5 Using the Microsoft Active Directory User Management Connector
You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
The following topics discuss information related to using the connector for performing reconciliation and provisioning operations:
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.5.1 Guidelines on Using the Microsoft Active Directory User Management Connector
These guidelines give information on what to do when using the connector.
You must apply the following guidelines while performing reconciliation and provisioning operations:
5.1.1 Guidelines on Configuring Reconciliation
The following are guidelines that you must apply while configuring reconciliation:
-
Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before user reconciliation runs.
-
If you are using Oracle Identity Governance release 11.1.2.x or later, then before you perform a reconciliation run, create an application instance.
-
The scheduled job for user reconciliation must be run before the scheduled job for reconciliation of deleted user data.
-
In the identity reconciliation mode, if you want to configure group reconciliation, then note that group reconciliation does not cover reconciliation of updates to existing groups on the target system. If you modify the name of a group on the target system, then it is reconciled as a new group in Oracle Identity Governance.
-
In the identity reconciliation mode, if you want to configure organization reconciliation, then note that:
-
Organization reconciliation does not cover reconciliation of updates to existing organization names on the target system. If you modify the name of an organization on the target system, then it is reconciled as a new organization in Oracle Identity Governance.
-
Organization reconciliation events created by the scheduled job for organization reconciliation (Active Directory Organization Recon) must be successfully processed before the scheduled job for trusted source reconciliation (Active Directory User Trusted Recon) is run. In other words, organization reconciliation must be run and the organization records reconciled from the target system must be successfully linked in Oracle Identity Governance.
-
On the target system, users are created in specific organizations. During trusted source reconciliation of user data, if you want OIM Users to be created in the same organizations on Oracle Identity Governance, then you must set the MaintainHierarchy attribute of the trusted source reconciliation scheduled task to
yes
. In addition, you must configure organization reconciliation to run before trusted source reconciliation. -
In Oracle Identity Governance, the organization namespace is a flat namespace although it allows parent-child hierarchical relationships between organizations. Therefore, two Microsoft Active Directory OUs with the same name cannot be created in Oracle Identity Governance, even if they have different parent OUs on the target system.
-
The name of an organization in Oracle Identity Governance cannot contain special characters, such as the equal sign (=) and comma (,). However, these special characters can be used in the name of an organization on the target system.
-
The synchronization of organization lookup fields is independent of whether or not you configure organization reconciliation.
-
-
If you are going to configure Microsoft AD LDS as the trusted source, then you must ensure that a value (either
true
orfalse
) is set for the msDS-UserAccountDisabled field of each user record on the target system. In Microsoft ADAM, the msDS-UserAccountDisabled field does not have a default value. -
The Filter attribute must contain only attributes that are present in the Decode column of the lookup definition that holds reconciliation attribute mapping.
5.1.2 Guidelines on Performing Provisioning Operations
The following are guidelines that you must apply while performing provisioning operations:
-
Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before provisioning operations.
-
When both Microsoft Active Directory User Management and Microsoft Exchange connectors are deployed in your environment, do not specify a value for the Redirection Mail Id field.
If you specify a value for the Redirection Mail Id field during a user provisioning operation, then a corresponding mail user account is created in Microsoft Exchange. When an Exchange mail user account is created through Active Directory, then some of the fields of an Exchange mail user account such as Maximum Receive Size cannot be updated. This also means that the Microsoft Exchange Connector cannot be used for further provisioning operations of this user. This is because the user is already created in Microsoft Exchange as a Mailuser.
Note that the Microsoft Exchange connector cannot be used to convert Mailuser, mail user accounts created in the manner described in the preceding paragraph, to Mailbox as this is not allowed by the target. Therefore, it is recommended not to specify a value for the Redirection Mail Id field if both Microsoft Active Directory and Microsoft Exchange connector are deployed.
-
Passwords for user accounts provisioned from Oracle Identity Governance must adhere to the password policy set in Microsoft Active Directory.
Note:
If you install Microsoft ADAM in a domain controller then it acquires all the policies of Microsoft Active Directory installed in the same domain controller. If you install Microsoft ADAM in a workgroup, then the local system policies are applied.
In Microsoft Active Directory, password policies are controlled through password complexity rules. These complexity rules are enforced when passwords are changed or created. While changing the password of a Microsoft Active Directory account by performing a provisioning operation on Oracle Identity Governance, you must ensure that the new password adheres to the password policies on the target system.
See Also:
For more information about password guidelines applicable on the target system, see the Microsoft Active Directory User Management documentation.
