with DD name //FULLIMPU inside PIONEER STC Procedure) and &HLQ..PIONEER.IMPORTG.FILE dataset (referenced with DD name //FULLIMPG inside PIONEER STC Procedure), respectively.
      These batch jobs are members of the <hlq>.JCLLIB dataset that is available in the etc/Provisioning and Reconciliation Connector/RACF-AGENTS-201905311134-6.0.0.zip file of the connector installation media.
      When Pioneer receives a request for full reconciliation (user or group), it reads the corresponding dataset, sends the response back to the gateway, and clears the dataset. After each execution of full reconciliation, the corresponding file is cleared. Therefore, if required, you must regenerate the EXTRACT file for populating the internal LDAP for Oracle Identity Manager to reconcile the latest data.
      To reconcile all dataset profiles and general resource profiles from the RACF database, the connector uses a RACF database unload. The distribution ships sample JCL named RACFRC (<HLQ>.JCLLIB(RACFRC)). In this JCL, the first step is to take the RACF database unload using the IRRDBU00 utility. For details about this utility, see: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.icha700/usdbum.htm (z/OS V2.4)
      The subsequent steps in the job are sort steps that manipulate the RACF database unload data for dataset and general resource profile records and arrange them in sequence. The DD name IMPORTD maps to the final file containing all dataset profiles. This file name must match the file name in PIONEER STC DD name FULLIMPD. The DD name IMPORTR maps to the final file containing all general resource profiles. This file name must match the file name in PIONEER STC DD name FULLIMPR.
    - For z/OS 2.4:
      On the mainframe, execute the RACFRCOU or RACFRCOG batch jobs for reconciling Users or Groups, respectively. These batch jobs populate user and group data in the &HLQ..PIONEER.IMPORTU.FILE dataset (referenced with DD name //FULLIMPU inside PIONEER STC Procedure) and &HLQ..PIONEER.IMPORTG.FILE dataset (referenced with DD name //FULLIMPG inside PIONEER STC Procedure), respectively.
      These batch jobs are members of the <hlq>.JCLLIB dataset that is available in the etc/Provisioning and Reconciliation Connector/RACF-AGENTS-201905311134-6.0.0.zip file of the connector installation media.
      When Pioneer receives a request for full reconciliation (user or group), it reads the corresponding dataset, sends the response back to the gateway, and clears the dataset. After each execution of full reconciliation, the corresponding file is cleared. Therefore, if required, you must regenerate the EXTRACT file for populating the internal LDAP for Oracle Identity Manager to reconcile the latest data.
      To reconcile all dataset profiles and general resource profiles from the RACF database, the connector uses a RACF database unload. The distribution ships sample JCL named RACFRC (<HLQ>.JCLLIB(RACFRCOD) and <HLQ>.JCLLIB(RACFRCOR)). In this JCL, the first step is to take the RACF database unload using the IRRDBU00 utility. For details about this utility, see: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.icha700/usdbum.htm (z/OS V2.4)
      The subsequent steps in the job are sort steps that manipulate the RACF database unload data for dataset and general resource profile records and arrange them in sequence. The DD name IMPORTD maps to the final file containing all dataset profiles. This file name must match the file name in PIONEER STC DD name FULLIMPD. The DD name IMPORTR maps to the final file containing all general resource profiles. This file name must match the file name in PIONEER STC DD name FULLIMPR.
  - Set the value of the Last Modified Time Stamp parameter of the IT resource to 0.
  - Run the RACF Reconcile Users to Internal LDAP scheduled task.
  - Run the RACF Reconcile Groups To Internal LDAP scheduled task.
  - Run the RACF Reconcile Datasets To Internal LDAP scheduled task.
  - Run the RACF Reconcile Resources To Internal LDAP scheduled task.
  - Run the RACF Reconcile All LDAP Users scheduled task.
  Note:
  If you do not run the RACF Recon Users to Internal LDAP scheduled task with the EXTRACT recon file, then the RACF Reconcile LDAP Users scheduled task will always perform in incremental mode.
- If this is not the first time that you are performing full reconciliation, then:
  - Set the value of the Last Modified Time Stamp parameter of the IT resource to 0.
  - Run the RACF Reconcile All LDAP Users scheduled task.
Note:
If updates for a user are complete and the user is reconciled, then to see the datasets/resources again you need to run the following jobs again:
- RACF Reconcile Datasets To Internal LDAP
- RACF Reconcile Resources To Internal LDAP
- RACF Reconcile All LDAP Users
This completes full reconciliation and from the next reconciliation run onward, the connector will automatically switch to incremental reconciliation by using the value in the Last Modified Time Stamp parameter of the IT resource.
To perform full reconciliation in a setup that does not involve the LDAP gateway, run the RACF Reconcile All Users scheduled task. The scheduled job will always run in full reconciliation mode.
5.4.3 Reconciliation Scheduled Tasks
When you run the Connector Installer, these reconciliation scheduled tasks are automatically created in Oracle Identity Manager.
5.4.3.1 RACF Reconcile All Users
The RACF Reconcile All Users scheduled task is used to reconcile user data in the target resource (account management) mode of the connector. This scheduled task runs at specified intervals and fetches create or modify events on the target system for reconciliation.
Table 5-5 describes the attributes of the scheduled task.
Table 5-5 Attributes of the RACF Reconcile All Users Scheduled Task
Attribute | Description |
---|---|
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: |
Resource Object | Enter the name of the resource object against which reconciliation runs must be performed. Sample value: |
MultiValuedAttributes | Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma. Sample value: |
SingleValueAttributes | Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field. Sample value: Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database. |
UID Case | Enter either "upper" or "lower" for the case for the UID attribute value. Sample value: |
UsersList | Enter a comma-separated list of UIDs that you want to reconcile from the target system. If this property is left blank, all users on the target system will be reconciled. Sample value: |
Filter | Enter a filter criterion to search for and retrieve user records that match it. You can use any target system attribute to create the filter criterion. The filter criterion that you enter must be a valid filter according to RFC2254. The filter can be either simple or complex. A simple filter uses only a (uid=<userid>) condition whereas a complex filter is a combination of one or more attributes. Sample value for a simple filter: Sample value for a complex filter: This complex filter searches for and retrieves all user records whose commandflag attribute value is UPDATE and revoke is n. Note: If you specify a complex filter, then ensure that you have enabled the caching layer of the LDAP Gateway as described in Understanding the Caching Layer. If the caching layer is disabled, then the connector considers only the simple filter (uid=<userid>). |
5.4.3.2 RACF Deleted User Reconciliation Using OIM
The RACF Reconcile Deleted Users to OIM scheduled task is used to reconcile data about deleted users in the target resource (account management) mode of the connector.
When you configure this scheduled task, it runs at specified intervals and fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager.
Table 5-6 describes the attributes of the scheduled task.
Table 5-6 Attributes of the RACF Reconcile Deleted Users to Oracle Identity Manager Scheduled Task
Attribute | Description |
---|---|
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: |
Resource Object | Enter the name of the resource object against which the delete reconciliation runs must be performed. Sample value: |
Recon Matching Rule Attributes | Enter a comma-separated list of attributes used in the matching rule. If the IT resource is used, enter Sample value: |
5.4.3.3 RACF Reconcile Users to Internal LDAP
The RACF Reconcile Users to Internal LDAP scheduled task is used to process the CFILE extract from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of users and their profiles on the target system. Each of these users is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.
Table 5-7 describes the attributes of the scheduled task.
Table 5-7 Attributes of the RACF Reconcile Users to Internal LDAP Scheduled Task
Attribute | Description |
---|---|
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: |
Domain OU | Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: |
5.4.3.4 RACF Reconcile All LDAP Users
The RACF Reconcile All LDAP Users scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager.
Table 5-8 describes the attributes of the scheduled task.
Table 5-8 Attributes of the RACF Reconcile All LDAP Users Scheduled Task
Attribute | Description |
---|---|
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: |
Secondary IT Resource | Enter the name of the secondary IT resource that was configured for the target system. Sample value: |
Resource Object | Enter the name of the resource object against which the delete reconciliation runs must be performed. Sample value: |
Domain OU | Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: |
MultiValuedAttributes | Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma. Sample value: |
SingleValueAttributes | Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field. Sample value: Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database. |
LDAP Time Zone | Enter the full OIM server timezone database name value. Do not use the abbreviated timezone value. To find out the timezone database name value, refer to List of tz database time zones. Sample value: |
UID Case | Enter whether the user ID should be displayed in uppercase or lowercase. Sample value: |
Filter | Enter a filter criterion to search for and retrieve user records that match it. You can use any target system attribute to create the filter criterion. The filter criterion that you enter must be a valid filter according to RFC2254. The filter can be either simple or complex. A simple filter uses only a (uid=<userid>) condition whereas a complex filter is a combination of one or more attributes. Sample value for a simple filter: Sample value for a complex filter: This complex filter searches for and retrieves all user records whose commandflag attribute value is UPDATE and revoke is n. |
5.4.3.5 RACF Reconcile Datasets To Internal LDAP
Note:
- For z/OS 2.3 the <HLQ>.JCLLIB(RACFRC) job needs to be executed on the mainframe prior to executing this task.
- For z/OS 2.4 the <HLQ>.JCLLIB(RACFRCOD) job needs to be executed on the mainframe prior to executing this task.
Table 5-9 describes the attributes of the scheduled task.
Table 5-9 Attributes of the RACF Reconcile Datasets To Internal LDAP Task
Attribute | Description |
---|---|
Domain OU | Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: |
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: |
5.4.3.6 RACF Reconcile Resources To Internal LDAP
Note:
- For z/OS 2.3 the <HLQ>.JCLLIB(RACFRC) job needs to be executed on the mainframe prior to executing this task.
- For z/OS 2.4 the <HLQ>.JCLLIB(RACFRCOR) job needs to be executed on the mainframe prior to executing this task.
Table 5-10 describes the attributes of the scheduled task.
Table 5-10 Attributes of the RACF Reconcile Resources To Internal LDAP Task
Attribute | Description |
---|---|
Domain OU | Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: |
IT Resource | Enter the name of the IT resource that was configured for the target system. Sample value: |
5.4.4 Guidelines for Configuring Filtered Reconciliation to Multiple Resource Objects
Some organizations use multiple resource objects to represent multiple user types in their system. The Resource Object property of the RACF Reconcile All Users scheduled task is used to specify the resource object used during reconciliation, and you can enter more than one resource object in the value of the Resource Object attribute. Further, you can include IBM RACF attribute-value pairs to filter records for each resource object.
See Also:
RACF Reconcile All Users for information about the RACF Reconcile All Users scheduled task
The following is a sample format of the value for the Resource Object attribute:
(ATTRIBUTE1:VALUE1)RESOURCE_OBJECT1,RESOURCE_OBJECT2
As shown by RESOURCE_OBJECT2 in the sample format, specifying a filter attribute is optional, but if more than one resource object is specified, you must specify a filter for each additional resource object. If you do not specify a filter attribute, then all records are reconciled to the first resource object in the list. Further, the filters are checked in order, so the resource object without a filter attribute should be included last in the list.
Filter attributes should be surrounded by parentheses.
Apply the following guidelines while specifying a value for the Resource Object attribute:
- The names of the resource objects must be the same as the names that you specified while creating the resource objects in the Oracle Identity Manager Design Console.
- The IBM RACF attribute names must be the same as the names used in the LDAP Gateway configuration files.
- The value must be a regular expression as defined in the java.util.regex Java package. Note that the find() API call of the regex matcher is used rather than the matches() API call. This means that the pattern can match a substring of the attribute value rather than having to match the entire string.
  Further, substring matching is case-sensitive. A "(tso)" filter will not match a user with the user ID "TSOUSER1".
- Multiple values can be matched. Use a vertical bar (|) as a separator, as shown in the following example:
  (ATTRIBUTE:VALUE1|VALUE2|VALUE3)RESOURCE_OBJECT
- Multiple filters can be applied to the attribute and to the same resource object. For example:
  (ATTRIBUTE1:VALUE1)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT
The following is a sample value for the Resource Object attribute:
(tsoProc:X)TSSR01,(instdata:value1|value2|value3)RacfResourceObject2,(tso)RacfResourceObject24000,Resource
In this sample value:
- (tsoProc:X)TSSRO1 represents a user with X as the attribute value for the TSO Proc segment. Records that meet this criterion are reconciled with the TSSRO1 resource object.
- (instdata:value1|value2|value3)RacfResourceObject2 represents a user with value1, value2, or value3 as their INSTDATA attribute value. Records that meet this criterion are reconciled with the RacfResourceObject2 resource object.
- (tso)RacfResourceObject24000 represents a user with TSO privileges. A TSO attribute value is not specified. Records that meet this criterion are reconciled with the RacfResourceObject24000 resource object.
- All other records are reconciled with the resource object.
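The ordering and matching rules in this section, as an added example (not Oracle's connector code): a Java 17 checker that parses a Resource Object value, routes constructed accounts with Matcher.find(), and reports entries that an earlier unfiltered entry makes unreachable. The class, its methods and the RO_* resource object names are hypothetical, and the bare "(tso)" form without a value is not modelled.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

class ResourceObjectRouting {

    /** One (ATTRIBUTE:REGEX) filter. */
    record Filter(String attribute, Pattern pattern) {}

    /** One comma-separated entry: zero or more filters joined by '&', then a resource object name. */
    record Entry(List<Filter> filters, String resourceObject) {}

    /** Splits on commas outside parentheses, so a regex such as A{1,3} inside a filter stays intact. */
    static List<String> splitTopLevel(String value) {
        List<String> parts = new ArrayList<>();
        int depth = 0, start = 0;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '(') depth++;
            else if (c == ')') depth--;
            else if (c == ',' && depth == 0) {
                parts.add(value.substring(start, i).trim());
                start = i + 1;
            }
        }
        parts.add(value.substring(start).trim());
        return parts;
    }

    /** Parses "(A1:R1)&(A2:R2)NAME" or a bare "NAME". Escaped parentheses in a regex are not handled. */
    static Entry parseEntry(String text) {
        List<Filter> filters = new ArrayList<>();
        int pos = 0;
        while (pos < text.length() && text.charAt(pos) == '(') {
            int depth = 0, end = pos;
            for (; end < text.length(); end++) {
                char c = text.charAt(end);
                if (c == '(') depth++;
                else if (c == ')' && --depth == 0) break;
            }
            if (end == text.length()) throw new IllegalArgumentException("Unbalanced filter: " + text);
            String body = text.substring(pos + 1, end);
            int colon = body.indexOf(':');
            if (colon < 1) throw new IllegalArgumentException("Expected (ATTRIBUTE:REGEX): " + body);
            filters.add(new Filter(body.substring(0, colon), Pattern.compile(body.substring(colon + 1))));
            pos = end + 1;
            if (pos < text.length() && text.charAt(pos) == '&') pos++;
        }
        return new Entry(filters, text.substring(pos).trim());
    }

    static List<Entry> parse(String value) {
        return splitTopLevel(value).stream().map(ResourceObjectRouting::parseEntry).toList();
    }

    /** Returns the first entry whose filters all match, using Matcher.find() as the page describes. */
    static String route(List<Entry> entries, Map<String, String> account) {
        for (Entry e : entries) {
            boolean allMatch = true;
            for (Filter f : e.filters()) {
                String v = account.get(f.attribute());
                if (v == null || !f.pattern().matcher(v).find()) { allMatch = false; break; }
            }
            if (allMatch) return e.resourceObject();
        }
        return null; // no entry matched and the value has no unfiltered entry
    }

    /** Entries listed after an unfiltered entry can never be selected; report their names. */
    static List<String> unreachable(List<Entry> entries) {
        List<String> shadowed = new ArrayList<>();
        boolean catchAllSeen = false;
        for (Entry e : entries) {
            if (catchAllSeen) shadowed.add(e.resourceObject());
            if (e.filters().isEmpty()) catchAllSeen = true;
        }
        return shadowed;
    }

    public static void main(String[] args) {
        // Constructed value in the page's format; the RO_* names are placeholders.
        List<Entry> entries = parse("(tsoProc:X)RO_TSO,(instdata:value1|value2)&(uid:^ADM)RO_ADMIN,RO_DEFAULT");

        // Constructed accounts: attribute name -> reconciled value.
        // find() is a substring search, so the unanchored pattern X also matches tsoProc=PROCX1.
        System.out.println(route(entries, Map.of("uid", "USR001", "tsoProc", "PROCX1")));
        // Both '&' filters must hold: value2 occurs inside instdata and uid starts with ADM.
        System.out.println(route(entries, Map.of("uid", "ADM001", "instdata", "dept value2")));
        // Matching is case-sensitive, so a lowercase uid is tested against ^ADM as written.
        System.out.println(route(entries, Map.of("uid", "adm001", "instdata", "value1")));
        // Anchoring the pattern with ^ and $ restricts it to the exact value.
        System.out.println(route(parse("(tsoProc:^X$)RO_TSO,RO_DEFAULT"), Map.of("tsoProc", "PROCX1")));
        // An unfiltered entry placed first shadows every entry after it.
        System.out.println(unreachable(parse("RO_DEFAULT,(tsoProc:X)RO_TSO")));
    }
}
```

Running a proposed value through a check like this before saving the scheduled task shows whether an unanchored pattern or a misplaced unfiltered entry would reconcile accounts to the wrong resource object.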
5.5 Configuring Account Status Reconciliation for IBM RACF Advanced Connector
Note:
This section describes an optional procedure. Perform this procedure only if you want reconciliation of user status changes on IBM RACF.
When a user is disabled or enabled on the target system, the status of the user can be reconciled into Oracle Identity Manager. To configure reconciliation of user status changes made on IBM RACF:
5.6 Scheduled Tasks for IBM RACF Advanced Connector
Table 5-11 lists the scheduled tasks that you must configure.
Table 5-11 Scheduled Tasks for Lookup Field Synchronization and Reconciliation for IBM RACF
Scheduled Task | Description |
---|---|
RACF Find All Resources | This scheduled task is used to synchronize the values of resource profile lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization. |
RACF Find All Datasets | This scheduled task is used to synchronize the values of dataset lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization. |
RACF Find All Groups | This scheduled task is used to synchronize the values of group lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization. |
RACF Find All Security Attributes | This scheduled task is used to automatically populate the security attributes lookup field with IT Resource Key~Security Attribute Name pairs. For information about this scheduled task and its attributes, see Configuring the Security Attributes Lookup Field. |
RACF Reconcile All Users | This scheduled task is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see RACF Reconcile All Users. |
RACF Reconcile Deleted Users to OIM | This scheduled task is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the RACF User resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see RACF Deleted User Reconciliation Using OIM. |
RACF Reconcile Users to Internal LDAP | This scheduled task is used to reconcile users from the target system to the internal LDAP store. For information about this scheduled task and its attributes, see RACF Reconcile Users to Internal LDAP. |
RACF Reconcile All LDAP Users | This scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. For information about this scheduled task and its attributes, see RACF Reconcile All LDAP Users. |
5.7 Configuring Reconciliation Jobs
Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
5.8 Performing Provisioning Operations
You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
- Log in to Identity Self Service.
- Create a user as follows:
  - In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
  - From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
  - Enter details of the user in the Create User page.
- On the Account tab, click Request Accounts.
- In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
- Specify values for the fields in the application form and then click Ready to Submit.
- Click Submit.
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page