21 Managing Application Onboarding

Use the application onboarding capability in Oracle Identity Self Service to create and manage applications, templates, instances of applications, and to clone applications.

This chapter contains the following sections:

Note:

The Design Console has been deprecated in this release. Use the new Applications page in Identity Self Service to do any of the following:

  • Use the application template-based install process for ICF-based connector install packages.

  • Install the template-based 12c connectors.

  • Manage IT resource instances for template-based applications.

21.1 About Application Onboarding

This section describes the following concepts:

21.1.1 What Is Application Onboarding?

Application onboarding is the process of registering or associating an application with Oracle Identity Manager so that Oracle Identity Manager can provision or reconcile user information in or from that application.

Oracle Identity Manager provides a quick and convenient way to onboard applications by using the Applications option on the Manage tab in Identity Self Service. You can perform all the necessary configurations to onboard an application from a single console.

This simplified solution has the following benefits:

  • You can configure new or existing applications by using a single user interface: Identity Self Service.

  • You can export configurations as application templates and configure applications by using these templates, instead of Oracle Identity Manager.

21.1.2 Application Onboarding Concepts

Some of the key concepts related to the Application onboarding are application authorization, types of application, application templates, disconnected connector applications, instance creation, cloning of applications, validation and transformation of provisioning and reconciliation attributes, and application template elements.

21.1.2.1 Application Authorization

Users can access the Application option in Identity Self Service if they have the following authorizations:

  • Any user with the Application Instance Administrator or System Administrator admin role can manage the application using the Application option.

  • Any user with the Application Instance Administrator admin role can manage the entire life cycle of the applications published within the user's home organization and in the organizations that are within the scope of control of the admin role.

21.1.2.2 Application Types

You can create two types of applications:

  • Target Application: A target application allows user requests for provisioning accounts through the access request catalog. The target application can be either connected or disconnected. Disconnected applications must be manually provisioned.

  • Authoritative Application: For an authoritative application, Oracle Identity Manager pulls account data from the application through reconciliation jobs and represents those accounts as users. An authoritative application cannot be requested through the access request catalog. The users that Oracle Identity Manager creates in this way are then granted access to target applications through requests or access policies. For example, HRMS applications are managed entirely by an HR department and involve user account creation. Oracle Identity Manager pulls data from the HRMS application and represents it as user accounts, and these user accounts are granted access to various target applications through request and approval.

The application onboarding capability in Identity Self Service allows you to create applications in two ways:

  • From a connector package: Oracle Identity Manager provides predefined connectors with default templates, which include all the target system-specific details, such as provisioning and reconciliation mappings, reconciliation actions, and reconciliation matching rules.

    Note:

    You can install the predefined connectors for which default templates are not available by using the Manage Connector option on the Provisioning Configuration tab in Identity System Administration interface.

  • Using application templates: If saved application templates are present in the system, then you can create a new application by using these templates.

21.1.2.3 Application Template

An application template is an XML representation of all the configurations that are relevant to an application instance. It contains all the information required for provisioning to a target system and reconciliation from a target system. In addition, it contains other details, such as publication information, connectivity details, and other advanced configurations that are specific to a target system. You can save an application configuration as a template and use it later to create an application. Application templates must be placed in a folder.

You can create templates in the following ways:

  • Create a template using the Save as Template option in Create Application page. See Creating Applications.

  • Run the Application Template Generation Job to generate the template. The folder where this template is to be saved is passed as a parameter to the job. (This may be useful for applications that are created by using Connector Installer before or after an upgrade. By default, templates are not generated for these applications.)

    See Predefined Scheduled Tasks in Administering Oracle Identity Governance for information about this scheduled task.

  • Import templates using the Import option in Deployment Manager. See Importing Deployment in Administering Oracle Identity Governance for information about importing entities using Deployment Manager.

  • Create a template manually using the sample template.

Note:

  • For authoritative applications, create an application instance using the ApplicationInstanceService.addApplicationInstance(ApplicationInstance appInst) API and then use Application Template Generation Job to generate the template.

  • The applications that are created through the Create Application option contain the schema attributes for all the values present in the lookup. These schema attributes may include attributes that were previously derived attributes, such as __NAME__. When a new UI form is created, these attributes must be removed. To remove these attributes, customize the form by using the sandbox.

    See Managing Forms in Administering Oracle Identity Governance for more information on customizing the form by using the sandbox.

21.1.2.4 Disconnected Applications

Disconnected resources are targets for which there are no connectors. Therefore, you must provision these resources manually. You can create applications for disconnected resources by using the Applications page in Identity Self Service.

See Managing Disconnected Resources in Administering Oracle Identity Governance for information about the disconnected resources and disconnected application instances.

21.1.2.5 Instance Creation

Instance creation allows you to create an instance of an application that shares the configurations of the base application but includes different connectivity options.

The following configurations are shared between the base and instance applications:

  • Advance configurations

  • Schema configurations

  • Provisioning configuration

  • Reconciliation configuration

An instance application has its own attributes and configurations for:

  • Application Name

  • Application Display Name

  • Application Description

  • Basic Configurations

  • Catalog attributes

  • Organization publication

Note:

Configurations that are shared with the base application cannot be modified by using the edit application option.

21.1.2.6 Cloning Applications

When an application is cloned, all the configurations of the base application are copied into the cloned application.

21.1.2.7 Validation and Transformation of Provisioning and Reconciliation Attributes

When you create an application by using Identity Self Service, you can validate and transform provisioning attributes before the attributes are passed to the target system. The application onboarding capability in Identity Self Service lets you write Groovy script-based validation and transformation logic. See Creating a Target Application or Creating an Authoritative Application for more information on how to include these scripts.

Suppose that you want to manage accounts on an Oracle Database target through Oracle Identity Manager. This situation has the following requirements:

  • The account fields are User ID, Organization, First Name, and Last Name.

  • The User ID field cannot be null.

  • The user ID must end with @example.com. For example, if the user ID is test, then during the request it must be transformed to test@example.com on the target.

  • If the user does not provide organization details, then the default value must be set to Server Technology.

To meet these requirements, you can create the following validation script and transformation script while creating the application.

Validation Groovy Script:

// Collects validation messages; a non-empty result rejects the request.
def errors = "";
if(User_Id == null || User_Id == ""){
    errors = errors + " User Id cannot be null";
}
return errors;

Transformation Groovy Script:

// Default the organization when the requester left it empty.
if(Organization == null || Organization == "")
{
    Organization = "Server Technology";
}
// Append the mail domain so the target receives user@example.com.
User_Id = User_Id.toString() + "@example.com";

Validation Groovy Script for Resource Exclusion:

In the validation script, specify a list of user IDs for accounts that must be excluded from reconciliation and provisioning operations. The following is a sample script:

def errors = "";
// Account IDs that must never be provisioned or reconciled.
def excludedUsers = ['user01', 'user02'];
// Only letters, digits, and underscores are accepted in a user ID.
def regexStr = /^[a-zA-Z0-9_]+/;
// Guard against a null User_Id before calling matches() on it.
if(User_Id == null || !User_Id.matches(regexStr)) errors = errors + " Invalid UserId";
if(excludedUsers.contains(User_Id)) errors = errors + " User Id lies in excluded list";
return errors;

See About Customizing Groovy Scripts for more sample scripts and information about transformation of attributes.
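The following harness is an added example and is not code from the Oracle documentation or the product. It lets you unit-test the validation and transformation scripts shown above (the null check, the exclusion list, and the @example.com transformation, combined into one validation script and one transformation script) before pasting them into the Create Application wizard. It assumes, as the sample scripts imply, that Oracle Identity Manager exposes each account field to the scripts as a Groovy binding variable named after the attribute (User_Id, Organization, and so on) and that a transformation script changes a value by assigning to that variable; the runScripts function and the sample requests are constructed for this example.

```groovy
import groovy.lang.Binding
import groovy.lang.GroovyShell

// Added example, not code from the Oracle documentation or product. It ASSUMES
// (as the page's sample scripts imply) that Oracle Identity Manager exposes each
// account field to the scripts as a binding variable named after the attribute
// (User_Id, Organization, ...) and that a transformation script changes values
// by assigning to those variables.

// Validation script: returns a String; anything non-empty rejects the request.
String validationScript = '''
def errors = ""
def excludedUsers = ['user01', 'user02']      // accounts excluded from provisioning and recon
def regexStr = /^[a-zA-Z0-9_]+$/              // allowed User ID characters
if (User_Id == null || User_Id == "") {
    errors = errors + " User Id cannot be null"
} else {
    if (!User_Id.matches(regexStr)) errors = errors + " Invalid UserId"
    if (excludedUsers.contains(User_Id)) errors = errors + " User Id lies in excluded list"
}
return errors
'''

// Transformation script: defaults Organization and appends the mail domain.
String transformationScript = '''
if (Organization == null || Organization == "") {
    Organization = "Server Technology"
}
User_Id = User_Id.toString() + "@example.com"
'''

// Runs validation first and transformation only when validation passed.
// Returns [errors, attributes]; attributes reflect the transformed binding.
List runScripts(Map<String, Object> account, String validation, String transformation) {
    Binding binding = new Binding(new HashMap<String, Object>(account)) // copy: input stays untouched
    GroovyShell shell = new GroovyShell(binding)
    String errors = (shell.evaluate(validation) ?: "").toString().trim()
    if (errors) {
        return [errors, account]
    }
    shell.evaluate(transformation)
    Map<String, Object> transformed = [:]
    account.keySet().each { String key -> transformed[key] = binding.getVariable(key) }
    return ["", transformed]
}

// Constructed sample requests; these are not real accounts.
List<Map<String, Object>> samples = [
    [User_Id: "test",   Organization: "",      First_Name: "Te", Last_Name: "St"],
    [User_Id: "",       Organization: "Sales", First_Name: "No", Last_Name: "Id"],
    [User_Id: "user01", Organization: "Sales", First_Name: "Ex", Last_Name: "Cluded"],
    [User_Id: "bad id", Organization: "Sales", First_Name: "Sp", Last_Name: "Ace"],
]
samples.each { Map<String, Object> acct ->
    def (String errors, Map<String, Object> result) = runScripts(acct, validationScript, transformationScript)
    println(errors ? "REJECTED ${acct.User_Id.inspect()}: ${errors}" : "OK: ${result}")
}
```

Run it with `groovy` on any machine with a Groovy installation; the first request passes and comes back with Organization set to Server Technology and User_Id set to test@example.com, the empty, excluded, and malformed IDs are rejected with the corresponding message. Validation runs before transformation on purpose: the exclusion list and the character check are applied to the raw request value, not to the value after @example.com has been appended.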

21.1.2.8 Important Elements in the Application Template XML

Some important elements and structures of the application template XML file are:

  • applicationName: The application name must be unique and cannot be more than 200 characters.

  • applicationDisplayName: Display Name of application.

  • connectorDisplayName: The connector display name is used for locating the bundle and is a read-only field for the user. The value is included with the default template in the connector bundle.

  • connectorVersion: The connector version is used for locating the bundle and is a read-only field for the user. The value is included with the default template in the connector bundle.

  • basicConfigurations: The connectivity details for a target system, such as host and port. The list of parameters varies from target to target.

  • advanceConfigurations: The target-specific configurations, which are used by the bundle while performing provisioning to or reconciliation from the target system. The list of parameters varies from target to target.

  • objectClass: Each template has at least one object class that represents the object on the target system to be provisioned or reconciled.

    • provisioningConfig: Provisioning related configurations:

      • validationScript: Groovy validation scripts that are executed before provisioning on the target system.

      • transformationScript: Groovy transformation scripts that are executed before provisioning the data.

      • capabilities: A list of operations supported by the bundle on the target system.

    • reconConfig: Reconciliation related configurations:

      • reconJobDetails: A list of jobs that reconcile the data into Oracle Identity Manager.

      • identityCorrelationRule: The rule for owner matching. This rule is defined between the target attribute and the Oracle Identity Manager user attribute.

      • situationResponses: A list of situations and their corresponding responses. For example, in a situation of No Matches Found, the response may be Create User.

      • validationScript: Groovy validation scripts that are executed before reconciling the data into Oracle Identity Manager.

      • transformationScript: Groovy transformation scripts that are executed before reconciling the data into Oracle Identity Manager.

    • form: Specifies one parent form per objectClass.

      • schemaAttributes: The schema configuration for objectClass. Each schema attribute has the following attributes:

        • name: The name of the attribute on target system.

        • dataType: The data type of the attribute. For example, String.

        • displayName: The name of the attribute in Oracle Identity Manager.

        • length: The length of data that can be stored in the attribute. If this attribute is not supplied in the template, it is configured with the default length. However, this attribute is not exposed in the interface.

        • identityAttribute: The name of the user attribute. Changes to this user attribute force the corresponding account attribute to be updated on the target system.

          Note:

          The list of schemaAttributes does not include the user password. If you want to add this capability, then select the capability in the Settings tab, from the provisioning options.

        • keyField: Defines the Recon account matching rule.

        • keyFieldCaseInsensitive: Defines whether the Recon account matching rule is case insensitive or not.

        • required: Indicates whether the attribute is required.

        • fieldType: Displays the type of schema attribute. This attribute is for legacy purposes and is not exposed to the user. If the type is not specified in the template, this attribute is configured with the default type.

        • entitlement: Marks the schema attribute as an entitlement. This property is inherited by child schema attributes.

        • reconcileable: Indicates whether the attribute can be reconciled.

        • provisionable: Indicates whether the attribute can be provisioned. This property is inherited from parent schema attributes.

        • encrypted: Indicates whether the attribute is encrypted.

        • advanceFlags: Advance flags such as Lookup, Date, and WriteBack.

          • Lookup: Use Lookup if ~ must be removed from the attribute value before the value is sent to the target.

          • Date: Use Date if the datatype attribute matches the date on the target.

          • WriteBack: Use WriteBack if the attribute must be populated from the target after provisioning.

        • Account Discriminator: Set the schema attribute as the discriminator for the accounts. You can select multiple provisionable fields as account discriminators. See Terminologies Used in Access Policies for more information on Account Discriminator.

        • listOfValues: The name of the Lookup attribute that lists the value for the attribute.

        • defaultValue: The value to be used during reconciliation when no value for the attribute is available on the target system.

        • provideOldValueOnUpdate: Set to true if the old value of this attribute must propagate to the target during the update.

        • dependentAttribute: The value of this attribute is supplied to the target application during the update of this attribute.

        Note:

        The provideOldValueOnUpdate and dependentAttribute attributes cannot be used at the same time. Either the old value is passed to the target or the dependent attribute is passed to the target during the attribute update.

      • form: Specifies the child form (or forms) for the parent or root form. It corresponds to a multi-valued attribute.

        • Use Bulk: Select this option to configure the Update Child Table Values Bulk adapter for all child table-related operations.

          Some targets support only bulk updates of child values for all operations, including adding a new child, updating an existing child, and removing a child. For these targets, the Use Bulk option must be selected for each child form.

  • catalogAttributes: List of catalog attributes.

    • Audit Objective: A text field that provides any relevant value or description for Oracle Identity Analytics (OIA) certification.

    • Risk Level: Level of risk for the entity. The values supported are Low Risk, Medium Risk, and High Risk.

    • User Defined Tags: A value that describes the catalog item and that can be used for searching the entity.

    • Approver User: User who can approve the catalog item. This is used at the time of processing the request for the catalog item or during attestation.

    • Approver Role: Role that can approve the catalog item.

    • Certifier User: User who can certify the catalog item.

    • Certifier Role: Role that can certify the catalog item.

    • Fulfillment User: User who can complete or fulfill the request for the catalog item.

    • Fulfillment Role: Role that can complete or fulfill the request for the catalog item.

    • Certifiable: Specifies whether a catalog item is certifiable.

  • organizations: The list of organizations where the application is published.

  • parentApplicationName: The name of the application on which the current application has a dependency. For example, if the AD Exchange application has a dependency on the AD application, then parentApplicationName is set to the AD application.

21.2 Searching Applications

On the Applications page, you can search for applications based on the application name, display name, connector name, and base application.

To search for applications:
  1. Log in to Identity Self Service.
  2. Click the Manage tab, and then click the Applications box to open the Applications page.
  3. In the search list, select any one of the following:
    • Name: Search by application name.

    • Display Name: Search by display name.

    • Connector Name: Search by connector name.

    • Base Application: Search by base application name.

  4. In the Search box, enter your search criterion.
  5. Click the Search icon.

    The search results table displays the application name, display name, connector name, and application.

21.3 Creating Applications

You can use the Create Application option to create a target application or an authoritative application.

Creating applications is described in the following sections:

21.3.1 Creating a Target Application

Creating a target application includes steps such as providing basic information, updating schema attributes, reviewing and updating settings for default attributes, and verifying the application information.

To navigate to the Create Application wizard, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. From the Actions menu, click Create, and then select Target. Alternatively, click Create on the toolbar, and select Target to open the Create Application wizard.

From this point onward, page-wise instructions are provided in the following sections:

21.3.1.1 Providing Basic Information for Target Application
On the Basic Information page, select the application you wish to onboard. To do so:
  1. If you want to onboard a disconnected application using the default disconnected template, then select the Disconnected checkbox.

    Note:

    To create a disconnected application for any custom template, do not select the Disconnected checkbox. Go to step 3.
  2. If you want to create the application from a connector package, then select Connector Package. Select the connector from the Select Bundle list. By default, the Select Bundle drop-down shows the list of templates from the connector bundles present in OIM_HOME/server/ConnectorDefaultDirectory.
    To load a template from connector bundles at an alternate location, provide the path in the Alternate Connector Directory field, and click the Reload connector list from alternate directory icon next to the Alternate Connector Directory field.
  3. Alternatively, if you want to create the application by using a template, then select Template, and choose the template from the Select Template list.
  4. Enter the Application Name, Display Name, and Description for the application. Application Name and Display Name are mandatory fields. Application Name cannot include a space. Display name is the name that is used to represent the application in the request catalog.
  5. Depending on the selected bundle or template, Basic Configuration and Advanced Settings for the connector may appear.

    Note:

    • The parameters in the Basic Configuration and Advanced Settings section will vary based on the connector you have selected. For more information about these parameters, refer to the corresponding Connector documentation available on the Oracle Help Center website at the following URL:

      https://docs.oracle.com/middleware/12213/oig/index.html

    • After applying Bundle Patch 12.2.1.3.180413, Advanced Settings section allows you to add new attributes using the Add Attribute option.

      To add an attribute:

      1. Click Add Attribute. New Attribute window is displayed.

      2. Enter Name, Value, Category, and Display Name, and click OK.

        The new attribute is displayed in the Custom section.

    Update the required Basic Configuration parameters. Click Test Connection to verify that the server can connect to the target system with the parameters you provided.

  6. Click Next to open the Schema page.
21.3.1.2 Providing Schema Information for Target Application

On the Schema page, you can manage the account and entitlement schema attributes. You can edit or delete existing attributes from the schema. After you perform all required actions on the Schema page, click Next to go to the Settings page.

Adding attributes and child form is described in the following sections:

21.3.1.2.1 Adding Attributes
To add new attributes:
  1. Click Add Attribute to add a new row to the table. Provide the following Application Attribute details:
    • Identity Attribute: Select an attribute from the list of user attributes. This attribute is used for the user trigger process, that is, to propagate user attribute changes to the user's resource account. For example, if a change to the FirstName of a user should be pushed down to the fname attribute of the user's account on the target, then select FirstName in the Identity Attribute list and select fname in the corresponding Target Attribute list.

      See Process Definition Form in Developing and Customizing Applications for Oracle Identity Governance for more information on user triggered process.

    • Display Name: Enter the display name for the attribute in Oracle Identity Manager.

    • Target Attribute: Enter the target attribute name. For connectors that support schema discovery, if the correct connectivity details are provided in the Basic Configuration section, then all the attributes on the target are listed in the Target Attribute drop-down; select the target attribute name from the list.

    • Data Type: Select the data type from the list.

  2. Provide the following Provisioning Property descriptions:
    • Mandatory: Select if the attribute is mandatory for target provisioning.

    • Provision Field: Select if the attribute must be present on the provisioning form.

  3. Provide the following Reconciliation Properties descriptions:
    • Recon Field: Select if the reconciliation process needs to pull this attribute value.

    • Key Field: Select if the attribute is used for entity matching during reconciliation.

    • Case Insensitive: Select if the account matching rule is case-insensitive.

  4. To add additional properties to the attribute, click the Advanced Settings icon. The Advanced Settings window is displayed. Provide the following advanced settings:
    • Account Discriminator: Select to mark this attribute as one of the Account Discriminator fields. The collection of all such attributes in the form will uniquely identify the logical entity on which accounts are created. See Terminologies Used in Access Policies for more information on Account Discriminator.

    • Lookup: Select to indicate that the value of this attribute is set from a Lookup field. In the List Of Values field, enter the name of a lookup that contains the list of allowed values for this attribute. During provisioning, the value of this attribute can be set to one of the values from this list. If the lookup name provided does not exist, then a new lookup is created with an empty list of values. This is applicable only when the Data Type of the attribute is String.

    • Date: Select if the data type of the attribute is Date on target and must be mapped to String type attribute in Oracle Identity Manager.

    • WriteBack: Select to set the attribute as WriteBack for provisioning use case. When account provisioning is done, the value of this attribute in Oracle Identity Manager will get updated with the value in target. For example, __UID__ field is of type WriteBack. The value for UID is generated on the target and is written back into the Oracle Identity Manager account after provisioning.

    • Provide old value on update: Select if the update operation of the attribute on target requires the old value to be propagated to target along with the new value. For example, to change the account password, you must provide the old password value along with the new password.

    • Dependent Attribute: Enter or select the name of the Oracle Identity Manager attribute on which the update operation of this attribute on target is dependent.

  5. If you want to remove any attribute, then click the Delete icon that is associated with the attribute.
21.3.1.2.2 Adding Child Forms

To add child forms:
  1. Click Add Child Form. The Add Child Form window is displayed.
  2. Enter the Form name and click OK. The new child form is created.
  3. Enter the attribute details. This is similar to the attribute details in Adding Attributes.
  4. Provide the following application attribute details: Display Name, Target Attribute, and Data Type.
  5. Provide the following Provisioning Property: Mandatory.
  6. Provide the following Reconciliation Properties: Recon Field, Key Field, and Case Insensitive.
  7. To add additional properties to the attribute, click the Advanced Settings icon. The Advanced Settings window is displayed. Provide the following advanced settings: Lookup, Date, WriteBack, and Entitlement (select if this attribute must be marked as an entitlement).
  8. For targets that support only bulk update of child values, select Use Bulk option.
  9. Click Delete Form to remove the child form.
21.3.1.3 Providing Settings Information for Target Application

On the Settings page, you can review and customize the default settings related to provisioning, reconciliation, catalog, and organization publications. After you perform all required actions on the Settings page, click Next to go to the Finish page.

Expand the Preview Settings tab and perform the following:

21.3.1.3.1 Updating the Provisioning Configuration
In the Provisioning tab, perform the following steps to update provisioning configurations:
  1. In the Global Configuration section, review and, if required, update the predefined provisioning configurations:
    • Validation Script: Click to review the validation script or to include a script. The Validation Script editor is displayed. If the script is present, you can edit the validation script or compile the script.

    • Transformation Script: Click to review the transformation script or to include a script. The Transformation Script editor is displayed. If the script is present, you can edit the transformation script or compile the script.

    • Account Name: From the list, select the attribute that uniquely identifies the account. This list consists of all the schema attributes that can be set as the account name.

    See About Customizing Groovy Scripts for more information on how to write Validation and Transformation Script.

  2. In the Capabilities section, you can review and, if required, update the pre and post action scripts for the provisioning operations that are associated with this application. Provisioning operations include Create, Enable, Disable, Update (Bulk), Delete, and Change User Password.

    Note:

    If script execution is not supported for a particular provisioning operation in a connector, then the Action Script button is disabled.

    To do so:

    1. Select the capability for which you want to review, edit, or add pre and post action scripts, and click the Action Script button associated with that capability to open the Action Script editor.

    2. You can configure the script to run before or after the provisioning operation. Use the pane where Trigger Time is set to Before to configure a script that must run before the provisioning operation, and the pane where Trigger Time is set to After to configure a script that must run after the provisioning operation.

    3. Enter Language in which the script is written. For example, Shell.

      Note:

      For more information on the languages supported, and on whether script execution for a particular action is supported by the connector type, refer to the corresponding connector document.
    4. Enter Target to specify where the script has to be executed. For example, if Target is set to Resource, the script is executed on the computer where the target system is running. If Target is set to Connector, the script is executed on the Oracle Identity Manager server or the connector server (if configured).

    5. Enter script and click Compile to check if the script is valid.

    6. Click Save.

      Note:

      You cannot add or manage scripts for the applications that are created through Connector Installer. However, the Java-based transformation and validation provided by Design Console continue to work.
21.3.1.3.2 Updating the Reconciliation Configuration

On the Reconciliation tab, you can review or customize the required predefined matching rules, situations and responses, and reconciliation jobs.

Perform the following to update the reconciliation configuration:

21.3.1.3.2.1 Updating Identity Correlation Rule
In the Identity Correlation Rule section, you can review and, if required, edit or add simple or complex correlation rules. To add a rule:
  1. If you want to add a simple rule, then select Simple Correlation Rule and set the rule conditions. If the rule is based on more than one condition, then click Add Rule Element to include a new rule element. Each rule element matches one target attribute to a user or identity attribute. The rule elements are combined with the AND or OR operator.
  2. If you want to add a complex rule instead, then select Complex Correlation Rule and enter the rule equation in JSON format. To validate the rule, click Validate JSON Syntax.

    Complex correlation rules are used when:

    • The rule has nested rules. The following is an example of a nested rule:

      {
          "ruleOperator": "AND",
          "ruleElement": [
              {
                  "targetAttribute": "__NAME__",
                  "userAttribute": "User Login",
                  "elementOperator": "Equals",
                  "transformName": "NONE"
              }
          ],
          "identityCorrelationRule": [
              {
                  "ruleOperator": "OR",
                  "ruleElement": [
                      {
                          "targetAttribute": "Mid Name",
                          "userAttribute": "Middle Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE"
                      },
                      {
                          "targetAttribute": "Last Name",
                          "userAttribute": "Last Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE",
                          "caseSensitive": true
                      }
                  ]
              },
              {
                  "ruleOperator": "OR",
                  "ruleElement": [
                      {
                          "targetAttribute": "First Name",
                          "userAttribute": "First Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE"
                      }
                  ]
              }
          ]
      }
    • Only part of a target attribute's value must be matched against the identity or user attribute value. In that case, a transformation can be specified in the rule, for example, to match a substring of the target FirstName to the Oracle Identity Manager User FirstName. Supported transformations are:

      • Substring, for example start point or end point.

      • Endstring, for example end point.

      • Tokenize, for example Delimiters, Token Number, or Space Delimiter.

      The following is an example of a rule that has transformName set to Tokenize and maps the target attribute __NAME__ to the Oracle Identity Manager attribute User Login.

      {
          "ruleOperator": "AND",
          "ruleElement": [
              {
                  "targetAttribute": "__NAME__",
                  "userAttribute": "User Login",
                  "elementOperator": "Equals",
                  "transformName": "Tokenize",
                  "transformParams": [
                      {
                          "name": "Space Delimiter",
                          "value": "FALSE"
                      },
                      {
                          "name": "Token Number",
                          "value": "1"
                      },
                      {
                          "name": "Delimiters",
                          "value": "'@'"
                      }
                  ]
              }
          ]
      }
21.3.1.3.2.2 Updating Situations and Responses
In the Situations And Responses section, you can review and, if required, update or add situations and responses. To do so:
  1. To add a new situation and response, click Add.
  2. Select the situation from the Situation list, for example, No matches found, One entity match found, and so on.
  3. Select an appropriate response for the situation from the Response list, for example, Create User, Establish Link, and so on.
21.3.1.3.2.3 Updating Validation and Transformation Scripts
In the Validation & Transformation section, review and, if required, update or add validation and transformation logic written as Groovy scripts. Click Validation Script or Transformation Script to open the editor and enter the script.

Note:

  • You cannot add or manage scripts for applications that are created through the Connector Installer. However, the Java-based transformation and validation provided through the Design Console continue to work.

  • You can access any provisioning attribute value in the Groovy script by its display name as defined in the Schema section. To do this, replace the spaces in the display name with the underscore character (_).

21.3.1.3.2.4 Updating Reconciliation Jobs
In the Reconciliation Jobs section, you can review and, if required, update or add reconciliation jobs. To add a job:
  1. Click Add Job to open the New Job window.
  2. Enter Job Name, required parameters and their values and click OK. You can add parameters to the existing jobs using the Add Parameter option. Click Add Parameter to open the Select Parameter Type window. Select the parameter type from the list and click OK. Enter the required details and click OK.

    The following reconciliation jobs can be set:

    • Full: This is used to reconcile all existing user records from the target system into Oracle Identity Manager.

    • Incremental: This is used to reconcile only records created or modified after the last reconciliation run.

    • Delete: This is used for reconciliation of deleted records.

    • Entitlement: This is used for lookup field synchronization.

    Note:

    For information about the default set of reconciliation jobs for a given connector, refer to the corresponding Connector documentation available on the Oracle Help Center website at the following URL:

    http://docs.oracle.com/cd/E22999_01/index.htm

21.3.1.3.3 Updating the Organization Configuration
On the Organization tab, select the organizations to which this application will be published. By default, the application is configured to be published to the Top organization. To add organizations:
  1. Click Add to open the Add Organization window.
  2. Search for the organization. Select the required organization from the search result table, and click Select.
  3. Select Hierarchy Aware if you want to publish this application to the organization and its child organizations.
21.3.1.3.4 Updating the Catalog Configuration

On the Catalog tab, you can set the catalog metadata for the application.

You can update the following attributes:

  • Category: Enter the category for the application.

  • User Defined Tags: Enter the user-defined tags for the application.

  • Audit Objective: Enter the objective of the audit.

  • Auditable: Select Yes if the application is auditable or No if it is not.

  • Requestable: Select Yes if the application is requestable or No if it is not. The following fields are enabled if Requestable is set to Yes:

    • Fulfillment Role: Click Search icon to search and select the fulfillment role.

    • Approver User: Click Search icon to search and select the user.

    • Approver Role: Click Search icon to search and select approver role.

    • Fulfillment User: Click Search icon to search and select the fulfillment user.

  • Certifiable: Select Yes if the application is certifiable or No if it is not. The following fields are enabled if Certifiable is set to Yes:

    • Certifier User: Click Search icon to search and select the certifier user.

    • Certifier Role: Click Search icon to search and select the certifier role.

  • Risk Level: Select the risk level: High Risk, Medium Risk, or Low Risk.

21.3.1.4 Verifying the Target Application Details

On the Finish page, review the details used to create the application. If anything needs to be changed, click Back and make the required changes. If the details are fine, then click Finish to create an application.

When you are prompted whether you want to create a default request form, click Yes or No.

If you choose to create a default request form, then the default form is created with the same name as the application. The default form cannot be modified later. Therefore, if you want to customize it, you must create a new form. To view the new default form, you must log in again to Oracle Identity Self Service. However, other users can view the default form as soon as it is created.

If you want to perform any sandbox-related changes after you create an application, then you must log out from the current Oracle Identity Self Service session and log in again.

21.3.2 Creating an Authoritative Application

Creating an authoritative application includes steps such as providing basic information, updating schema attributes, reviewing and updating settings for default attributes, and verifying the application information.

To navigate to the Create Application wizard, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. From the Actions menu, click Create, and then select Authoritative. Alternatively, click Create on the toolbar, and select Authoritative to open the Create Application wizard.

From this point onward, page-wise instructions are provided in the following sections:

21.3.2.1 Providing Basic Information for Authoritative Application
On the Basic Information page, select the application you wish to onboard. To do so:
  1. If you want to create the application from a connector package, then select Connector Package. Select the connector from the Select Bundle list. By default, the Select Bundle list shows the templates from the connector bundles present in OIM_HOME/server/ConnectorDefaultDirectory.
    To load a template from connector bundles at an alternate location, provide the path in the Alternate Connector Directory field, and click the Reload connector list from alternate directory icon next to the Alternate Connector Directory field.
  2. Alternatively, if you want to create the application from a template, then select Template, and choose the template from the Select Template list.
  3. Enter the Application Name, Display Name, and Description for the application. Application Name and Display Name are mandatory fields. Application Name cannot include a space. Display name is the name that is used to represent the application in the request catalog.
  4. Depending on the selected bundle or template, Basic Configuration and Advanced Settings for the connector may appear.

    Note:

    The parameters in the Basic Configuration and Advanced Settings section will vary based on the connector you have selected. For more information about these parameters, refer to the corresponding Connector documentation available on the Oracle Help Center website at the following URL:

    http://docs.oracle.com/cd/E22999_01/index.htm

    Update the required Basic Configuration parameters. Check if the connection between the target system and the server is fine using the Test Connection button.

  5. Click Next to open the Schema page.
21.3.2.2 Providing Schema Information for Authoritative Application
On the Schema page, you can manage the account and entitlement schema attributes. You can edit or delete existing attributes from the schema. After you perform all required actions on the Schema page, click Next to go to the Settings page. To add new attributes:
  1. Click Add Attribute to add a new row to the table. Provide the following Application Attribute details:
    • Identity Display Name: Select the display name for the attribute.

    • Target Attribute: Enter the target attribute name or select the attribute name from the list.

    • Data Type: Select the data type from the list.

  2. Provide the following Reconciliation Properties:
    • Mandatory: Select if the attribute is mandatory for target provisioning.

    • Key Field: Select if attribute is used for entity matching during reconciliation.

  3. To add additional properties to the attribute, click the Advanced Settings icon. The Advanced Settings window is displayed. Provide the default value and click OK.
21.3.2.3 Providing Settings Information for Authoritative Application

On the Settings page, you can review and customize the default settings related to reconciliation and organization publications. After you perform all required actions in Settings page, click Next to go to the Finish page.

21.3.2.3.1 Updating the Reconciliation Configuration

On the Reconciliation tab, you can review or customize the required predefined matching rules, situations and responses, and reconciliation jobs.

Perform the following to update the reconciliation configuration:

21.3.2.3.1.1 Updating Identity Correlation Rule
In the Identity Correlation Rule section, you can review and, if required, edit or add simple or complex correlation rules. To add a rule:
  1. If you want to add a simple rule, then select Simple Correlation Rule and set the rule conditions. If the rule is based on more than one condition, then click Add Rule Element to include a new rule element. Each rule element matches one target attribute to a user or identity attribute. The rule elements are combined with the AND or OR operator.
  2. If you want to add a complex rule instead, then select Complex Correlation Rule and enter the rule in JSON format. To validate the rule, click Validate JSON Syntax.

    Complex correlation rules are used when:

    • The rule has nested rules. The following is an example of a nested rule:

      {
          "ruleOperator": "AND",
          "ruleElement": [
              {
                  "targetAttribute": "__NAME__",
                  "userAttribute": "User Login",
                  "elementOperator": "Equals",
                  "transformName": "NONE"
              }
          ],
          "identityCorrelationRule": [
              {
                  "ruleOperator": "OR",
                  "ruleElement": [
                      {
                          "targetAttribute": "Mid Name",
                          "userAttribute": "Middle Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE"
                      },
                      {
                          "targetAttribute": "Last Name",
                          "userAttribute": "Last Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE",
                          "caseSensitive": true
                      }
                  ]
              },
              {
                  "ruleOperator": "OR",
                  "ruleElement": [
                      {
                          "targetAttribute": "First Name",
                          "userAttribute": "First Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE"
                      }
                  ]
              }
          ]
      }
    • Only part of a target attribute's value must be matched against the identity or user attribute value. In that case, a transformation can be specified in the rule, for example, to match a substring of the target FirstName to the Oracle Identity Manager User FirstName. Supported transformations are:

      • Substring, for example start point or end point.

      • Endstring, for example end point.

      • Tokenize, for example Delimiters, Token Number, or Space Delimiter.

      The following is an example of a rule that has transformName set to Tokenize and maps the target attribute __NAME__ to the Oracle Identity Manager attribute User Login.

      {
          "ruleOperator": "AND",
          "ruleElement": [
              {
                  "targetAttribute": "__NAME__",
                  "userAttribute": "User Login",
                  "elementOperator": "Equals",
                  "transformName": "Tokenize",
                  "transformParams": [
                      {
                          "name": "Space Delimiter",
                          "value": "FALSE"
                      },
                      {
                          "name": "Token Number",
                          "value": "1"
                      },
                      {
                          "name": "Delimiters",
                          "value": "'@'"
                      }
                  ]
              }
          ]
      }
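The following evaluator is an added example, not Oracle Identity Manager code: it walks the nested ruleElement / identityCorrelationRule structure and the Tokenize transform shown in the examples above and in Updating Identity Correlation Rule for target applications, so that a rule can be dry-run against a constructed target record and user record before it is saved. The Substring and Endstring parameter names (Start Point, End Point) and their index semantics, a 1-based Token Number, and a default of caseSensitive = false are assumptions, not documented behaviour.

```python
"""Dry-run evaluator for OIM identity correlation rules in JSON form (added example)."""
import json
import re
from typing import Any, Dict

Rule = Dict[str, Any]


def _param(element: Rule, name: str, default: str = "") -> str:
    """Look up a transformParams entry by its "name" (the format used in the rule JSON)."""
    for p in element.get("transformParams", []):
        if p.get("name") == name:
            return str(p.get("value", default))
    return default


def _apply_transform(element: Rule, value: str) -> str:
    """Apply the element's transformName to the raw target attribute value."""
    name = element.get("transformName", "NONE")
    if name == "NONE":
        return value
    if name == "Substring":
        # Assumption: "Start Point"/"End Point" are 0-based slice bounds.
        start = int(_param(element, "Start Point", "0"))
        end = _param(element, "End Point")
        return value[start:int(end)] if end else value[start:]
    if name == "Endstring":
        # Assumption: keep the trailing "End Point" characters.
        n = int(_param(element, "End Point", "0"))
        return value[-n:] if n else value
    if name == "Tokenize":
        # Delimiters arrive quoted, e.g. "'@'" in the documented example.
        delims = _param(element, "Delimiters").strip("'")
        if _param(element, "Space Delimiter", "FALSE").upper() == "TRUE":
            delims += " \t"
        token_no = int(_param(element, "Token Number", "1"))  # assumption: 1-based
        if delims:
            tokens = [t for t in re.split("[" + re.escape(delims) + "]", value) if t]
        else:
            tokens = [value]
        return tokens[token_no - 1] if 0 < token_no <= len(tokens) else ""
    raise ValueError("unsupported transformName: %s" % name)


def _element_matches(element: Rule, target: Dict[str, str], user: Dict[str, str]) -> bool:
    """Compare one transformed target attribute with one user attribute."""
    if element.get("elementOperator", "Equals") != "Equals":
        raise ValueError("unsupported elementOperator: %s" % element["elementOperator"])
    t_raw = target.get(element["targetAttribute"])
    u_raw = user.get(element["userAttribute"])
    if t_raw is None or u_raw is None:
        return False  # a missing attribute never correlates
    t_val, u_val = _apply_transform(element, str(t_raw)), str(u_raw)
    if not element.get("caseSensitive", False):  # assumption: case-insensitive by default
        t_val, u_val = t_val.lower(), u_val.lower()
    return t_val == u_val


def evaluate_rule(rule: Rule, target: Dict[str, str], user: Dict[str, str]) -> bool:
    """Combine the rule's elements and its nested identityCorrelationRule entries
    with the rule's own ruleOperator (AND / OR), recursing into nested rules."""
    op = rule.get("ruleOperator", "AND").upper()
    if op not in ("AND", "OR"):
        raise ValueError("unsupported ruleOperator: %s" % op)
    results = [_element_matches(e, target, user) for e in rule.get("ruleElement", [])]
    results += [evaluate_rule(r, target, user) for r in rule.get("identityCorrelationRule", [])]
    if not results:
        return False  # an empty rule matches nothing rather than everything
    return all(results) if op == "AND" else any(results)


def correlate(rule_json: str, target: Dict[str, str], user: Dict[str, str]) -> bool:
    """Parse the rule text (as Validate JSON Syntax would) and evaluate it."""
    return evaluate_rule(json.loads(rule_json), target, user)


# Constructed sample rules: the documented Tokenize rule and a cut-down nested rule.
TOKENIZE_RULE = json.dumps({
    "ruleOperator": "AND",
    "ruleElement": [{
        "targetAttribute": "__NAME__", "userAttribute": "User Login",
        "elementOperator": "Equals", "transformName": "Tokenize",
        "transformParams": [
            {"name": "Space Delimiter", "value": "FALSE"},
            {"name": "Token Number", "value": "1"},
            {"name": "Delimiters", "value": "'@'"},
        ],
    }],
})

NESTED_RULE = json.dumps({
    "ruleOperator": "AND",
    "ruleElement": [{"targetAttribute": "__NAME__", "userAttribute": "User Login",
                     "elementOperator": "Equals", "transformName": "NONE"}],
    "identityCorrelationRule": [{
        "ruleOperator": "OR",
        "ruleElement": [
            {"targetAttribute": "Mid Name", "userAttribute": "Middle Name",
             "elementOperator": "Equals", "transformName": "NONE"},
            {"targetAttribute": "Last Name", "userAttribute": "Last Name",
             "elementOperator": "Equals", "transformName": "NONE", "caseSensitive": True},
        ],
    }],
})

if __name__ == "__main__":
    # Constructed target record: a mail-style account name tokenized on '@'.
    print(correlate(TOKENIZE_RULE, {"__NAME__": "jdoe@example.com"}, {"User Login": "JDOE"}))
```

Running the module prints True, because token 1 of jdoe@example.com is jdoe and the comparison is case-insensitive unless caseSensitive is set.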
21.3.2.3.1.2 Updating Situations and Responses
In the Situations And Responses section, you can review and, if required, update or add situations and responses. To do so:
  1. To add a new situation and response, click Add.
  2. Select the situation from the Situation list, for example, No matches found, One entity match found, and so on.
  3. Select an appropriate response for the situation from the Response list, for example, Create User, Establish Link, and so on.
21.3.2.3.1.3 Updating Validation and Transformation Scripts
In the Validation & Transformation section, review and, if required, update or add validation and transformation logic written as Groovy scripts. Click Validation Script or Transformation Script to open the editor and enter the script.

Note:

  • You cannot add or manage scripts for applications that are created through the Connector Installer. However, the Java-based transformation and validation provided through the Design Console continue to work.

  • You can access any provisioning attribute value in the Groovy script by its display name as defined in the Schema section. To do this, replace the spaces in the display name with the underscore character (_).

21.3.2.3.1.4 Updating Reconciliation Jobs
In the Reconciliation Jobs section, you can review and, if required, update or add reconciliation jobs. To add a job:
  1. Click Add Job to open the New Job window.
  2. Enter Job Name, required parameters and their values and click OK. You can add parameters to the existing jobs using the Add Parameter option. Click Add Parameter to open the Select Parameter Type window. Select the parameter type from the list and click OK. Enter the required details and click OK.

    The following reconciliation jobs can be set:

    • Full: This is used to reconcile all existing user records from the target system into Oracle Identity Manager.

    • Incremental: This is used to reconcile only records created or modified after the last reconciliation run.

    • Delete: This is used for reconciliation of deleted records.

    Note:

    For information about the default set of reconciliation jobs for a given connector, refer to the corresponding Connector documentation available on the Oracle Help Center website at the following URL:

    http://docs.oracle.com/cd/E22999_01/index.htm

21.3.2.3.2 Updating the Organization Configuration
On the Organization tab, select the organizations to which this application will be published. By default, the application is configured to be published to the Top organization. To add organizations:
  1. Click Add to open the Add Organization window.
  2. Search for the organization. Select the required organization from the search result table, and click Select.
  3. Select Hierarchy Aware if you want to publish this application to the organization and its child organizations.
21.3.2.4 Verifying the Authoritative Application Details
On the Finish page, review the details used to create the application. If anything needs to be changed, click Back and make the required changes. If the details are fine, then click Finish to create an application.

21.4 Creating Templates

You can use the Create Application option to create a target template or an authoritative template and save it in the database for future use.

Creating templates is described in the following sections:

21.4.1 Creating an Authoritative Template

To create an authoritative template:
  1. Perform all the steps described in Creating an Authoritative Application until you open the Finish page of the Create Authoritative Application wizard.
  2. In the Finish page:

    Click Save as Template to create a template. The Save as Template window is displayed.

    Enter Template Name and Description, and click OK.

21.4.2 Creating a Target Template

To create a target template:
  1. Perform all the steps described in Creating a Target Application until you open the Finish page of the Create Target Application wizard.
  2. In the Finish page:

    Click Save as Template to create a template. The Save as Template window is displayed.

    Enter Template Name and Description, and click OK.

21.5 Modifying Applications

You can edit applications that were created by using the Connector Installation Wizard or applications that were created by using the Create Application option.

21.5.1 Editing an Application That Was Created by Using the Connector Installation Wizard

When an authoritative application is created by using the Connector Installation wizard, no default application instance is created. Therefore, the application cannot be edited on the Applications page of the Identity Self Service. To edit an authoritative application that was created by using the Connector Installation wizard, follow these steps:

  1. Create an application instance for this application by using the ApplicationInstanceService.addApplicationInstance(ApplicationInstance appInst) API.

  2. After the application instance is created, run the default Application Template Generation Job that creates a template for the application.

    Note:

    You cannot add or manage scripts for applications that are created through Connector Installer. However, the Java-based transformation and validation that the Design Console provides continues to work.

21.5.2 Editing Applications

To edit an Application:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. Select the application.
  4. In the Action menu, select Edit. Alternatively, click Edit on the toolbar.

    Note:

    In the table that lists the applications, the application name is a hyperlink. Clicking this hyperlink opens a page that contains details of the application. You can edit the details on this page.

    The Base Application field in the table indicates whether the application is a base application or an instance. The configurations that are shared with the base application cannot be modified by using the edit option.

  5. On the application detail page, change the values of the attributes on the Basic Information, Schema, or Settings tab as required.

    Note:

    When you edit an application, if you are adding a new provisionable schema attribute or updating the display name of an existing provisionable schema attribute, then make sure to run the Form Upgrade Job scheduled job before you update an existing account for the application.

  6. Click Apply.

21.5.3 Editing Templates

You can modify a template by using the Create Application option. On the Basic Information tab, use the Template option to select the template. Make the changes, and use the Save as Template option to save them to the template.

21.6 Cloning Applications

When you clone an application, all the configurations of the base application are copied into the cloned application.

To clone an application:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. Select the application.
  4. In the Action menu, select Clone. Alternatively, click Clone on the toolbar to open the Clone Application page.
  5. On the Clone Application page:
    1. Enter the Application Name, Display Name, and Description for the cloned application. Application Name and Display Name are mandatory fields. Application Name cannot include a space. Display Name is the name that is used to represent the application in the request catalog.
    2. Change the values of the attributes in the Basic Information, Schema, and Settings page as required.
  6. Click Apply.

    If you are cloning a target application, then you are asked whether you want to create a default request form. Click Yes or No.

    If you choose to create a default request form, then the default form is created with the same name as the application. The default form cannot be modified later. Therefore, if you want to customize it, you must create a new form. To view the new default form, you must log in again to Oracle Identity Self Service. However, other users can view the default form as soon as it is created.

    If you want to perform any sandbox-related changes after you create an application, then you must log out from the current Oracle Identity Self Service session and log in again.

21.7 Creating Instance Applications

You can create an application instance that has the same configurations as the base application.

Note:

The following configurations are shared between instance and base application:
  • Advanced configurations

  • Schema configurations

  • Provisioning configuration

  • Reconciliation configuration

To create an Instance Application:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. Select the application.
  4. From the Action menu, select Create Instance. Alternatively, click Create Instance on the toolbar to open the Create Instance Application page.
  5. On the Basic Information tab:
    1. Enter the Application Name, Display Name, and Description for the instance application. Application Name and Display Name are mandatory fields. Application Name cannot include a space. Display Name is the name that is used to represent the application in the request catalog.

      The Base Application field displays the application for which you are creating an instance.

    2. Depending on the base application that is selected, Basic Configuration for the connector is displayed. Update the required parameters and check if the connection between the target system and the server is fine using the Test Connection button.
  6. Depending on the base application that is selected, the Settings tab may include information that can be updated. If the base application is a target application, then the Organization and Catalog tabs are displayed. If the base application is an authoritative application, then the Organization tab is displayed. Change values of the attributes as required.
  7. Click Apply.

21.8 Creating Applications in Bulk

You can load base applications and instance applications in bulk by using the Application Bulk Create scheduled task.

See Predefined Scheduled Tasks in Administering Oracle Identity Governance for information about this scheduled task.

The templates are processed in the following way:

  • The templates that do not contain a base application name are processed first, and new applications are created synchronously.

  • The templates that do contain a base application name are used to create instance applications. These templates are processed asynchronously.

See Application Template for more information about templates and how they are created.

Note:

When you create applications by using a job run of the Application Bulk Create scheduled task, use a sandbox to create the UI form from Identity System Administration.

21.9 Deleting Applications

You cannot delete applications from Oracle Identity Self Service.

In some situations, such as when the application creation process fails, the system may contain partially committed applications. To remove partially committed applications from the system, run the connector uninstall utility, as described in Uninstalling Connectors in Administering Oracle Identity Governance.

21.10 About Customizing Groovy Scripts

Groovy Helper provides options to help you transform and validate data during reconciliation or provisioning operations.

The following options are available:

  • Provisioning Mechanism Information: Call the context.provisionMechanism method to get the following provisioning mechanism information from Groovy Helper.

    • REQUEST

    • ADMIN

    • POLICY

    These values are case-sensitive.

  • Operation Information: Call the context.operationType method to get the following type of operations from Groovy Helper.

    • create

    • modify

    These values are case-sensitive.

  • Common Data Container Information:

    • Requester Information: Call the context.requester method to identify the requester (the user initiating the provisioning request) from Groovy Helper. The user object, from which any user attribute can be obtained, is returned. For example, context.requester.getAttribute("User Login") returns the user ID of the requester.

    • Requester Manager Information: Call the context.requesterManager method to identify the requester's manager (the manager of the user initiating the provisioning request) from Groovy Helper. The user object, from which any user attribute can be obtained, is returned. For example, context.requesterManager.getAttribute("User Login") returns the user ID of the requester's manager.

    • Beneficiary Information: Call the context.beneficiary method to identify the beneficiary (the user for whom the provisioning request is initiated) from Groovy Helper. The user object, from which any user attribute can be obtained, is returned. For example, context.beneficiary.getAttribute("User Login") returns the user ID of the beneficiary.

    • Beneficiary Manager Information: Call the context.beneficiaryManager method to identify the beneficiary's manager (the manager of the user for whom the provisioning request is initiated) from Groovy Helper. The user object, from which any user attribute can be obtained, is returned. For example, context.beneficiaryManager.getAttribute("User Login") returns the user ID of the beneficiary's manager.

    • Beneficiary Password Information: Call the context.beneficiaryPassword method to identify the beneficiary’s password from Groovy Helper.

      Note:

      For more information on how to access user attributes, see the User Management APIs.

You can use the Groovy Helper methods in the following way:

  • Derived attributes: You can form attributes which are dependent on two or more other attributes. For example, the full name attribute is a combination of the first name, middle name, and last name attributes.

    User_Id = context.beneficiary.getAttribute("User Login");
    First_Name = context.beneficiary.getAttribute("First Name");
    Last_Name = context.beneficiary.getAttribute("Last Name");
    Middle_Name = context.beneficiary.getAttribute("Middle Name");
    Full_Name = First_Name  + ". " + Middle_Name + ". " + Last_Name;
    
  • Default value attributes: You can form attributes whose default value must be populated. For example, if the user does not provide organization details, then the default value is set to Server Technology.

    if (Organization == null || Organization == "")
    {
        Organization = "Server Technology";
    }
    
  • Transformed attributes: You can form attributes whose value is transformed. For example, @example.com is appended to the User ID attribute.

    User_Id = User_Id.toString()+"@example.com";

In the following sample script, based on the type of provisioning (such as REQUEST, POLICY, or ADMIN) and on the type of operation being performed (such as creation or modification), data is transformed. All the variable values are initialized and available for provisioning and reconciliation operations, except resultList, which is defined and declared in the script itself.

def resultList;
// The context object is only bound for provisioning operations.
if (binding.variables.containsKey("context"))
{
    if (context.operationType.equals("create"))
    {
        if (context.provisionMechanism.equals("POLICY"))
        {
            // Policy-based provisioning: derive the account attributes from the beneficiary.
            User_Id = context.beneficiary.getAttribute("User Login");
            First_Name = context.beneficiary.getAttribute("First Name");
            Last_Name = context.beneficiary.getAttribute("Last Name");
            Middle_Name = context.beneficiary.getAttribute("Middle Name");
            Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
            Common_Name = Full_Name;
            Password = context.beneficiaryPassword;
        }
        else if (context.provisionMechanism.equals("REQUEST") || context.provisionMechanism.equals("ADMIN"))
        {
            // Request or admin provisioning: the name attributes come from the form.
            Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
            Common_Name = Full_Name;
        }
        // Organization_Name holds "<key>~<DN>"; the second token is the container DN.
        if (Organization_Name != null && Organization_Name.indexOf("~") != -1)
        {
            resultList = Organization_Name.tokenize("~");
            User_Full_DN = "CN=" + Common_Name + "," + resultList[1];
        }
    }
    else if (context.operationType.equals("modify"))
    {
        Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
        Common_Name = Full_Name;
        if (Organization_Name != null && Organization_Name.indexOf("~") != -1)
        {
            resultList = Organization_Name.tokenize("~");
            User_Full_DN = "CN=" + Common_Name + "," + resultList[1];
        }
    }
}

The following is a sample Validation Groovy Script that displays an error message if the User ID is not provided.

def errors = "";
if (User_Id == null || User_Id == "")
{
  errors = errors + " User Id cannot be null";
}
return errors;

In the validation script, you can specify a list of accounts that are excluded from reconciliation and provisioning operations. Accounts whose user IDs are in the exclusion list are not affected by reconciliation and provisioning operations.

The following is a sample Validation Groovy Script that implements resource exclusion:

def errors = "";
def excludedUsers = ['user01','user02'];
// Allow-list pattern: one or more alphanumeric or underscore characters
def regexStr = /^[a-zA-Z0-9_]+$/;
if (User_Id != null && !User_Id.matches(regexStr)) errors = errors + " Invalid UserId";
if (excludedUsers.contains(User_Id)) errors = errors + " User Id lies in excluded list";
return errors;
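The transformation script above and the two validation scripts can be exercised outside Identity Manager before they are attached to an application. The following added example, which is not part of the Oracle documentation, evaluates scripts in a Groovy Binding the way the form fields are bound at runtime; FakeContext and FakeBeneficiary are constructed stand-ins for the real context object and model only the members the sample scripts read.

```groovy
import groovy.lang.Binding
import groovy.lang.GroovyShell

// Constructed stand-ins for the OIM "context" binding (an assumption, not the OIM API):
// only operationType, provisionMechanism and beneficiary.getAttribute() are modelled.
class FakeBeneficiary { Map attrs; def getAttribute(String n) { attrs[n] } }
class FakeContext { String operationType, provisionMechanism; FakeBeneficiary beneficiary }

// Transformation script in the page's style: a POLICY-driven create derives
// Common_Name and User_Full_DN from the beneficiary and the Organization_Name field.
String transformScript = '''
if (binding.variables.containsKey("context") && context.operationType == "create"
        && context.provisionMechanism == "POLICY") {
    First_Name = context.beneficiary.getAttribute("First Name")
    Last_Name = context.beneficiary.getAttribute("Last Name")
    Common_Name = First_Name + " " + Last_Name
    if (Organization_Name != null && Organization_Name.indexOf("~") != -1) {
        User_Full_DN = "CN=" + Common_Name + "," + Organization_Name.tokenize("~")[1]
    }
}
'''

// Validation script: null-safe, allow-list regex (note the "+"), and a
// case-insensitive exclusion check so that "USER01" cannot slip past the list.
String validationScript = '''
def errors = ""
def excludedUsers = ['user01', 'user02']
if (User_Id == null || User_Id == "") {
    errors += " User Id cannot be null"
} else {
    if (!User_Id.matches(/^[a-zA-Z0-9_]+$/)) errors += " Invalid UserId"
    if (excludedUsers.contains(User_Id.toLowerCase())) errors += " User Id lies in excluded list"
}
return errors
'''

// Evaluate a script as OIM does: form fields become bound variables, and any
// variable the script assigns is read back from the binding afterwards.
Map runScript(String script, Map fields) {
    Binding b = new Binding(new HashMap(fields))
    def result = new GroovyShell(b).evaluate(script)
    [result: result, vars: b.variables]
}

def ctx = new FakeContext(operationType: 'create', provisionMechanism: 'POLICY',
        beneficiary: new FakeBeneficiary(attrs: ['First Name': 'Jane', 'Last Name': 'Doe']))
def t = runScript(transformScript, [context: ctx, Organization_Name: 'Org~OU=Users,DC=example,DC=com'])
assert t.vars.User_Full_DN == 'CN=Jane Doe,OU=Users,DC=example,DC=com'
assert runScript(validationScript, [User_Id: 'jdoe']).result == ''
assert runScript(validationScript, [User_Id: 'USER01']).result == ' User Id lies in excluded list'
assert runScript(validationScript, [User_Id: 'j.doe;x']).result == ' Invalid UserId'
```

Run it with the groovy command; a failing assertion prints the offending script result, which is the same value the Applications page would show as the validation error.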

Action scripts can be configured to run before or after the create, update, enable, disable, change password, and delete provisioning operations. For example, you can configure a script to run before a user is created.

The following action script creates a text file with the given name on the target system. You can configure this script for the AD connector.

echo create >> C:\%givenName%.txt

21.11 Troubleshooting Application Onboarding

Problems that you encounter while performing application onboarding may be related to authorization or may reflect issues with template creation.

This section describes the troubleshooting procedures to follow as you resolve issues during application onboarding.

Problem

A user who is a member of an organization other than the default organization cannot create an application.

Solution

Make sure that the user has the correct administration roles. Only users who have the ApplicationInstanceAdministrator administration role can perform the following actions in the Applications option of Identity Self Service:

  • Create, modify, delete, or search applications within organizations that are defined under the scope of control of the administration roles.

  • Create, modify, delete, or search applications within the parent organization.

For more information on administration roles, see Managing Administration Roles.

Problem

You can generate a template for applications that were created through Connector Installer before or after you upgrade the applications by using the Application Template Generation job.

Solution

Lookup.AOB.Certified.Bundles must have an entry for the bundle of the application for which the template is being generated. Lookup.AOB.Certified.Bundles must be updated with the following inputs:

  • Key: The name of the bundle that contains advanced configuration information.

  • Value: The connector display name (the <connector name>-CI.xml file must be present in the configuration folder).

    The connector display name and the connector version are set in the generated template. If a unique connector display name cannot be identified for a given bundle name, the value in the lookup is set to Unidentified, and the connector display name and connector version are not set when the template is generated. It is the Application Administrator's responsibility to set the correct connector display name and version.

Note:

Only certified bundles are part of this lookup.

Problem

The resource history for a provisioned account shows additional process tasks for field updates.

Solution

This is expected. Process tasks are created for all fields in the schema attribute except Writeback and SOD fields, and each of these process tasks handles a single field update. When a derived attribute and its value are updated as part of a transformation script, the corresponding process task is triggered, so the resource history for a provisioned account may show additional process tasks for derived attributes.

Problem

Logging for the application onboarding package oracle.iam.application is enabled, but the log does not cover the entire flow.

Solution

Application onboarding relies on the existing provisioning, reconciliation, scheduler, and catalog engines. To enable logging for application onboarding, logging of all the underlying engines should be enabled.

Problem

When you try to manage an application that was created by using the Applications option in Identity Self Service from the Design Console, it shows unexpected behavior.

Solution

Applications that are created by using the Applications option in Identity Self Service must not be managed from the Design Console.