-
Some Asian languages use multibyte character sets. If the character limit for fields on the target system is specified in bytes, then the number of Asian-language characters that you can enter in a particular field may be less than the number of English-language characters that you can enter in the same field. The following example illustrates this point:
Suppose you can enter 50 characters of English in the User Last Name field of the target system. If you have configured the target system for the Japanese language, then you would not be able to enter more than 25 characters in the same field.
-
The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Governance fields. For example, ensure that the value you specify for the User Login field in Oracle Identity Governance contains no more than 20 characters. This is because the sAMAccountName attribute in the target system (corresponding to the User Login field in Oracle Identity Governance) cannot contain more than 20 characters.
-
On the target system, the Manager Name field accepts only DN values. Therefore, when you set or modify the Manager Name field on Oracle Identity Governance, you must enter the DN value.
For example:
cn=abc,ou=lmn,dc=corp,dc=com
-
If the value that you specify for the Manager Name field contains special characters, then you must prefix each special character with a backslash (
\
). For example, if you want to specify CN=John Doe #2,OU=sales,DC=example,DC=com as the value of the Manager Name field, then you must specify the following as the value:CN=John Doe \#2,OU=sales,DC=example,DC=com
The following is the list of special characters that must be prefixed with a backslash (\):
-
Number sign (
#
) -
Backslash (
\
) -
Plus sign (
+
) -
Equal sign (
=
) -
Comma (
,
) -
Semicolon (
;
) -
Less than symbol (
<
) -
Greater than symbol (
>
) -
Quotation mark (
"
)
-
-
While specifying a value for the Home Directory field, follow these guidelines:
-
The value must always begin with two backslashes (\\).
-
The value must contain at least one backslash (\), but not at the end.
Correct sample values:
\\
SOME_MACHINE
\
SOME_SHARE
\
SOME_DIRECTORY
\\
SOME_MACHINE
\
SOME_SHARE
\
SOME_DIRECTORY
\
SOME_OTHER_DIRECTORY
Incorrect sample values:
\\
SOME_MACHINE
\
SOME_SHARE
\
\\
SOME_MACHINE
-
-
If you want to provision users and groups under the Users container, then include the following entry in the Lookup.ActiveDirectory.OrganizationalUnits lookup definition:
Code Key:
IT_RESOURCE_KEY
~CN=Users,DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com
Decode:
IT_RESOURCE_NAME
~CN=Users,DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com
In the Code Key and Decode values, replace:
-
IT_RESOURCE_KEY with the numeric code assigned to each IT resource in Oracle Identity Governance. You can determine the value of the IT resource key by performing lookup field synchronization of organizational units and then finding the IT resource key from the code key value of the Lookup.ActiveDirectory.OrganizationalUnits lookup definition.
-
IT_RESOURCE_NAME with the name of the IT resource in Oracle Identity Governance.
-
5.2 Configuring Reconciliation
You can configure the connector to specify the type of reconciliation and its schedule.
This section discusses the following topics related to configuring reconciliation:
5.2.1 Performing Full Reconciliation and Incremental Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.
In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance.
For performing a full reconciliation run, values for the following parameters of the jobs for reconciling user records must not be present:
-
Batch Start
-
Filter
-
Latest Token
At the end of the reconciliation run, the Latest Token parameter of the job for user record reconciliation is automatically set to the highest value of the uSNChanged attribute of a domain controller that is used for reconciliation. From the next run onward, only records created or modified after the value in the latest token attribute are considered for reconciliation. This is incremental reconciliation.
5.2.2 Performing Limited Reconciliation
These topics help you understand limited reconciliation and the ways in which it can be achieved.
5.2.2.1 About Limited Reconciliation
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.
You can perform limited reconciliation the first time you perform a reconciliation run. In other words, by using filters or by specifying a search base while configuring a scheduled job for full reconciliation, you can perform limited reconciliation.
5.2.2.2 Performing Limited Reconciliation By Using Filters
You can perform limited reconciliation by creating filters for the reconciliation module.
This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the Microsoft Active Directory resource attributes to filter the target system records. Table 5-1 lists the filter syntax that you can use and the corresponding description and sample values.
Note:
Filters with wildcard characters are not supported.
