21 Managing Application Onboarding
Use the application onboarding capability in Oracle Identity Self Service to create and manage applications, application templates, and instance applications, and to clone applications.
This chapter contains the following sections:
Note:
The Design Console has been deprecated in this release. Use the new Applications page in Identity Self Service to do any of the following:
-
Install ICF-based connector packages by using the application template-based install process.
-
Install the template-based 12c connectors.
-
Manage IT resource instances for template-based applications.
21.1 About Application Onboarding
This section describes the following concepts:
21.1.1 What Is Application Onboarding?
Application onboarding is the process of registering or associating an application with Oracle Identity Manager so that Oracle Identity Manager can provision or reconcile user information in or from that application.
Oracle Identity Manager provides a quick and convenient way to onboard applications by using the Applications option on the Manage tab in Identity Self Service. You can perform all the necessary configurations to onboard an application from a single console.
This simplified solution has the following benefits:
-
You can configure new or existing applications by using a single user interface: Identity Self Service.
-
You can export an application configuration as an application template and create further applications from that template, instead of repeating the configuration in Oracle Identity Manager for each application.
21.1.2 Application Onboarding Concepts
Some of the key concepts related to application onboarding are application authorization, application types, application templates, disconnected applications, instance creation, cloning of applications, validation and transformation of provisioning and reconciliation attributes, and the elements of the application template.
The concepts related to application onboarding are described in the following sections.
21.1.2.1 Application Authorization
Users can access the Applications option in Identity Self Service if they have one of the following authorizations:
-
Any user with the Application Instance Administrator or System Administrator admin role can manage applications by using the Applications option.
-
Any user with the Application Instance Administrator admin role can manage the entire life cycle of the applications that are published to the user's home organization and to the organizations within the scope of control of the admin role.
21.1.2.2 Application Types
You can create two types of applications:
-
Target Application: A target application is an application on which users can request accounts through the access request catalog. A target application can be either connected or disconnected; accounts on disconnected applications must be provisioned manually.
-
Authoritative Application: For an authoritative application, Oracle Identity Manager reconciles account data from the application through reconciliation jobs and represents that data as Oracle Identity Manager users. An authoritative application cannot be requested through the access request catalog: Oracle Identity Manager only pulls data from it. The users created from that data are then granted accounts on target applications through requests or access policies. For example, an HRMS application that is managed entirely by an HR department is the source of employee records. Oracle Identity Manager pulls the records from the HRMS application and creates or updates users from them, and those users are then provisioned to the various target applications through request and approval.
The application onboarding capability in Identity Self Service allows you to create applications in two ways:
-
From a connector package: Oracle Identity Manager provides predefined connectors with default templates, which include all the target system-specific details, such as provisioning and reconciliation mappings, reconciliation actions, and reconciliation matching rules.
Note:
You can install the predefined connectors for which default templates are not available by using the Manage Connector option on the Provisioning Configuration tab in Identity System Administration interface.
-
Using application templates: If saved application templates are present in the system, then you can create a new application by using these templates.
21.1.2.3 Application Template
An application template is an XML representation of all the configurations that are relevant to an application instance. It contains all the information required for provisioning to a target system and reconciliation from a target system. In addition, it contains other details, such as publication information, connectivity details, and other advanced configurations that are specific to a target system. You can save an application configuration as a template and use it later to create an application. Application templates must be placed in a folder.
You can create templates in the following ways:
-
Create a template by using the Save as Template option on the Create Application page. See Creating Applications.
-
Run the Application Template Generation Job to generate the template. The folder in which the template is to be saved is passed as a parameter to the job. This is useful for applications that were created by using the Connector Installer before or after an upgrade, because templates are not generated for these applications by default.
See Predefined Scheduled Tasks in Administering Oracle Identity Governance for information about this scheduled task.
-
Import templates using the Import option in Deployment Manager. See Importing Deployment in Administering Oracle Identity Governance for information about importing entities using Deployment Manager.
-
Create a template manually using the sample template.
Note:
-
For authoritative applications, create an application instance using the ApplicationInstanceService.addApplicationInstance(ApplicationInstance appInst) API and then use Application Template Generation Job to generate the template.
-
The applications that are created through the Create Application option contain schema attributes for all the values present in the lookup. These schema attributes may include attributes that were previously derived attributes, such as _NAME_. When a new UI form is created, these attributes must be removed. To remove these attributes, customize the form by using a sandbox.
See Managing Forms in Administering Oracle Identity Governance for more information on customizing the form by using the sandbox.
21.1.2.4 Disconnected Applications
Disconnected resources are targets for which there are no connectors. Therefore, you must provision these resources manually. You can create applications for disconnected resources by using the Applications page in Identity Self Service.
See Managing Disconnected Resources in Administering Oracle Identity Governance for information about the disconnected resources and disconnected application instances.
21.1.2.5 Instance Creation
Instance creation allows you to create an instance of an application that shares the configurations of the base application but has its own connectivity options.
The following configurations are shared between the base and instance applications:
-
Advanced configurations
-
Schema configurations
-
Provisioning configuration
-
Reconciliation configuration
An instance application has its own attributes and configurations for:
-
Application Name
-
Application Display Name
-
Application Description
-
Basic Configurations
-
Catalog attributes
-
Organization publication
Note:
Configurations that are shared with the base application cannot be modified by using the Edit Application option on the instance.
21.1.2.6 Cloning Applications
When an application is cloned, all the configurations of the base application are copied into the cloned application.
21.1.2.7 Validation and Transformation of Provisioning and Reconciliation Attributes
When you create an application by using Identity Self Service, you can validate and transform provisioning attributes before they are passed to the target system, and reconciliation attributes before they are stored in Oracle Identity Manager. The application onboarding capability in Identity Self Service lets you write Groovy script-based validation and transformation logic. See Creating a Target Application or Creating an Authoritative Application for information about where to include these scripts.
Suppose that you want to manage accounts on an Oracle Database target through Oracle Identity Manager, with the following requirements:
-
The account fields are User ID, Organization, First Name, and Last Name.
-
The User ID field cannot be null or empty.
-
The user ID must end with @example.com. For example, if the requested user ID is test, then it must be transformed to test@example.com on the target.
-
If the user does not provide organization details, then the default value Server Technology must be set.
To meet these requirements, you can create the following validation script and transformation script while creating the application.
Validation Groovy Script:
def errors = "";
if(User_Id == null || User_Id ==""){
errors = errors+" User Id cannot be null";
}
return errors;
Transformation Groovy Script:
if(Organization == null || Organization == "")
{
Organization = "Server Technology";
}
User_Id = User_Id.toString()+"@example.com";
Validation Groovy Script for Resource Exclusion:
In the validation script, specify a list of user IDs for accounts that must be excluded from reconciliation and provisioning operations. The following is a sample script:
def errors = "";
def excludedUsers = ['user01','user02'];
// String.matches() requires the whole value to match, so no trailing anchor is needed
def regexStr = /^[a-zA-Z0-9_]+/;
// Check for null first: calling matches() on a null User_Id would throw a NullPointerException
if(User_Id == null || User_Id == ""){
    errors = errors+" User Id cannot be null";
} else {
    if(!User_Id.matches(regexStr)) errors = errors+" Invalid UserId";
    if(excludedUsers.contains(User_Id)) errors = errors+" User Id lies in excluded list";
}
return errors;
See About Customizing Groovy Scripts for more sample scripts and information about transformation of attributes.
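The following validation script combines the checks from the Oracle Database scenario above (null check, character set, exclusion list) into one script that also uses the Groovy Helper context described later in this chapter. It is an added example and is not from the Oracle documentation. It assumes that the account schema defines the display names User Id, First Name and Last Name (so the script variables are User_Id, First_Name and Last_Name), that a user ID is at most 30 characters, that the excluded list is maintained in the script, and, as an illustrative policy, that an administrator-driven provisioning (ADMIN mechanism) may bypass the exclusion list while request- and policy-driven provisioning may not.

```groovy
// Added example, not Oracle's code. Attribute variables are the schema display
// names with spaces replaced by underscores. The 30-character limit, the
// excluded list and the "ADMIN may bypass exclusion" policy are assumptions.
def errors = ""
def excludedUsers = ['user01', 'user02'] as Set        // assumption: excluded account IDs
def userIdPattern = ~/^[a-zA-Z0-9_]{1,30}/              // ==~ matches the whole value

// 1. Null/empty check first, so that nothing below can throw a NullPointerException.
if (User_Id == null || User_Id.toString().trim() == "") {
    errors += " User Id cannot be null"
    return errors                 // nothing else can be validated without a user ID
}
def uid = User_Id.toString().trim()

// 2. Character set and length. '@' is deliberately not allowed here: the
//    transformation script appends the @example.com suffix itself, so a value
//    that already carries a domain would end up with two suffixes.
if (!(uid ==~ userIdPattern)) {
    errors += " Invalid UserId (letters, digits and underscore only, at most 30 characters)"
}

// 3. Exclusion list. The 'context' binding is present only during provisioning,
//    so check for it before reading context.provisionMechanism. When the script
//    runs as a reconciliation validation script, the exclusion is unconditional.
def bypass = false
if (binding.variables.containsKey("context") && context.provisionMechanism == "ADMIN") {
    bypass = true                 // assumption: administrators may provision excluded accounts
}
if (!bypass && excludedUsers.contains(uid.toLowerCase())) {
    errors += " User Id lies in excluded list"
}

// 4. The target schema in the scenario has First Name and Last Name; treat both as mandatory.
if (First_Name == null || First_Name.toString().trim() == "") errors += " First Name is required"
if (Last_Name == null || Last_Name.toString().trim() == "")   errors += " Last Name is required"

// An empty string means the data is valid; any other value is reported as the validation error.
return errors
```

The early return after the null check is what makes the rest of the script safe: every later check calls a method on User_Id, and a validation script that itself throws an exception reports a script failure rather than the intended validation message.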
21.1.2.8 Important Elements in the Application Template XML
Some important elements and structures of the application template XML file are:
- applicationName: The application name. It must be unique and cannot be more than 200 characters.
- applicationDisplayName: The display name of the application.
- connectorDisplayName: The connector display name, which is used for locating the connector bundle. It is read-only for the user; the value is included with the default template in the connector bundle.
- connectorVersion: The connector version, which is used for locating the connector bundle. It is read-only for the user; the value is included with the default template in the connector bundle.
- basicConfigurations: The connectivity details for the target system, such as host and port. The list of parameters varies from target to target.
- advanceConfigurations: The target-specific configurations that the bundle uses while provisioning to or reconciling from the target system. The list of parameters varies from target to target.
- objectClass: Each template has at least one object class, which represents the object on the target system that is provisioned or reconciled. An object class contains the following:
  - provisioningConfig: Provisioning-related configurations:
    - validationScript: Groovy validation scripts that are executed before provisioning to the target system.
    - transformationScript: Groovy transformation scripts that are executed before the data is provisioned.
    - capabilities: A list of the operations that the bundle supports on the target system.
  - reconConfig: Reconciliation-related configurations:
    - reconJobDetails: A list of the jobs that reconcile data into Oracle Identity Manager.
    - identityCorrelationRule: The rule for owner matching. It is defined between a target attribute and an Oracle Identity Manager user attribute.
    - situationResponses: A list of situations and their corresponding responses. For example, for the situation No Matches Found, the response may be Create User.
    - validationScript: Groovy validation scripts that are executed before the data is reconciled into Oracle Identity Manager.
    - transformationScript: Groovy transformation scripts that are executed before the data is reconciled into Oracle Identity Manager.
  - form: Specifies one parent form per objectClass. The form contains the following:
    - schemaAttributes: The schema configuration for the objectClass. Each schema attribute has the following attributes:
      - name: The name of the attribute on the target system.
      - dataType: The data type of the attribute. For example, String.
      - displayName: The name of the attribute in Oracle Identity Manager.
      - length: The length of data that can be stored in the attribute. If this attribute is not supplied in the template, it is configured with the default length. This attribute is not exposed in the interface.
      - identityAttribute: The name of the user attribute that maps to this account attribute. A change to the user attribute forces the corresponding account attribute to be updated on the target system.
        Note: The list of schemaAttributes does not include the user password. If you want to add this capability, then select the capability in the Settings tab, from the provisioning options.
      - keyField: Defines the reconciliation account matching rule.
      - keyFieldCaseInsensitive: Defines whether the reconciliation account matching rule is case insensitive.
      - required: Indicates whether the attribute is required.
      - fieldType: The type of the schema attribute. This attribute exists for legacy purposes and is not exposed to the user. If the type is not specified in the template, the attribute is configured with the default type.
      - entitlement: Marks the schema attribute as an entitlement. This property is inherited by child schema attributes.
      - reconcileable: Indicates whether the attribute can be reconciled.
      - provisionable: Indicates whether the attribute can be provisioned. This property is inherited from the parent schema attribute.
      - encrypted: Indicates whether the attribute is encrypted.
      - advanceFlags: Advanced flags such as Lookup, Date, and WriteBack:
        - Lookup: Use Lookup if the tilde (~) must be removed from the attribute value before the value is sent to the target.
        - Date: Use Date if the dataType attribute matches the date on the target.
        - WriteBack: Use WriteBack if the attribute must be populated from the target after provisioning.
      - Account Discriminator: Sets the schema attribute as the discriminator for accounts. You can select multiple provisionable fields as account discriminators. See Terminologies Used in Access Policies for more information about account discriminators.
      - listOfValues: The name of the lookup that lists the values for the attribute.
      - defaultValue: The value to be used during reconciliation when no value for the attribute is available on the target system.
      - provideOldValueOnUpdate: Set to true if the old value of this attribute must be propagated to the target during an update.
      - dependentAttribute: The attribute whose value is supplied to the target application during an update of this attribute.
        Note: provideOldValueOnUpdate and dependentAttribute are not supported at the same time. Either the old value or the dependent attribute is passed to the target during the attribute update.
    - form: Specifies the child form (or forms) of the parent or root form. A child form corresponds to a multi-valued attribute.
      - Use Bulk: Select this option to configure the Update Child Table Values Bulk adapter for all child table-related operations. Some targets support only bulk updates of child values for all operations, including adding a new child, updating an existing child, and removing a child. For these targets, the Use Bulk option must be selected for each child form.
- catalogAttributes: The list of catalog attributes:
  - Audit Objective: A text field that provides any relevant value or description for Oracle Identity Analytics (OIA) certification.
  - Risk Level: The level of risk for the entity. The supported values are Low Risk, Medium Risk, and High Risk.
  - User Defined Tags: A value that describes the catalog item and that can be used for searching the entity.
  - Approver User: The user who can approve the catalog item. This is used when processing a request for the catalog item or during attestation.
  - Approver Role: The role that can approve the catalog item.
  - Certifier User: The user who can certify the catalog item.
  - Certifier Role: The role that can certify the catalog item.
  - Fulfillment User: The user who can complete or fulfill a request for the catalog item.
  - Fulfillment Role: The role that can complete or fulfill a request for the catalog item.
  - Certifiable: Specifies whether the catalog item is certifiable.
- organizations: The list of organizations to which the application is published.
- parentApplicationName: The name of the application on which the current application depends. For example, if the AD Exchange application depends on the AD application, then parentApplicationName is set to the AD application.
21.2 Searching Applications
On the Applications page, you can search for applications based on the application name, display name, connector name, and base application.
21.3 Creating Applications
You can use the Create Application option to create a target application or an authoritative application.
Creating applications is described in the following sections:
21.3.1 Creating a Target Application
Creating a target application includes steps such as providing basic information, updating schema attributes, reviewing and updating settings for default attributes, and verifying the application information.
To navigate to the Create Application wizard, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. From the Actions menu, click Create, and then select Target. Alternatively, click Create on the toolbar, and select Target to open the Create Application wizard.
From this point onward, page-wise instructions are provided in the following sections:
21.3.1.1 Providing Basic Information for Target Application
21.3.1.2 Providing Schema Information for Target Application
On the Schema page, you can manage the account and entitlement schema attributes. You can edit or delete existing attributes from the schema. After you perform all required actions on the Schema page, click Next to go to the Settings page.
Adding attributes and child form is described in the following sections:
21.3.1.2.2 Adding Child Forms
- Click Add Child Form. The Add Child Form window is displayed.
- Enter the form name and click OK. The new child form is created.
- Enter the attribute details. These are the same as the attribute details described in Adding Attributes.
- Provide the following application attribute details: Display Name, Target Attribute, and Data Type.
- Provide the following Provisioning Property: Mandatory
- Provide the following Reconciliation Properties: Recon Field, Key Field, and Case Insensitive.
- To add additional properties to the attribute, click the icon. The Advanced Settings window is displayed. Provide the following advanced settings: Lookup, Date, WriteBack, and Entitlement (select this if the attribute must be marked as an entitlement).
- For targets that support only bulk update of child values, select Use Bulk option.
- Click Delete Form to remove the child form.
21.3.1.3 Providing Settings Information for Target Application
On the Settings page, you can review and customize the default settings related to provisioning, reconciliation, catalog, and organization publication. After you perform all required actions on the Settings page, click Next to go to the Finish page.
Expand the Preview Settings tab and perform the following:
21.3.1.3.1 Updating the Provisioning Configuration
21.3.1.3.2 Updating the Reconciliation Configuration
On the Reconciliation tab, you can review or customize the required predefined matching rules, situations and responses, and reconciliation jobs.
Perform the following to update the reconciliation configuration:
21.3.1.3.2.1 Updating Identity Correlation Rule
21.3.1.3.2.2 Updating Situations and Responses
- To add new situation and responses, click Add.
- Select the situation from the Situation list, for example, No matches found, One entity match found and so on.
- Select an appropriate response for the situation from the Response list, for example, Create User, Establish Link and so on.
21.3.1.3.2.3 Updating Validation and Transformation Scripts
Note:
-
You cannot add or manage scripts for applications that were created through the Connector Installer. However, the Java-based transformation and validation provided through the Design Console continue to work.
-
You can access any provisioning attribute value in the Groovy script by its display name as defined in the Schema section, with each space in the display name replaced by an underscore character (_).
21.3.1.3.3 Updating the Organization Configuration
- Click Add to open the Add Organization window.
- Search for the organization. Select the required organization from the search result table, and click Select.
- Select Hierarchy Aware if you want to publish this application to the organization and its child organizations.
21.3.1.3.4 Updating the Catalog Configuration
In the Catalog tab, you can set the catalog metadata for the application.
You can update the following attributes:
-
Category: Enter the category for the application.
-
User Defined Tags: Enter the user-defined tags for this application.
-
Audit Objective: Enter the objective of the audit.
-
Auditable: Select Yes if the application is auditable or No if it is not.
-
Requestable: Select Yes if the application is requestable or No if it is not. The following fields are enabled if Requestable is set to Yes:
-
Fulfillment Role: Click Search icon to search and select the fulfillment role.
-
Approver User: Click Search icon to search and select the user.
-
Approver Role: Click Search icon to search and select approver role.
-
Fulfillment User: Click Search icon to search and select the fulfillment user.
Certifiable: Select Yes if the application is certifiable or No if it is not. The following fields are enabled if Certifiable is set to Yes:
-
Certifier User: Click Search icon to search and select the certifier user.
-
Certifier Role: Click Search icon to search and select the certifier role.
Risk Level: Select the risk levels, High Risk, Medium Risk, or Low Risk.
21.3.1.4 Verifying the Target Application Details
On the Finish page, review the details used to create the application. If anything needs to be changed, click Back and make the required changes. If the details are fine, then click Finish to create an application.
When you are prompted whether you want to create a default request form, click Yes or No.
If you choose to create a default request form, then the default form is created with the same name as the application. The default form cannot be modified later. Therefore, if you want to customize it, you must create a new form. To view the new default form, you must log in again to Oracle Identity Self Service. Other users can view the default form as soon as it is created.
If you want to perform any sandbox- related changes after you create an application, then you must log out from the current Oracle Identity Self Service session and log in again.
21.3.2 Creating an Authoritative Application
Creating an authoritative application includes steps such as providing basic information, updating schema attributes, reviewing and updating settings for default attributes, and verifying the application information.
To navigate to the Create Application wizard, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. From the Actions menu, click Create, and then select Authoritative. Alternatively, click Create on the toolbar, and select Authoritative to open the Create Application wizard.
From this point onward, page-wise instructions are provided in the following sections:
21.3.2.1 Providing Basic Information for Authoritative Application
21.3.2.2 Providing Schema Information for Authoritative Application
21.3.2.3 Providing Settings Information for Authoritative Application
On the Settings page, you can review and customize the default settings related to reconciliation and organization publication. After you perform all required actions on the Settings page, click Next to go to the Finish page.
21.3.2.3.1 Updating the Reconciliation Configuration
On the Reconciliation tab, you can review or customize the required predefined matching rules, situations and responses, and reconciliation jobs.
Perform the following to update the reconciliation configuration:
21.3.2.3.1.1 Updating Identity Correlation Rule
21.3.2.3.1.2 Updating Situations and Responses
- To add new situation and responses, click Add.
- Select the situation from the Situation list, for example, No matches found, One entity match found and so on.
- Select an appropriate response for the situation from the Response list, for example, Create User, Establish Link and so on.
21.3.2.3.1.3 Updating Validation and Transformation Scripts
Note:
-
You cannot add or manage scripts for applications that were created through the Connector Installer. However, the Java-based transformation and validation provided through the Design Console continue to work.
-
You can access any reconciliation attribute value in the Groovy script by its display name as defined in the Schema section, with each space in the display name replaced by an underscore character (_).
21.3.2.3.2 Updating the Organization Configuration
- Click Add to open the Add Organization window.
- Search for the organization. Select the required organization from the search result table, and click Select.
- Select Hierarchy Aware if you want to publish this application to the organization and its child organizations.
21.4 Creating Templates
You can use the Create Application option to create a target template or an authoritative template and save it in the database for future use.
Creating templates is described in the following sections:
21.4.2 Creating a Target Template
- Perform all the steps described in Creating a Target Application until you reach the Finish page of the Create Target Application wizard.
- In the Finish page:
21.5 Modifying Applications
You can edit applications that were created by using the Connector Installation Wizard or applications that were created by using the Create Application option.
The following sections describe how to edit applications:
21.5.1 Editing an Application That Was Created by Using the Connector Installation Wizard
When an authoritative application is created by using the Connector Installation wizard, no default application instance is created. Therefore, the application cannot be edited on the Applications page of the Identity Self Service. To edit an authoritative application that was created by using the Connector Installation wizard, follow these steps:
-
Create an application instance for this application by using the ApplicationInstanceService.addApplicationInstance(ApplicationInstance appInst) API.
-
After the application instance is created, run the default Application Template Generation Job that creates a template for the application.
Note:
You cannot add or manage scripts for applications that are created through Connector Installer. However, the Java-based transformation and validation that the Design Console provides continues to work.
21.6 Cloning Applications
When you clone an application, all the configurations of the base application are copied into the cloned application.
21.7 Creating Instance Applications
You can create an application instance that has the same configurations as the base application.
Note:
The following configurations are shared with the base application and cannot be changed in the instance application:
-
Advanced configurations
-
Schema configurations
-
Provisioning configuration
-
Reconciliation configuration
- Log in to Oracle Identity Self Service.
- Click the Manage tab. Click the Applications box to open the Applications page.
- Select the application.
- From the Action menu, select Create Instance. Alternatively, click Create Instance on the toolbar to open the Create Instance Application page.
- On the Basic Information tab:
- Depending on the base application that is selected, the Settings tab may include information that can be updated. If the base application is a target application, then the Organization and Catalog tabs are displayed. If the base application is an authoritative application, then the Organization tab is displayed. Change values of the attributes as required.
- Click Apply.
21.8 Creating Applications in Bulk
You can load base applications and instance applications in bulk by using the Application Bulk Create scheduled task.
See Predefined Scheduled Tasks in Administering Oracle Identity Governance for information about this scheduled task.
The templates are processed in the following way:
-
The templates that do not contain a base application name are processed first, and new applications are created synchronously.
-
The templates that do contain a base application name are used to create instance applications. These templates are processed asynchronously.
See Application Template for more information about templates and how they are created.
Note:
When you create applications by using a job run of the Application Bulk Create scheduled task, use a sandbox to create the UI form from Identity System Administration.
21.9 Deleting Applications
You cannot delete applications from Oracle Identity Self Service.
In some situations, such as when the application creation process fails, the system may contain partially committed applications. To remove partially committed applications from the system, run the connector uninstall utility, as described in Uninstalling Connectors in Administering Oracle Identity Governance.
21.10 About Customizing Groovy Scripts
Groovy Helper provides options to help you transform and validate data during reconciliation or provisioning operations.
The following options are available:
-
Provisioning Mechanism Information: Use context.provisionMechanism to get the mechanism by which the account is being provisioned. The Groovy Helper returns one of the following values:
-
REQUEST
-
ADMIN
-
POLICY
These values are case-sensitive.
Operation Information: Use context.operationType to get the type of operation being performed. The Groovy Helper returns one of the following values:
-
create
-
modify
These values are case-sensitive.
Common Data Container Information:
-
Requester Information: Use context.requester to obtain the requester (the user who initiated the provisioning request) from the Groovy Helper. A user object is returned, from which any user attribute can be read. For example, context.requester.getAttribute("User Login") returns the user ID of the requester.
-
Requester Manager Information: Use context.requesterManager to obtain the requester's manager (the manager of the user who initiated the provisioning request) from the Groovy Helper. A user object is returned, from which any user attribute can be read. For example, context.requesterManager.getAttribute("User Login") returns the user ID of the requester's manager.
-
Beneficiary Information: Use context.beneficiary to obtain the beneficiary (the user for whom the provisioning request was initiated) from the Groovy Helper. A user object is returned, from which any user attribute can be read. For example, context.beneficiary.getAttribute("User Login") returns the user ID of the beneficiary.
-
Beneficiary Manager Information: Use context.beneficiaryManager to obtain the beneficiary's manager (the manager of the user for whom the provisioning request was initiated) from the Groovy Helper. A user object is returned, from which any user attribute can be read. For example, context.beneficiaryManager.getAttribute("User Login") returns the user ID of the beneficiary's manager.
-
Beneficiary Password Information: Use context.beneficiaryPassword to obtain the beneficiary's password from the Groovy Helper. Handle this value with care: do not log it, and do not copy it into a schema attribute that is not marked as encrypted.
Note:
For more information on how to access user attributes, see the User Management APIs.
-
You can use the Groovy Helper methods in the following way:
-
Derived attributes: You can form attributes which are dependent on two or more other attributes. For example, the full name attribute is a combination of the first name, middle name, and last name attributes.
User_Id = context.beneficiary.getAttribute("User Login");
First_Name = context.beneficiary.getAttribute("First Name");
Last_Name = context.beneficiary.getAttribute("Last Name");
Middle_Name = context.beneficiary.getAttribute("Middle Name");
Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
-
Default value attributes: You can form attributes whose default value must be populated. For example, if the user does not provide organization details, then the default value is set to Server Technology. (Groovy keywords are case-sensitive, so the condition must be written as if, not If.)
if (Organization == null || Organization == "") { Organization = "Server Technology"; }
-
Transformed attributes: You can form attributes whose value is transformed. For example, @example.com is appended to the User ID attribute.
User_Id = User_Id.toString()+"@example.com";
In the following sample script, based on the type of provisioning (such as REQUEST, POLICY, or ADMIN) and on the type of operation being performed (such as creation or modification), data is transformed. All the variable values are initialized and available for provisioning and reconciliation operations, except resultList, which is defined and declared in the script itself.
def resultList;
// context is bound only when the script runs inside a provisioning or reconciliation operation.
if (binding.variables.containsKey("context"))
{
    if(context.operationType.equals("create"))
    {
        // Access-policy based creation: there is no request form, so read the user data from the beneficiary.
        if(context.provisionMechanism.equals("POLICY"))
        {
            User_Id = context.beneficiary.getAttribute("User Login");
            First_Name = context.beneficiary.getAttribute("First Name");
            Last_Name = context.beneficiary.getAttribute("Last Name");
            Middle_Name = context.beneficiary.getAttribute("Middle Name");
            Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
            Common_Name = Full_Name;
            Password = context.beneficiaryPassword;
        }
        // Request or administrator based creation: the name parts are already bound from the form.
        else if(context.provisionMechanism.equals("REQUEST") || context.provisionMechanism.equals("ADMIN"))
        {
            Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
            Common_Name = Full_Name;
        }
        // Organization_Name carries "<name>~<container DN>"; the DN part becomes the parent of the account.
        if(Organization_Name != null && Organization_Name.indexOf("~") != -1)
        {
            resultList = Organization_Name.tokenize("~");
            User_Full_DN = "CN=" + Common_Name + "," + resultList[1];
        }
    }
    else if(context.operationType.equals("modify"))
    {
        Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
        Common_Name = Full_Name;
        if(Organization_Name != null && Organization_Name.indexOf("~") != -1)
        {
            resultList = Organization_Name.tokenize("~");
            User_Full_DN = "CN=" + Common_Name + "," + resultList[1];
        }
    }
}
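The sample above concatenates name parts without checking for null (a missing middle name yields "John. null. Doe"), indexes resultList[1] without checking that the split produced two parts, and places Common_Name into the DN unescaped, so a common name containing a comma, plus sign or similar character alters the structure of the DN written to the directory. The following is an added example, not code from the Oracle documentation or from any connector, showing a null-safe variant that escapes the RDN value per RFC 4514. The variables context, First_Name, Middle_Name, Last_Name, Organization_Name, Password, User_Id, Common_Name, Full_Name and User_Full_DN are assumed to be bound by Oracle Identity Manager as described above; escapeRdnValue, buildFullName and buildUserDn are hypothetical helper names that exist only in this example.

```groovy
// Added example (not from the Oracle documentation): null-safe transformation
// with RFC 4514 escaping of the CN. OIM-bound variables are assumed to exist
// when 'context' is present; the helpers below are hypothetical names.

// Escape one attribute value for use inside an RDN (RFC 4514). Without this, a
// common name such as "Smith, J" or a value containing '+' or '<' changes the
// structure of the DN that is written to the directory.
def escapeRdnValue(String value) {
    if (value == null) return ""
    def sb = new StringBuilder()
    int last = value.length() - 1
    for (int i = 0; i <= last; i++) {
        String ch = value.substring(i, i + 1)
        boolean special = ch in [',', '+', '"', '\\', '<', '>', ';']
        // Leading space or '#' and trailing space must also be escaped.
        boolean edge = (i == 0 && ch in [' ', '#']) || (i == last && ch == ' ')
        if (special || edge) sb.append('\\')
        sb.append(ch)
    }
    return sb.toString()
}

// Join the name parts with the page's ". " separator, skipping parts that arrive
// as null or blank so a missing middle name does not yield "John. null. Doe".
def buildFullName(String first, String middle, String last) {
    return [first, middle, last].findAll { it != null && it.trim() != "" }
                                .collect { it.trim() }
                                .join(". ")
}

// Organization_Name is assumed to carry "<display name>~<container DN>" as in
// the sample above. Returns null when the value is missing or has no DN part
// instead of failing on resultList[1].
def buildUserDn(String commonName, String organizationName) {
    if (organizationName == null) return null
    def parts = organizationName.tokenize("~")
    if (parts.size() < 2 || parts[1].trim() == "") return null
    return "CN=" + escapeRdnValue(commonName) + "," + parts[1].trim()
}

if (binding.variables.containsKey("context")) {
    // Inside OIM: policy-based creation has no request form, so the name parts
    // and the password come from the beneficiary; REQUEST, ADMIN and modify
    // operations already carry the name parts as bound form variables.
    if (context.operationType == "create" && context.provisionMechanism == "POLICY") {
        User_Id     = context.beneficiary.getAttribute("User Login")
        First_Name  = context.beneficiary.getAttribute("First Name")
        Middle_Name = context.beneficiary.getAttribute("Middle Name")
        Last_Name   = context.beneficiary.getAttribute("Last Name")
        Password    = context.beneficiaryPassword
    }
    Full_Name   = buildFullName(First_Name, Middle_Name, Last_Name)
    Common_Name = Full_Name
    def dn = buildUserDn(Common_Name, Organization_Name)
    if (dn != null) User_Full_DN = dn
} else {
    // Outside OIM (plain `groovy transform.groovy`): constructed inputs only.
    assert escapeRdnValue("Smith, J+R") == "Smith\\, J\\+R"
    assert escapeRdnValue(" #lead") == "\\ #lead"
    assert buildFullName("John", null, "Doe") == "John. Doe"
    assert buildFullName("John", "Q", "Doe") == "John. Q. Doe"
    assert buildUserDn("Smith, J", "Sales~OU=Sales,DC=example,DC=com") ==
           "CN=Smith\\, J,OU=Sales,DC=example,DC=com"
    assert buildUserDn("Smith", "Sales") == null
    println "offline checks passed"
}
```

Because OIM only binds context inside a provisioning or reconciliation operation, the else branch runs only when the file is executed directly with the groovy command, which lets the helpers be checked before the script is pasted into the application's transformation script field.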
The following is a sample Validation Groovy Script that displays an error message if the User ID is not provided.
def errors = "";
if(User_Id == null || User_Id == "")
{
    errors = errors + " User Id cannot be null";
}
return errors;
In the validation script, you can specify a list of accounts that are excluded from reconciliation and provisioning operations. Accounts whose user IDs are specified in the exclusion list are not affected by reconciliation and provisioning operations.
The following is a sample Validation Groovy Script for resource exclusion:
def errors = "";
def excludedUsers = ['user01','user02'];
// Anchored pattern with a quantifier: one or more letters, digits, or underscores.
def regexStr = /^[a-zA-Z0-9_]+$/;
if(User_Id == null || !User_Id.matches(regexStr)) errors = errors + " Invalid UserId";
if(excludedUsers.contains(User_Id)) errors = errors + " User Id lies in excluded list";
return errors;
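The two validation samples above leave a few gaps a practitioner would want closed: a null User_Id is not rejected before the regular expression is applied, there is no length bound, and the exclusion check is case-sensitive even though directory logins are usually matched case-insensitively, so "USER01" would pass an exclusion of "user01". The following is an added example, not code from the Oracle documentation, in the same shape as the samples (an empty string on success, otherwise an error string). User_Id is assumed to be bound by Oracle Identity Manager when the script runs in a validation step; the exclusion list, the 20-character limit and the validateUserId helper are constructed for this example.

```groovy
// Added example (not from the Oracle documentation): validation script that
// rejects empty, over-long, malformed and excluded user IDs. User_Id is assumed
// to be bound by OIM; the list, limit and helper name are constructed here.
import groovy.transform.Field

// Directory logins are matched case-insensitively, so normalise the list once.
@Field List<String> EXCLUDED_USERS = ['user01', 'user02', 'Administrator']*.toLowerCase()
@Field int MAX_LENGTH = 20

def validateUserId(String userId) {
    def errors = []
    if (userId == null || userId.trim() == "") {
        return "User Id cannot be null"          // nothing else can be checked
    }
    if (userId.length() > MAX_LENGTH) {
        errors << "User Id longer than ${MAX_LENGTH} characters"
    }
    // Anchored and quantified: the whole value must be letters, digits or '_'.
    // An unquantified /^[a-zA-Z0-9_]$/ would accept only single-character IDs.
    if (!(userId ==~ /^[a-zA-Z0-9_]+$/)) {
        errors << "Invalid UserId"
    }
    // Compare in lower case; otherwise "USER01" bypasses an exclusion of "user01".
    if (EXCLUDED_USERS.contains(userId.toLowerCase())) {
        errors << "User Id lies in excluded list"
    }
    return errors.join("; ")
}

if (binding.variables.containsKey("User_Id")) {
    return validateUserId(User_Id)           // inside OIM: hand the result back
}

// Outside OIM (plain `groovy validate.groovy`): constructed inputs only.
assert validateUserId("jdoe") == ""
assert validateUserId(null) == "User Id cannot be null"
assert validateUserId("USER01") == "User Id lies in excluded list"
assert validateUserId("j doe") == "Invalid UserId"
assert validateUserId("x" * 25) == "User Id longer than 20 characters"
println "offline checks passed"
```

The constants are declared with @Field because a plain def at script level is local to the script's run method and is not visible inside methods such as validateUserId; that is a common reason a validation script that looks correct fails with a missing-property error once it is deployed.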
Action scripts are configured to run before or after the create, update, enable, disable, change user password, and delete provisioning operations. For example, you can configure a script to run before a user is created.
The following action script creates a text file on the target system whose name is taken from the user's givenName attribute. You can configure this script for the AD connector.
echo create >> C:\%givenName%.txt
21.11 Troubleshooting Application Onboarding
Problems that you encounter while performing application onboarding may be related to authorization or may reflect issues with template creation.
This section describes the troubleshooting procedures to follow as you resolve issues during application onboarding.
Problem
A user who is a member of an organization other than the default organization cannot create an application.
Solution
Make sure that the user has the correct administration roles. Only users who have the ApplicationInstanceAdministrator administration role can perform the following actions in the Applications option of Identity Self Service:
-
Create, modify, delete, or search applications within organizations that are defined under the scope of control of the administration roles.
-
Create, modify, delete, or search applications within the parent organization.
For more information on administration roles, see Managing Administration Roles.
Problem
You want to generate a template, by using the Application Template Generation job, for applications that were created through the Connector Installer, either before or after upgrading those applications.
Solution
Lookup.AOB.Certified.Bundles must have an entry for the bundle of the application for which the template is being generated. Update Lookup.AOB.Certified.Bundles with the following:
-
Key: The name of the bundle that contains advanced configuration information.
-
Value: The connector display name (the <connector name>-CI.xml file must be present in the configuration folder).
The connector display name and the connector version are set in the generated template. If a unique connector display name cannot be identified for a given bundle name, the value in the lookup is set to Unidentified, and the connector display name and connector version are not set when the template is generated. It is then the Application Administrator's responsibility to set the correct connector display name and version.
Note:
Only certified bundles are part of this lookup.
Problem
The resource history for a provisioned account shows additional process tasks for field updates.
Solution
This is expected. Process tasks are created for all fields in the schema attributes except the Writeback and SOD fields, and each of these process tasks updates a single field. When a derived attribute and its value are updated as part of a transformation script, the corresponding process task is also triggered, so the resource history for a provisioned account may show additional process tasks for derived attributes.
Problem
Logging for application onboarding is enabled for the oracle.iam.application package, but the log does not cover the entire flow.
Solution
Application onboarding relies on the existing provisioning, reconciliation, scheduler, and catalog engines. To capture the entire application onboarding flow, logging must also be enabled for all of these underlying engines.
Problem
When you try to manage, from the Design Console, an application that was created by using the Applications option in Identity Self Service, the application shows unexpected behavior.
Solution
Applications that are created by using the Applications option in Identity Self Service must not be managed from the Design Console.