Table 5-1 Keywords and Syntax for the Filter Attribute
Filter Syntax | Description |
---|---|
String Filters |
|
startsWith('ATTRIBUTE_NAME','PREFIX') |
Records whose attribute value starts with the specified prefix are reconciled. Example: In this example, all records whose userPrincipalName begins with 'John' are reconciled. |
endsWith('ATTRIBUTE_NAME','SUFFIX') |
Records whose attribute value ends with the specified suffix are reconciled. Example: In this example, all records whose last name ends with 'Doe' are reconciled. |
contains('ATTRIBUTE_NAME','STRING') |
Records where the specified string is contained in the attribute's value are reconciled. Example: In this example, all records whose display name contains 'Smith' are reconciled. |
containsAllValues('ATTRIBUTE_NAME',['STRING1','STRING2', . . . ,'STRINGn']) |
Records that contain all the specified strings for a given attribute are reconciled. Example: In this example, all records whose objectClass contains both "top" and "person" are reconciled. |
Equality and Inequality Filters |
|
equalTo('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value is equal to the value specified in the syntax are reconciled. Example: In this example, all records whose sAMAccountName is Sales Organization are reconciled. |
greaterThan('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value (string or numeric) is greater than (in lexicographical or numerical order) the value specified in the syntax are reconciled. Example 1: In this example, all records whose common name is present after the common name 'bob' in the lexicographical order (or alphabetical order) are reconciled. Example 2: In this example, all records whose employee number is greater than 1000 are reconciled. |
greaterThanOrEqualTo('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value (string or number) is lexographically or numerically greater than or equal to the value specified in the syntax are reconciled. Example 1: In this example, all records whose sAMAccountName is equal to 'S' or greater than 'S' in lexicographical order are reconciled. Example 2: In this example, all records whose employee number is greater than or equal to 1000 are reconciled. |
lessThan('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value (string or numeric) is less than (in lexicographical or numerical order) the value specified in the syntax are reconciled. Example 1: In this example, all records whose last name is present after the last name 'Smith' in the lexicographical order (or alphabetical order) are reconciled. Example 2: In this example, all records whose employee number is less than 1000 are reconciled. |
lessThanOrEqualTo('ATTRIBUTE_NAME','VALUE') |
Records whose attribute value (string or numeric) is lexographically or numerically less than or equal to the value specified in the syntax are reconciled. Example 1: In this example, all records whose sAMAccountName is equal to 'A' or less than 'A' in lexicographical order are reconciled. Example 2: In this example, all records whose employee number is less than or equal to 1000 are reconciled. |
Complex Filters |
|
<FILTER1> & <FILTER2> |
Records that satisfy conditions in both filter1 and filter2 are reconciled. In this syntax, the logical operator & (ampersand symbol) is used to combine both filters. Example: In this example, all records whose common name starts with John and last name ends with Doe are reconciled. |
<FILTER1> | <FILTER2> |
Records that satisfy either the condition in filter1 or filter2 are reconciled. In this syntax, the logical operator | (vertical bar) is used to combine both filters. Example: In this example, all records that contain 'Andy' in the sAMAccount Name attribute or records that contain 'Brown' in the last name are reconciled. |
not(<FILTER>) |
Records that do not satisfy the given filter condition are reconciled. Example: In this example, all records that does not contain the common name 'Mark' are reconciled. |
5.2.2.3 Performing Limited Reconciliation By Using the Search Base Attribute
You can perform limited reconciliation by using the Search Base parameter of the reconciliation job.
By specifying a value for the Search Base parameter, you can limit the container from which the user, group, or organization records must be reconciled. This is the starting point for the search in the hierarchial structure for objects in Microsoft Active Directory.
5.2.3 Performing Batched Reconciliation
You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid such problems.
To configure batched reconciliation, specify values for the following parameter of the reconciliation jobs:
-
Batch Size: Use this parameter to specify the number of records that must be included in each batch.
-
Batch Start: Use this parameter to specify the record number from which batched reconciliation must begin.
-
Number of Batches: Use this parameter to specify the total number of batches that must be reconciled. The default value of this parameter is
All.
If you do not want to implement batched reconciliation, then accept the default value. When you accept the default value, the values of the Batch Size, Batch Start, Sort By, and Sort Direction parameters are ignored. -
Sort By: Use this parameter to specify the name of the target system field by which the records in a batch must be sorted.
-
Sort Direction: Use this parameter to specify the whether records being fetched must be sorted in ascending or descending order. The value of this parameter can be either
asc
ordesc.
If batched reconciliation fails, then you only need to rerun the reconciliation job without changing the values of the job parameters.
After completing batched reconciliation, if you want to perform incremental reconciliation, then specify the value of the highestCommittedUSN attribute (see Step 3 of Preupgrade Steps) as the value of the Latest Token parameter. From the next reconciliation run onward, the reconciliation engine automatically enters a value for the Latest Token parameter.
Note:
Sorting large number of records on the target system fails during batched reconciliation. Therefore, it is recommended that you use the PageSize parameter of Advanced Settings Parameters to fetch records from the target system.
5.3 Scheduled Jobs for Lookup Field Synchronization
Scheduled jobs for lookup field synchronization fetch the most recent values from specific fields in the target system to lookup definitions in Oracle Identity Governance. These lookup definitions are used as an input source for lookup fields in Oracle Identity Governance.
The following are the scheduled jobs for lookup field synchronization:
Note:
The procedure to configure these scheduled tasks is described later in the guide.
-
Active Directory Group Lookup Recon
This scheduled task is used to synchronize group lookup fields in Oracle Identity Governance with group-related data in the target system.
-
Active Directory Organization Lookup Recon
This scheduled task is used to synchronize organization lookup fields in Oracle Identity Governance with organization-related data in the target system.
Table 5-2 describes the attributes of both scheduled jobs.
Table 5-2 Attributes of the Scheduled Tasks for Lookup Field Synchronization
Attribute | Description |
---|---|
Code Key Attribute |
Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows:
Note: You must not change the value of this attribute. |
Decode Attribute |
Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows:
|
Filter |
Enter a filter to filter out records to be stored in the lookup definition. For more information about the Filter attribute, see Performing Limited Reconciliation. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile records. Sample value: |
Lookup Name |
Enter the name of the lookup definition in Oracle Identity Governance that must be populated with values fetched from the target system. Note: If the lookup name that you specify as the value of this attribute is not present in Oracle Identity Governance, then this lookup definition is created while the scheduled job is run. Depending on the scheduled job you are using, the default values are as follows:
|
Object Type |
This attribute holds the name of the type of object you want to reconcile. Depending on the scheduled job you are using, the default values are as follows:
|
5.4 Configuring and Running Group Reconciliation
There are two scenarios in which group reconciliation can be performed.
Depending on the scenario in which you want to perform group reconciliation, perform one of the following procedures:
-
See Reconciling Target System Groups into Individual Organizations to reconcile each target system group into an organization of its own.
-
See Reconciling Target System Groups a Single Organization to reconcile each target system group into a single organization.
5.4.1 Reconciling Target System Groups into Individual Organizations
Create an organizational unit in Oracle Identity Governance with the name of the group (available in the target system), and then reconcile groups to this newly created organizational unit. In other words, suppose a scenario in which you want every target system group to be reconciled into an organization of its own.
To perform group reconciliation in this scenario:
5.4.2 Reconciling Target System Groups a Single Organization
This procedure describes how to perform group reconciliation when all groups available on the target system must be reconciled under the same organizational unit in Oracle Identity Governance. In other words, suppose a scenario in which you want all target system groups to be reconciled into a single organization.
To perform group reconciliation in this scenario:
5.5 Configuring and Running Organization Reconciliation
You can configure and run the scheduled job for organization reconciliation.
The following is the procedure to run the scheduled job for organization reconciliation:
Note:
OIM created Organizations do not relate to the OU objects on the Directory Resources of Microsoft Active Directory. The connector does not support the creation of any OU objects in OIM which can then be provisioned to Microsoft Active Directory. Instead, OUs can be created directly on the Directory Services of Microsoft Active Directory.
In addition, as a best practice, ensure that all newly created OUs and other objects are fetched into OIM from the target system by performing a trusted resource reconciliation run.
5.6 Configuring Reconciliation Jobs
Configure reconciliation jobs to perform reconciliation runs that check for new information on your target system periodically and replicates the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
5.7 Performing Provisioning Operations
You create a new user in Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
- Log in to Identity Self Service.
- Create a user as follows:
- In Identity Self Service, click Manage. The Home tab displays the different Manage option. Click Users. The Manage Users page is displayed.
- From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
- Enter details of the user in the Create User page.
- On the Account tab, click Request Accounts.
- In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
- Specify value for fields in the application form and then click Ready to Submit.
- Click Submit.
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page5.8 Connector Objects Used for Groups Management
Learn about the objects that are used by the connector to perform group management operations such as create, update, and delete.
5.8.1 Preconfigured Lookup Definitions for Group Operations
The lookup definitions for Groups are automatically created in Oracle Identity Governance after you create the application by using the connector.
5.8.1.1 Lookup.ActiveDirectory.GM.Configuration
The Lookup.ActiveDirectory.GM.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.
Table 5-3 lists the default entries in this lookup definition.
Table 5-3 Entries in the Lookup.ActiveDirectory.GM.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map |
Lookup.ActiveDirectory.GM.ProvAttrMap |
This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.ActiveDirectory.GM.ProvAttrMap for more information about this lookup definition. |
Provisioning Validation Lookup |
Lookup.ActiveDirectory.GM.ProvValidation |
This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition. |
Recon Attribute Defaults |
Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults |
This entry holds the name of the lookup definition that maps fields on the group form and their default values. See Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults for more information about this lookup definition. |
Recon Attribute Map |
Lookup.ActiveDirectory.GM.ReconAttrMap |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.ActiveDirectory.GM.ReconAttrMap for more information about this lookup definition. |
Recon Transformation Lookup |
Lookup.ActiveDirectory.GM.ReconTransformation |
This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During Reconciliation for Groups and Organizational Units for more information about adding entries in this lookup definition. |
Recon Validation Lookup |
Lookup.ActiveDirectory.GM.ReconValidation |
This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults for more information about adding entries in this lookup definition. |
5.8.1.2 Lookup.ActiveDirectory.GM.ProvAttrMap
The Lookup.ActiveDirectory.GM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and is used during group provisioning operations.
You can add entries in this lookup definitions if you want to map new target system attributes for provisioning.
Table 5-4 Default Entries in the Lookup.ActiveDirectory.GM.ProvAttrMap
Group Field on Oracle Identity Governance (Code Key) | Target System Field (Decode) | Description |
---|---|---|
__NAME__ |
__NAME__="CN=${Group_Name},${Organization_Name}" |
Group name with full DN |
Display Name |
displayName |
Display name for a group |
Group Name |
sAMAccountName |
Group name |
Group Type |
groupType |
Group type |
Organization Name[LOOKUP,IGNORE] |
IGNORED |
Name of the organization to which the group belongs |
Unique Id |
__UID__ |
Object GUID of the group |
5.8.1.3 Lookup.ActiveDirectory.GM.ReconAttrMap
The Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is preconfigured and used for performing target resource group reconciliation runs.
Table 5-5 lists the group fields of the target system from which values are fetched during reconciliation. The Active Directory Group Recon scheduled job is used to reconcile group data.
You can add entries in this lookup definitions if you want to map new target system attributes for reconciliation.
Table 5-5 Entries in the Lookup.ActiveDirectory.GM.ReconAttrMap
Group Field on Oracle Identity Governance (Code Key) | Microsoft Active Directory Field (Decode) | Description |
---|---|---|
Display Name |
displayName |
Display name for a group |
Group name |
sAMAccountName |
Group name |
Group Type |
groupType |
Group type |
OIM Org Name |
sAMAccountName |
OIM organization name Note that this value does not contain the DN. |
Organization Name[LOOKUP] |
ad_container |
Organization name with DN format For example, |
Org Name |
sAMAccountName |
Organization name without DN format |
Org Type |
OIM Organization Type |
Organization type |
Unique Id |
__UID__ |
Object GUID of the group |
5.8.1.4 Lookup.ActiveDirectory.GM.ProvValidation
The Lookup.ActiveDirectory.GM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during group provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units or more information about adding entries in this lookup definition.
5.8.1.5 Lookup.ActiveDirectory.GM.ReconTransformation
The Lookup.ActiveDirectory.GM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During Reconciliation for Groups and Organizational Units for more information about adding entries in this lookup definition.
5.8.1.6 Lookup.ActiveDirectory.GM.ReconValidation
The Lookup.ActiveDirectory.GM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during group reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.
5.8.1.7 Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults
The Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults lookup definition holds mappings between reconciliation fields (for group) and their default values. This lookup definition is used when there is a mandatory field on the group form, but no corresponding field in the target system from which values can be fetched during group reconciliation.
This lookup definition is empty by default. If you add entries to this lookup definition, then the Code Key and Decode values must be in the following format:
Code Key: Name of the reconciliation field of the AD Group resource object
Decode: Corresponding default value to be displayed
For example, assume a field named Group ID is a mandatory field on the group form. Suppose the target system contains no field that stores information about the group ID for an account. During reconciliation, no value for the Group ID field is fetched from the target system. However, as the Group ID field cannot be left empty, you must specify a value for this field. Therefore, create an entry in this lookup definition with the Code Key value set to Group ID
and Decode value set to GRP1223.
This implies that the value of the Group ID field on the group form displays GRP1223 for all accounts reconciled from the target system.
5.8.1.8 Lookup.ActiveDirectory.GroupTypes
The Lookup.ActiveDirectory.GroupTypes lookup definition holds information about group types that you can select for the group that you create through Oracle Identity Governance. The following is the format of the Code Key and Decode values in this lookup definition:
Code Key: Group type code on the target system
Decode: Corresponding group type to be displayed in the Group Type lookup field of the OIM User form
5.8.2 Reconciliation Scheduled Jobs for Groups Management
After you create an application, reconciliation scheduled jobs are automatically created in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for its attributes.
You must specify values for the attributes of the following scheduled jobs:
5.8.2.1 Active Directory Group Recon
Use the Active Directory Group Recon scheduled job to reconcile group data from the target system.
Table 5-6 Attributes of the Active Directory Group Recon Scheduled Job
Attribute | Description |
---|---|
Filter |
Expression for filtering records. See Performing Limited Reconciliation By Using Filters for more information. Default value: Note: While creating filters, ensure to use attributes specific to Groups. |
Incremental Recon Attribute |
Enter the name of the target system attribute that holds last update-related number, non-decreasing value. For example, The value in this attribute is used during incremental reconciliation to determine the newest or most youngest record reconciled from the target system. Default value: Note: Do not change the value of this attribute. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile group or organization data. Default value: |
Latest Token |
This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Sample value: Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups or organizational units whose uSNChanged value is greater than the Latest Token attribute value are reconciled. |
Object Type |
Type of object to be reconciled. Default value: |
Organization Name |
Enter the name of the organization to which all groups fetched from the target system is linked. See Configuring and Running Group Reconciliation for more information on the usage of this attribute. |
Organization Type |
Type of organization to be created in Oracle Identity Governance. Default value: |
Resource Object Name |
Name of the resource object that is used for reconciliation. Default value: |
Scheduled Task Name |
Name of the scheduled task used for reconciliation. Default value: |
Search Base |
Enter the container in which the search for group records must be performed during reconciliation. Sample Value: Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute. |
Search Scope |
Enter Enter Note: If you want to enter onelevel, then ensure that you do not include a space between "one" and "level." Default value: |
5.8.2.2 Active Directory Group Delete Recon
Use the Active Directory Group Delete Recon scheduled job to reconcile data about deleted groups.
Table 5-7 Attributes of the Active Directory Group Delete Recon Scheduled Job
Attribute | Description |
---|---|
Delete Recon |
Specifies whether delete reconciliation must be performed. Default value: Note: Do not change the value of this attribute. |
IT Resource Name |
Name of the IT resource instance that the connector must use to reconcile group data. Default value: |
Object Type |
This attribute holds the type of object you want to reconcile. Default value: |
Resource Object Name |
Enter the name of the resource object against which reconciliation runs must be performed. Default value: |
Scheduled Task Name |
This attribute holds the name of the scheduled task. Default value: |
Sync Token |
This attribute must be left blank when you run delete reconciliation for the first time. This ensures that data about all records that are deleted from the target system are fetched into Oracle Identity Governance. After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that are deleted since the last reconciliation run ended are fetched into Oracle Identity Governance. This attribute stores values in the following format:
A value of A value of |
Organization Name |
Enter the name of the organization to which data about all deleted groups fetched from the target system is linked. There are two scenarios in which group reconciliation is performed. These scenarios are described in Configuring and Running Group Reconciliation. If you have configured the connector to perform group reconciliation in scenario 1, then you need not specify a value for this attribute. In case you specify a value, it is ignored by the connector. If you have configured the connector to perform group reconciliation in scenario 2, then enter the same organization name specified for the Organization Name attribute of the Active Directory Group Recon scheduled job. |
5.8.3 Reconciliation Rules and Action Rules for Groups Management
Reconciliation rules are used by the reconciliation engine to determine the identity to which Oracle Identity Governance must assign a newly discovered account on the target system. Reconciliation action rules define that actions the connector must perform based on the reconciliation rules.
5.8.3.1 Reconciliation Rule for Groups
The following is the process-matching rule for groups:
Rule name: AD Group
Rule element: Organization Name Equals OIM Org Name
In this rule element:
-
Organization Name is the Organization Name field of the OIM User form.
-
OIM Org Name is the name of the group in Oracle Identity Governance. OIM Org Name is the value specified in the Organization Name attribute of the ActiveDirectory Group Recon scheduled job.
5.8.3.2 Reconciliation Action Rules for Groups
Table 5-8 lists the action rules for groups reconciliation.
Table 5-8 Action Rules for Reconciliation
Rule Condition | Action |
---|---|
No Matches Found |
Assign to Authorizer With Least Load |
One Entity Match Found |
Establish Link |
One Process Match Found |
Establish Link |
5.9 Connector Objects Used for Organizational Units Management
Learn about the objects that are used by the connector to perform organizational units management operations such as create, update, and delete.
5.9.1 Preconfigured Lookup Definitions for Organizational Unit Operations
The lookup definitions for Organizational Units are automatically created in Oracle Identity Governance after you create the application by using the connector.
5.9.1.1 Lookup.ActiveDirectory.OM.Configuration
The Lookup.ActiveDirectory.OM.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.
Table 5-9 lists the default entries in this lookup definition.
Table 5-9 Entries in the Lookup.ActiveDirectory.OM.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map |
Lookup.ActiveDirectory.OM.ProvAttrMap |
This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.ActiveDirectory.OM.ProvAttrMap for more information about this lookup definition. |
Provisioning Validation Lookup |
Lookup.ActiveDirectory.OM.ProvValidation |
This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults for more information about adding entries in this lookup definition. |
Recon Attribute Defaults |
Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults |
This entry holds the name of the lookup definition that maps fields on the organizational unit form and their default values. See Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults for more information about this lookup definition. |
Recon Attribute Map |
Lookup.ActiveDirectory.OM.ReconAttrMap |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.ActiveDirectory.OM.ReconAttrMap for more information about this lookup definition. |
Recon Transformation Lookup |
Lookup.ActiveDirectory.OM.ReconTransformation |
This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults for more information about adding entries in this lookup definition. |
Recon Validation Lookup |
Lookup.ActiveDirectory.OM.ReconValidation |
This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults for more information about adding entries in this lookup definition. |
5.9.1.2 Lookup.ActiveDirectory.OM.Configuration.Trusted
The Lookup.ActiveDirectory.OM.Configuration.Trusted lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during trusted source reconciliation runs for organizational units.
Table 5-10 lists the default entries in this lookup definition.
Table 5-10 Entries in the Lookup.ActiveDirectory.OM.Configuration.Trusted Lookup Definition
Code Key | Decode | Description |
---|---|---|
Recon Attribute Defaults |
Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults |
This entry holds the name of the lookup definition that maps fields on the organizational unit form and their default values. See Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults for more information about this lookup definition. |
Recon Attribute Map |
Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted for more information about this lookup definition. |
5.9.1.3 Lookup.ActiveDirectory.OM.ProvAttrMap
The Lookup.ActiveDirectory.OM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and used during provisioning.
You can add entries in this lookup definitions if you want to map new target system attributes for provisioning.
Table 5-11 Entries in the Lookup.ActiveDirectory.OM.ProvAttrMap
Organizational Unit Field on Oracle Identity Governance (Code Key) | Target System Field (Decode) | Description |
---|---|---|
__NAME__ |
__NAME__="OU=$(Display_Name),$(Container) |
Organizational unit name with full DN |
Container[LOOKUP,IGNORE] |
IGNORED |
Organization name with DN formatFor example, |
Display Name[IGNORE] |
IGNORED |
Display name for an organizational unit |
Unique Id |
__UID__ |
Object GUID of the organizational unit |
5.9.1.4 Lookup.ActiveDirectory.OM.ReconAttrMap
The Lookup.ActiveDirectory.OM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is preconfigured and used for performing target resource reconciliation runs for organizational units.
You can add entries in this lookup definitions if you want to map new target system attributes for reconciliation.
Table 5-12 Default Entries in the Lookup.ActiveDIrectory.OM.ReconAttrMap
Organization Field on Oracle Identity Governance (Code Key) | Microsoft Active Directory Field (Decode) | Description |
---|---|---|
Container[LOOKUP] |
ad_container |
Organization name with DN format.For example, |
Display Name |
ou |
Display name for an organizational unit |
Unique Id |
__UID__ |
Object GUID of the organizational unit |
5.9.1.5 Lookup.ActiveDirectory.OM.ProvValidation
The Lookup.ActiveDirectory.OM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations for organizational units. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.
5.9.1.6 Lookup.ActiveDirectory.OM.ReconTransformation
The Lookup.ActiveDirectory.OM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during reconciliation of organizational units. See Configuring Transformation of Data During Reconciliation for Groups and Organizational Units for more information about adding entries in this lookup definition.
5.9.1.7 Lookup.ActiveDirectory.OM.ReconValidation
The Lookup.ActiveDirectory.OM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units for more information about adding entries in this lookup definition.
5.9.1.8 Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted
The Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted lookup definition holds mappings between resource object fields and target system attributes. This lookup definitions is preconfigured and used during trusted source reconciliation runs for organizational units. Table 5-13 lists the default entries.
You can add entries in this lookup definitions if you want to map new target system attributes for reconciliation.
Table 5-13 Default Entries in the Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted Lookup Definition
OIM User Form Field (Code Key) | Target System Field (Decode) |
---|---|
Org Name |
ou |
5.9.1.9 Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults
The Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults lookup definition holds mappings between fields on the organizational unit form and their default values. This lookup definition is used when there is a mandatory field on the organizational unit form, but no corresponding field in the target system from which values can be fetched during organizational unit reconciliation.
This lookup definition is empty by default. If you add entries to this lookup definition, then the Code Key and Decode values must be in the following format:
Code Key: Name of the reconciliation field of the AD Organizational Unit resource object
Decode: Corresponding default value to be displayed
For example, assume a field named Organization ID is a mandatory field on the organizational unit form. Suppose the target system contains no field that stores information about the organization ID for an account. During reconciliation, no value for the Organization ID field is fetched from the target system. However, as the Organization ID field cannot be left empty, you must specify a value for this field. Therefore, create an entry in this lookup definition with the Code Key value set to Organization ID
and Decode value set to ORG1332.
This implies that the value of the Organization ID field on the organizational unit form displays ORG1332 for all accounts reconciled from the target system.
5.9.2 Reconciliation Scheduled Job for Organization Unit Management
You use the Active Directory Organization Recon scheduled job to reconcile organization unit data from the target system. This scheduled job is automatically created in Oracle Identity Governance after you create an application. You must configure this scheduled job to suit your requirements by specifying values for its attributes.
Table 5-14 Attributes of the Active Directory Organization Recon Scheduled Job
Attribute | Description |
---|---|
Filter |
Expression for filtering records. See Performing Limited Reconciliation By Using Filters for more information. Default value: Note: While creating filters, ensure to use attributes specific to Organizational Units. |
Incremental Recon Attribute |
Enter the name of the target system attribute that holds last update-related number, non-decreasing value. For example, The value in this attribute is used during incremental reconciliation to determine the newest or most youngest record reconciled from the target system. Default value: Note: Do not change the value of this attribute. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile organization data. Default value: |
Latest Token |
This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Sample value: Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups or organizational units whose uSNChanged value is greater than the Latest Token attribute value are reconciled. |
Object Type |
Type of object to be reconciled. Default value: |
Resource Object Name |
Name of the resource object that is used for reconciliation. Default value: |
Scheduled Task Name |
Name of the scheduled task used for reconciliation. Default value: |
Search Base |
Enter the container in which the search for organization records must be performed during reconciliation. Sample Value: Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute. |
Search Scope |
Enter Enter Note: If you want to enter onelevel, then ensure that you do not include a space between "one" and "level." Default value: |
5.9.3 Reconciliation Rules and Action Rules for Organizational Units Management
Reconciliation rules are used by the reconciliation engine to determine the identity to which Oracle Identity Governance must assign a newly discovered account on the target system. Reconciliation action rules define that actions the connector must perform based on the reconciliation rules.
5.9.3.1 Reconciliation Rule for Organizational Units
The following is the process-matching rule for organizational units:
Rule name: AD Organizational Unit
Rule element: Organization Name Equals Display Name
In this rule element:
-
Organization Name is the Organization Name field of the OIM User form.
-
Display Name is the name of an organizational unit in Oracle Identity Governance.
5.9.3.2 Reconciliation Action Rules for Organizational Units
Table 5-15 lists the action rules for groups reconciliation.
Table 5-15 Action Rules for Reconciliation
Rule Condition | Action |
---|---|
No Matches Found |
Assign to Authorizer With Least Load |
One Entity Match Found |
Establish Link |
One Process Match Found |
Establish Link |
5.10 Uninstalling the Connector
Uninstalling the connector deletes all the account-related data associated with its resource objects.
If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for ObjectType
and ObjectValues
properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType
property and a semicolon-separated list of object values corresponding to your connector (for example, ActiveDirectory User; ActiveDirectory Group) as the value of the ObjectValues
property.
Note:
If you set values for theConnectorName
and Release
properties along with the ObjectType
and ObjectValue
properties, then the deletion of objects listed in the ObjectValues
property is performed by the utility and the Connector information is skipped.
For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.