21 Managing Application Onboarding

Use the application onboarding capability in Oracle Identity Self Service to create and manage applications, application templates, flat file configurations for applications, and application instances, to manage jobs, to upgrade applications, and to clone applications.

This chapter contains the following sections:

Note:

The Design Console has been deprecated in this release. Use the new Applications page in Identity Self Service to do any of the following:

  • Install ICF-based connector packages by using the application template-based install process.

  • Install the template-based 12c connectors.

  • Manage IT resource instances for template-based applications.

21.1 About Application Onboarding

This section describes the following concepts:

21.1.1 What Is Application Onboarding?

Application onboarding is the process of registering or associating an application with Oracle Identity Governance so that Oracle Identity Governance can provision or reconcile user information in or from that application.

Oracle Identity Governance provides a quick and convenient way to onboard applications by using the Applications option on the Manage tab in Identity Self Service. You can perform all the necessary configurations to onboard an application from a single console.

This simplified solution has the following benefits:

  • You can configure new or existing applications by using a single user interface: Identity Self Service.

  • You can export configurations as application templates and configure applications by using these templates, instead of Oracle Identity Governance.

21.1.2 Application Onboarding Concepts

Some of the key concepts related to application onboarding are application authorization, application types, application templates, disconnected connector applications, instance creation, cloning of applications, validation and transformation of provisioning and reconciliation attributes, and application template elements.

21.1.2.1 Application Authorization

Users can access the Application option in Identity Self Service if they have the following authorizations:

  • Any user with the Application Instance Administrator or System Administrator admin role can manage the application using the Application option.

  • Any user with the Application Instance Administrator admin role can manage the entire life cycle of the applications published within the user’s home organization and in the organizations that are within the scope of control of the admin role.

21.1.2.2 Application Types

You can create two types of applications:

  • Target Application: A target application allows users to request accounts through the access request catalog. The target application can be either connected or disconnected. Disconnected applications must be provisioned manually.

  • Authoritative Application: For an authoritative application, Oracle Identity Governance manages accounts and represents them as users across different reconciliation jobs. Authoritative applications cannot be requested through the access request catalog. Instead, Oracle Identity Governance pulls data from the application, represents it as users, and then grants those users access to different target applications through requests or access policies. For example, consider an HRMS application that is managed entirely by an HR department. User accounts are created in the HRMS application; Oracle Identity Governance pulls data from the HRMS application and represents these accounts as users, who are then granted access to various target applications through requests and approvals.

The application onboarding capability in Identity Self Service allows you to create applications in two ways:

  • From a connector package: Oracle Identity Governance provides predefined connectors with default templates, which include all the target system-specific details, such as provisioning and reconciliation mappings, reconciliation actions, and reconciliation matching rules.

    Note:

    You can install the predefined connectors for which default templates are not available by using the Manage Connector option on the Provisioning Configuration tab in the Identity System Administration interface.

  • Using application templates: If saved application templates are present in the system, then you can create new applications by using these templates.

21.1.2.3 Application Templates

An application template is an XML representation of all the configurations that are relevant to an application instance. It contains all the information required for provisioning to a target system and reconciliation from a target system. In addition, it contains other details, such as publication information, connectivity details, and other advanced configurations that are specific to a target system. You can save an application configuration as a template and use it later to create an application. Application templates must be placed in a folder.

You can create application templates in the following ways:

  • Create a template by clicking the Save as Template option in the Create Application page. See Creating Applications.

  • Run the Application Template Generation Job scheduled task to generate the template. The folder in which this template is to be saved is passed as a parameter to the job. This may be useful for applications that are created by using the Connector Installer before or after an upgrade. By default, templates are not generated for these applications.

    See Predefined Scheduled Tasks in Administering Oracle Identity Governance for information about this scheduled task.

  • Import templates by using the Import option in the Deployment Manager. See Importing Deployments in Administering Oracle Identity Governance for information about importing entities by using the Deployment Manager.

  • Create a template manually by using the sample template.

Note:

  • For authoritative applications, create an application instance by using the ApplicationInstanceService.addApplicationInstance(ApplicationInstance appInst) API, and then run the Application Template Generation Job to generate the template. See Java API Reference for Oracle Identity Governance for information about this API.

  • The applications that are created through the Create Application option contain the schema attributes related to all the values present in the lookup. These schema attributes might include previously derived attributes, such as _NAME_, which must be removed when a new UI form is created. To remove these attributes, customize the form by using a sandbox.

    See Managing Forms in Administering Oracle Identity Governance for more information on customizing forms by using sandboxes.

21.1.2.4 Disconnected Applications

Disconnected resources are targets for which there are no connectors. Therefore, you must provision these resources manually. You can create applications for disconnected resources from the Applications page in Identity Self Service.

See Managing Disconnected Resources in Administering Oracle Identity Governance for information about disconnected resources and disconnected application instances.

21.1.2.5 Instance Creation

You can create an instance of an application that shares the configurations of the base application but includes different connectivity options.

The following configurations are shared between the base and instance applications:

  • Advanced configuration

  • Schema configuration

  • Provisioning configuration

  • Reconciliation configuration

An instance application has its own attributes and configurations for:

  • Application Name

  • Application Display Name

  • Application Description

  • Basic Configurations

  • Catalog attributes

  • Organization publication

Note:

Configurations that are shared with the base application cannot be modified by editing an application from the Applications page.

21.1.2.6 Cloning Applications

When an application is cloned, all the configurations of the base application are copied into the cloned application.

21.1.2.7 Validation and Transformation of Provisioning and Reconciliation Attributes

When you create an application from Identity Self Service, you can validate and transform provisioning attributes before they are passed to the target system. The application onboarding capability in Identity Self Service lets you write Groovy script-based validation and transformation logic. See Creating a Target Application or Creating an Authoritative Application for more information on how to include these scripts.

Suppose you want to manage accounts on an Oracle Database target through Oracle Identity Governance. This situation has the following requirements:

  • The account fields are User ID, Organization, First Name, and Last Name.

  • The User ID field cannot be null.

  • The user ID must end with @example.com. For example, if the user ID is test, then during the request it must be transformed to test@example.com on the target.

  • If the user does not provide organization details, then the default value must be set to Server Technology.

To meet these requirements, you can create the following validation script and transformation script while creating the application.

Validation Groovy Script:

def errors = "";
// Reject a missing or empty User ID. An empty return string means the data is valid;
// any non-empty string is reported as a validation error.
if(User_Id == null || User_Id ==""){
    errors = errors+" User Id cannot be null";
}
return errors;

Transformation Groovy Script:

// Default the Organization when the requester leaves it empty.
if(Organization == null || Organization == "")
{
    Organization = "Server Technology";
}
// Assigning to the form variable changes the value that is sent to the target.
User_Id = User_Id.toString()+"@example.com";

Validation Groovy Script for Resource Exclusion:

In the validation script, you can specify a list of user IDs for accounts that must be excluded from reconciliation and provisioning operations. The following is a sample script to do so:

def errors = "";
// Accounts in this list are excluded from reconciliation and provisioning.
def excludedUsers = ['user01','user02'];
// String.matches() must match the whole value: letters, digits, and underscore only.
def regexStr = /^[a-zA-Z0-9_]+/;
if(!User_Id.matches(regexStr)) errors = errors+" Invalid UserId";
if(excludedUsers.contains(User_Id)) errors = errors+" User Id lies in excluded list";
return errors;

See About Customizing Groovy Scripts for more sample scripts and information about transformation of attributes.
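The following stand-alone Groovy script is an added example, not part of the Oracle documentation: it combines the validation and transformation logic for the Oracle Database scenario above (null check, allowed characters, excluded accounts, default Organization, @example.com suffix) and exercises both scripts through a small GroovyShell harness. The harness, which binds form fields such as User_Id and Organization as script variables, is an assumption that only mimics how Oracle Identity Governance exposes form values to these scripts; the suffix check is written so that re-running the transformation on an update does not append the domain twice.

```groovy
// Added example, not from the Oracle documentation. The GroovyShell harness
// below is an assumption: it mimics Oracle Identity Governance exposing each
// form field (User_Id, Organization, First_Name, Last_Name) as a script
// variable, so the two scripts can be exercised outside the server.

// Validation script: returns "" when the request is acceptable, otherwise a
// string that lists every problem found. A non-empty result blocks provisioning.
def validationScript = '''
def errors = ""
def excludedUsers = ['user01', 'user02']
// String.matches() requires the whole value to match, so only letters,
// digits and underscore are accepted (no spaces, quotes or separators).
def allowed = /[a-zA-Z0-9_]+/
if (User_Id == null || User_Id.toString().trim() == "") {
    errors += " User Id cannot be null"
} else {
    def id = User_Id.toString()
    if (!id.matches(allowed)) errors += " Invalid UserId"
    if (excludedUsers.contains(id)) errors += " User Id lies in excluded list"
}
return errors
'''

// Transformation script: fills the Organization default and appends the mail
// domain. Assigning to a form variable changes the value sent to the target.
def transformationScript = '''
def domain = "@example.com"
if (Organization == null || Organization.toString().trim() == "") {
    Organization = "Server Technology"
}
def id = User_Id?.toString()
// Append the domain once only; a re-run on update must not yield
// test@example.com@example.com.
if (id != null && !id.toLowerCase().endsWith(domain)) {
    User_Id = id + domain
}
'''

// Harness (assumption): evaluates a script with the form values bound as
// variables and returns the script's return value plus the resulting fields.
Map runScript(String script, Map fields) {
    def binding = new Binding(new LinkedHashMap(fields))
    def result = new GroovyShell(binding).evaluate(script)
    return [result: result, fields: binding.variables]
}

// Constructed sample request for the scenario described in the text.
def request = [User_Id: 'test', Organization: '', First_Name: 'Test', Last_Name: 'User']

assert runScript(validationScript, request).result == ""
def provisioned = runScript(transformationScript, request).fields
assert provisioned.User_Id == 'test@example.com'
assert provisioned.Organization == 'Server Technology'

// Requests that validation must reject.
assert runScript(validationScript, [User_Id: '', Organization: 'HR']).result.contains('cannot be null')
assert runScript(validationScript, [User_Id: 'bob smith', Organization: 'HR']).result.contains('Invalid UserId')
assert runScript(validationScript, [User_Id: 'user01', Organization: 'HR']).result.contains('excluded list')

// Running the transformation again (as an update would) leaves the id unchanged.
assert runScript(transformationScript, provisioned).fields.User_Id == 'test@example.com'
println "all checks passed"
```

Only the bodies of validationScript and transformationScript would be pasted into the script editors in Identity Self Service; the harness exists solely to check them offline.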

21.1.2.8 Important Elements in the Application Template XML

Some important elements and structures of the application template XML file are:

  • applicationName: The application name. It must be unique and cannot be more than 200 characters.

  • applicationDisplayName: Display Name of the application.

  • connectorDisplayName: The connector display name is used for locating the connector bundle and is a read-only field for the user. The value is included with the default template in the connector bundle.

  • connectorVersion: The connector version is used for locating the connector bundle and is a read-only field for the user. The value is included with the default template in the connector bundle.

  • basicConfigurations: The connectivity details for a target system, such as host and port. The list of parameters varies from target to target.

  • advanceConfigurations: The target-specific configurations, which are used by the bundle while performing provisioning or reconciliation to or from the target system. The list of parameters varies from target to target.

  • objectClass: Each template has at least one object class that represents the object on the target system to be provisioned or reconciled.

    • provisioningConfig: Provisioning related configurations:

      • validationScript: Groovy validation scripts that are executed before provisioning on the target system.

      • transformationScript: Groovy transformation scripts that are executed before provisioning the data.

      • capabilities: A list of operations supported by the bundle on the target system.

    • reconConfig: Reconciliation related configurations:

      • reconJobDetails: A list of jobs that reconcile the data into Oracle Identity Governance.

      • identityCorrelationRule: The rule for owner matching. This rule is defined between the target attribute and the Oracle Identity Governance user attribute.

      • situationResponses: A list of situations and their corresponding responses. For example, for an Authoritative Application, in a situation of No Matches Found, the response may be Create User.

        For a Target Application, in a situation of No Matches Found, the response may be Establish Link.

      • validationScript: Groovy validation scripts that are executed before reconciling the data into Oracle Identity Governance.

      • transformationScript: Groovy transformation scripts that are executed before reconciling the data into Oracle Identity Governance.

    • form: Specifies one parent form per objectClass.

      • schemaAttributes: The schema configuration for objectClass. Each schema attribute has the following attributes:

        • name: The name of the attribute on the target system.

        • dataType: The data type of the attribute. For example, String.

        • displayName: The name of the attribute in Oracle Identity Governance.

        • length: The length of data that can be stored in the attribute. If this attribute is not supplied in the template, then it is configured with the default length. However, this attribute is not exposed in the interface.

          Note:

          While creating an application, you can provide any value for this attribute. But while updating the application, the new length must be equal to or greater than the existing length.

        • identityAttribute: The name of the user attribute. Changes to this user attribute force the corresponding account attribute to be updated on the target system.

          Note:

          The list of schemaAttributes does not include the user password. If you want to add this capability, then select the capability in the Settings tab, from the provisioning options.

        • keyField: Defines the reconciliation account matching rule.

        • keyFieldCaseInsensitive: Defines whether or not the reconciliation account matching rule is case insensitive.

        • required: Indicates whether or not the attribute is required.

        • fieldType: Displays the type of schema attribute. This attribute is for legacy purposes and is not exposed to the user. If the type is not specified in the template, then this attribute is configured with the default type.

        • entitlement: Marks the schema attribute as an entitlement. This property is inherited by child schema attributes.

        • reconcileable: Indicates whether or not the attribute can be reconciled.

        • provisionable: Indicates whether or not the attribute can be provisioned. This property is inherited from parent schema attributes.

        • encrypted: Indicates whether or not the attribute is encrypted.

        • advanceFlags: Advanced flags, such as Lookup, Date, and WriteBack.

          • Lookup: Use Lookup if the tilde character (~) must be removed from the attribute value before the value is sent to the target.

          • Date: Use Date if the data type of the attribute matches the date on the target.

          • WriteBack: Use WriteBack if the attribute must be populated from the target after provisioning.

        • Account Discriminator: Set the schema attribute as the discriminator for the accounts. You can select multiple provisionable fields as account discriminators. See Terminologies Used in Access Policies for more information about account discriminators.

        • listOfValues: The name of the Lookup attribute that lists the value for the attribute.

        • defaultValue: The value to be used during reconciliation when no value for the attribute is available on the target system.

        • provideOldValueOnUpdate: Set to true if the old value of this attribute must propagate to the target during the update.

        • dependentAttribute: The value of this attribute is supplied to the target application during the update of this attribute.

        Note:

        The provideOldValueOnUpdate and dependentAttribute attributes cannot both be set for the same schema attribute. Either the old value is passed to the target, or the dependent attribute is passed to the target, during the attribute update.

      • form: Specifies the child form (or forms) for the parent or root form. It corresponds to a multi-valued attribute.

        • Use Bulk: Select this option to configure the Update Child Table Values Bulk adapter for all child table-related operations.

          Some targets support only bulk updates of child values for all operations, including adding a new child, updating an existing child, and removing a child. For these targets, the Use Bulk option must be selected for each child form.

  • catalogAttributes: List of catalog attributes.

    • Audit Objective: A text field that provides any relevant value or description for Oracle Identity Analytics (OIA) certification.

    • Risk Level: Level of risk for the entity. The values supported are Low Risk, Medium Risk, and High Risk.

    • User Defined Tags: A value that describes the catalog item and that can be used for searching the entity.

    • Approver User: User who can approve the catalog item. This is used at the time of processing the request for the catalog item or during attestation.

    • Approver Role: Role that can approve the catalog item.

    • Certifier User: User who can certify the catalog item.

    • Certifier Role: Role that can certify the catalog item.

    • Fulfillment User: User who can complete or fulfill the request for the catalog item.

    • Fulfillment Role: Role that can complete or fulfill the request for the catalog item.

    • Certifiable: Specifies whether or not a catalog item is certifiable.

  • organizations: The list of organizations to which the application is published.

  • parentApplicationName: The name of the application on which the current application has a dependency. For example, if the AD Exchange application has a dependency on the AD application, then parentApplicationName is set to the AD application.

21.2 Searching Applications

On the Applications page, you can search for applications based on the application name, display name, connector name, and base application.

To search for applications:
  1. Log in to Identity Self Service.
  2. Click the Manage tab, and then click the Applications box to open the Applications page.
  3. In the search list, select any one of the following:
    • Name: Search by application name.

    • Display Name: Search by display name.

    • Connector Name: Search by connector name.

    • Base Application: Search by base application name.

  4. In the Search box, enter your search criterion.
  5. Click the Search icon.

    The search results table displays the application name, display name, connector name, and base application.

21.3 Creating Applications

You can use the Create Application option to create a target application or an authoritative application.

Creating applications is described in the following sections:

21.3.1 Creating a Target Application

Creating a target application includes steps such as providing basic information, updating schema attributes, reviewing and updating settings for default attributes, and verifying the application information.

To navigate to the Create Application wizard, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. From the Actions menu, click Create, and then select Target. Alternatively, click Create on the toolbar, and select Target to open the Create Application wizard.

From this point onward, page-wise instructions are provided in the following sections:

21.3.1.1 Providing Basic Information for Target Application
On the Basic Information page, select the application you wish to onboard. To do so:
  1. If you want to onboard a disconnected application using the default disconnected template, then select the Disconnected checkbox.

    Note:

    To create a disconnected application for any custom template, do not select the Disconnected checkbox. Go to step 3.
  2. If you want to create the application from a connector package, then select Connector Package. Select the connector from the Select Bundle list. By default, the Select Bundle drop-down shows the list of templates from the connector bundles present in the OIM_HOME/server/ConnectorDefaultDirectory/ directory.
    To load a template from connector bundles at an alternate location, provide the path in the Alternate Connector Directory field, and click the Reload connector list from alternate directory icon next to the Alternate Connector Directory.
  3. Alternatively, if you want to create the application by using a template, then select Template, and then select the template from the Select Template list.
  4. Enter values in the Application Name, Display Name, and Description fields for the application. Application Name and Display Name are mandatory fields. The application name cannot include a space. Display name is the name that is used to represent the application in the request catalog.
  5. Depending on the selected bundle or template, Basic Configuration and Advanced Settings for the connector may appear.

    Note:

    The parameters in the Basic Configuration and Advanced Settings sections vary based on the connector you have selected. For more information about these parameters, refer to the corresponding connector documentation available on the Oracle Help Center website at the following URL:

    https://docs.oracle.com/en/middleware/idm/identity-governance-connectors/12.2.1.3/index.html

    • The Advanced Settings section allows you to add new attributes. To add an attribute:

      1. Click Add Attribute. The New Attribute window is displayed.

      2. Enter the values for the Name, Value, Category, and Display Name fields, and click OK.

        The new attribute is displayed in the Custom section.

    • If you have selected a flat file connector from the Select Bundle list, then in Advanced Settings, you have to provide the flat file location in the flatFileLocation field.

      Click Parse Headers to list the flat file schema properties from the CSV file mentioned in the flatFileLocation field.

      You can update the flat file attributes information and also add new fields. Click Add Field to add a new field.

      1. Enter the display name of the flat file attribute in the Attribute field.

      2. Select MVA if the attribute is a multivalued attribute.

      3. Click Add Attribute to create the complex multivalued attribute and specify the Sub Field names.

      4. Select the data type for the attribute.

      5. Select Name if the attribute has to be mapped to _Name_.

      6. Select UID if the attribute has to be mapped to _UID_.

      7. Select Status if the attribute has to be mapped to status.

      8. Select Mandatory if it is mandatory to get the value of this field from the target system. This option is selected when Name or UID is selected.

    Update the required Basic Configuration parameters. Click Test Connection to verify that the server can connect to the target system.

  6. Click Next to navigate to the Schema page.

21.3.1.2 Providing Schema Information for Target Application

On the Schema page, you can manage the account and entitlement schema attributes. You can edit or delete existing attributes from the schema. After you perform all required actions in the Schema page, click Next to go to the Settings page.

Note:

If the connector is a Database Application Tables (DBAT) connector, then you can use the auto-discovery feature to fetch the target schema. If the Test Connection option on the Basic Information page is successful, then click Discover on the Schema page to fetch the target schema. If you are using this feature for editing an application, then the current configurations are overridden and you must do the attribute mapping on this page again.

Adding attributes and child form is described in the following sections:

21.3.1.2.1 Adding Attributes
To add new attributes:
  1. Click Add Attribute to add a new row to the table. Provide the following Application Attribute details:
    • Identity Attribute: Select an attribute from the list of user attributes. This attribute is used by the user-triggered process, that is, to propagate changes to the user attribute to the user's resource account. For example, if the FirstName of a user is modified and the change should be pushed down to fname of the user account on the target, then select FirstName in the Identity Attribute list and select fname in the corresponding Target Attribute list.

      See Process Definition Form in Developing and Customizing Applications for Oracle Identity Governance for more information on user triggered process.

    • Display Name: Enter the display name for the attribute in Oracle Identity Governance.

    • Target Attribute: Enter the target attribute name. For connectors that support schema discovery, if the correct connectivity details are provided in the Basic Configuration section, then all the attributes on the target are listed in the Target Attribute drop-down. Select the target attribute name from the list.

    • Data Type: Select the data type from the list.

  2. Set the following Provisioning Properties:
    • Mandatory: Select if the attribute is mandatory for target provisioning.

    • Provision Field: Select if the attribute must be present on the provisioning form.

  3. Set the following Reconciliation Properties:
    • Recon Field: Select if the reconciliation process needs to pull this attribute value.

    • Key Field: Select if the attribute is used for entity matching during reconciliation.

    • Case Insensitive: Select if the account matching rule is case-insensitive.

  4. To add additional properties to the attribute, click the Advanced Settings icon. The Advanced Settings window is displayed. Provide the following advanced settings:
    • Account Discriminator: Select to mark this attribute as one of the Account Discriminator fields. The collection of all such attributes in the form uniquely identifies the logical entity on which accounts are created. See Terminologies Used in Access Policies for more information about Account Discriminator.

    • Lookup: Select to indicate that the value of this attribute is set from a Lookup field. In the List Of Values field, enter the name of a lookup that contains the list of allowed values for this attribute. During provisioning, the value of this attribute can be set to one of the values from this list. If the lookup name provided does not exist, then a new lookup is created with an empty list of values. This is applicable only when the Data Type of the attribute is String.

    • Date: Select if the data type of the attribute is Date on the target and must be mapped to a String type attribute in Oracle Identity Governance.

    • WriteBack: Select to set the attribute as WriteBack for the provisioning use case. When account provisioning is done, the value of this attribute in Oracle Identity Manager is updated with the value from the target. For example, the __UID__ field is of type WriteBack: the value for UID is generated on the target and is written back into the Oracle Identity Manager account after provisioning.

    • Provide old value on update: Select if the update operation of the attribute on target requires the old value to be propagated to the target along with the new value. For example, to change the account password, you must provide the old password value along with the new password.

    • Dependent Attribute: Enter or select the name of the Oracle Identity Governance attribute on which the update operation of this attribute on target is dependent.

  5. If you want to remove any attribute, then click the Delete icon that is associated with the attribute.

21.3.1.2.2 Adding Child Forms

To add child forms:
  1. Click Add Child Form. The Add Child Form window is displayed.
  2. Enter the Form name, and click OK. The new child form is created.
  3. Enter the attribute details. This is similar to the attribute details in Adding Attributes.
  4. Provide the following application attribute details: Display Name, Target Attribute, and Data Type.
  5. Provide the following Provisioning Property: Mandatory.
  6. Provide the following Reconciliation Properties: Recon Field, Key Field, and Case Insensitive.
  7. To add additional properties to the attribute, click the Advanced Settings icon. The Advanced Settings window is displayed. Provide the following advanced settings: Lookup, Date, WriteBack, and Entitlement (select this option if the attribute must be marked as an entitlement).
  8. For targets that support only bulk update of child values, select the Use Bulk option.
  9. Click Delete Form to remove the child form.

21.3.1.3 Providing Settings Information for Target Application

On the Settings page, you can review and customize the default settings related to provisioning, reconciliation, catalog, and organization publications. After you perform all required actions on the Settings page, click Next to go to the Finish page.

Expand the Preview Settings tab and perform the following:

21.3.1.3.1 Updating the Provisioning Configuration
In the Provisioning tab, perform the following steps to update provisioning configurations:
  1. In the Global Configuration section, review and if required, update the predefined provisioning configurations:
    • Validation Script: Click to review the validation script or to include a script. The Validation Script editor is displayed. If the script is present, you can edit the validation script or compile the script.

    • Transformation Script: Click to review the transformation script or to include a script. The Transformation Script editor is displayed. If the script is present, you can edit the transformation script or compile the script.

    • Account Name: Select the attribute to uniquely identify the account from the list. This list consists of all the schema attributes that can be set as account name.

    See About Customizing Groovy Scripts for information about how to write validation and transformation scripts.

  2. In the Capabilities section, you can review and, if required, update the pre and post action scripts for the provisioning operations that are associated with this application. Provisioning operations include Create, Enable, Disable, Update (Bulk), Delete, and Change User Password.

    Note:

    If script execution is not supported for a particular provisioning operation in a connector, then the Action Script button is disabled.

    To update pre and post action scripts for the provisioning operations:

    1. Select the capabilities you want to review, edit, or add pre and post action script for, and click Action Script associated with that capability. The Action Script editor opens.

    2. You can configure to run the script before or after provisioning operations. Use the pane where Trigger Time is set to Before to configure the script that must run before the provisioning operation and the pane where Trigger Time is set to After to configure the script that must run after the provisioning operation.

    3. Enter the Language in which the script is written. For example, Shell.

      Note:

      For more information on the languages supported and whether the script execution for a particular action is supported by the connector type, refer to the corresponding connector documentation.
    4. Enter value of the Target field to specify where the script has to be executed. For example, if the Target is set to Resource, then the script is executed on the computer where the target system is running. If the Target is set to Connector, then the script is executed on the Oracle Identity Governance server or the connector server (if configured).

    5. Enter the script and click Compile to check if the script is valid.

    6. Click Save.

      Note:

      You cannot add or manage scripts for the applications that are created through the Connector Installer. However, the Java-based transformation and validation provided by the Design Console continue to work.

21.3.1.3.2 Updating the Reconciliation Configuration

On the Reconciliation tab, you can review or customize the required predefined matching rules, situations and responses, and reconciliation jobs.

Perform the following to update the reconciliation configuration:

21.3.1.3.2.1 Updating Identity Correlation Rules
In the Identity Correlation Rule section, you can review and, if required, edit or add simple or complex correlation rules. To add a rule:
  1. If you want to add a simple rule, then select the Simple Correlation Rule option, and set the rule conditions. If the rule is based on more than one condition, then click Add Rule Element to include a new rule element. Each rule element matches one target attribute to a user or identity attribute. These rule elements are separated by the AND or OR operators.
  2. Otherwise, if you want to add a complex rule, then select the Complex Correlation Rule option, and enter the rule equation in JSON format. To validate the rule, click Validate JSON Syntax.

    Complex correlation rules are used when:

    • The rule has nested rules. The following is an example of a nested rule:

      {
          "ruleOperator": "AND",
          "ruleElement": [
              {
                  "targetAttribute": "__NAME__",
                  "userAttribute": "User Login",
                  "elementOperator": "Equals",
                  "transformName": "NONE"
              }
          ],
          "identityCorrelationRule": [
              {
                  "ruleOperator": "OR",
                  "ruleElement": [
                      {
                          "targetAttribute": "Mid Name",
                          "userAttribute": "Middle Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE"
                      },
                      {
                          "targetAttribute": "Last Name",
                          "userAttribute": "Last Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE",
                          "caseSensitive": true
                      }
                  ]
              },
              {
                  "ruleOperator": "OR",
                  "ruleElement": [
                      {
                          "targetAttribute": "First Name",
                          "userAttribute": "First Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE"
                      }
                  ]
              }
          ]
      }

    • When only part of a target attribute value must be matched to the identity or user attribute value, a transformation can be specified in the rule. For example, a substring of the target FirstName can be matched to the Oracle Identity Governance user FirstName. The supported transformations are:

      • Substring, for example start point or end point

      • Endstring, for example end point

      • Tokenize, for example Delimiters, Token Number, or Space Delimiter

      The following is an example of a rule that has transformName set to Tokenize and maps the target attribute __NAME__ to the Oracle Identity Governance attribute User Login.

      {
          "ruleOperator": "AND",
          "ruleElement": [
              {
                  "targetAttribute": "__NAME__",
                  "userAttribute": "User Login",
                  "elementOperator": "Equals",
                  "transformName": "Tokenize",
                  "transformParams": [
                      {
                          "name": "Space Delimiter",
                          "value": "FALSE"
                      },
                      {
                          "name": "Token Number",
                          "value": "1"
                      },
                      {
                          "name": "Delimiters",
                          "value": "'@'"
                      }
                  ]
              }
          ]
      }

21.3.1.3.2.2 Updating Situations and Responses
In the Situations And Responses section, you can review and, if required, update or add situations and responses. To do so:
  1. To add a new situation and response, click Add.
  2. Select the situation from the Situation list, for example No matches found or One entity match found.
  3. Select an appropriate response for the situation from the Response list. The options are:
    1. Create User
    2. Establish Link
    3. None

As part of application onboarding (AOB) in OIM 12c PS4, the following responses are replaced by None:
  • Assign To Administrator With Least Load
  • Assign To Authorizer With Least Load
  • Assign To Authorizer With Highest Priority

21.3.1.3.2.3 Updating Validation and Transformation Scripts
In the Validation & Transformation section, review and, if required, update or add validation and transformation logic written as Groovy scripts. Click Validation Script or Transformation Script to open the editor and include a script.

Note:

  • You cannot add or manage scripts for the applications that are created through the Connector Installer. However, the Java-based transformation and validation provided by the Design Console continue to work.

  • You can access any provisioning attribute value in the Groovy script with its display name as defined in the schema section. To do this, replace spaces in the display name with underscore characters (_).

21.3.1.3.2.4 Updating Reconciliation Jobs
In the Reconciliation Jobs section, you can review and, if required, update or add reconciliation jobs. To add a job:
  1. Click Add Job to open the New Job window.
  2. Enter values for the Job Name field and other required parameters, and click OK. You can add parameters to the existing jobs by clicking Add Parameter. This opens the Select Parameter Type window. Select the parameter type from the list, and click OK. Enter the required details, and click OK.

    The following reconciliation jobs can be set:

    • Full: This is used to reconcile all existing user records from the target system into Oracle Identity Governance.

    • Incremental: This is used to reconcile only records created or modified after the last reconciliation run.

    • Delete: This is used for reconciliation of deleted records.

    • Entitlement: This is used for lookup field synchronization.

    For flat file connectors, the following reconciliation jobs can be set:

    • Flat File Full: This is used to reconcile all existing user records from the target system into Oracle Identity Governance.

      Figure 21-1 Flat File Full: example for Flat File Full

    • Flat File Diff Sync: This is used to perform diff-based reconciliation.

    • Flat File Delete Sync: This is used to perform a delete reconciliation run.

    • Flat File Delete: This is used for reconciliation of deleted records.

    • Flat File Entitlement: This is used for lookup field synchronization.

    When you create an authoritative application for a flat file connector, make sure that you complete the Reconciliation Jobs section under Reconciliation on the Settings tab. Enter values for the mandatory parameters (marked with an asterisk (*)) for all the reconciliation jobs, and then click Apply.

    The mandatory parameters are:
    • Job Name
    • FlatFile Instance Name
    • Flat File directory
    • Scheduled Task Name
    • Previous Flat File directory or Current Flat File directory
    A success message is displayed stating that the flat file configuration was created.

    Note:

    For information about the default set of reconciliation jobs for a given connector, refer to the corresponding Connector documentation available on the Oracle Help Center website at the following URL:

    https://docs.oracle.com/en/middleware/idm/identity-governance-connectors/12.2.1.3/index.html

21.3.1.3.3 Updating the Organization Configuration
On the Organization tab, select the organizations to which this application will be published. By default, the application is configured to be published to the Top organization. To add organizations:
  1. Click Add to open the Add Organization window.
  2. Search for the organization. Select the required organization from the search result table, and click Select.
  3. Select Hierarchy Aware if you want to publish this application to the organization and its child organizations.
21.3.1.3.4 Updating the Catalog Configuration

In the Catalog tab, you can set various configuration-related Catalog metadata.

You can update the following attributes:

  • Category: Enter the category for the application.

  • User Defined Tags: Enter the user defined tag for this attribute.

  • Audit Objective: Enter the objective of the audit.

  • Auditable: Select Yes if the application is auditable or No if it is not.

  • Requestable: Select Yes if the application is requestable or No if it is not. The following fields are enabled if Requestable is set to Yes:

    • Fulfillment Role: Click the Search icon to search and select the fulfillment role.

    • Approver User: Click the Search icon to search and select the user.

    • Approver Role: Click the Search icon to search and select approver role.

    • Fulfillment User: Click the Search icon to search and select the fulfillment user.

  • Certifiable: Select Yes if the attribute is certifiable or No if it is not. The following fields are enabled if Certifiable is set to Yes:

    • Certifier User: Click the Search icon to search and select the certifier user.

    • Certifier Role: Click the Search icon to search and select the certifier role.

  • Risk Level: Select the risk levels, which are High Risk, Medium Risk, or Low Risk.

21.3.1.4 Verifying the Target Application Details

On the Finish page, review the details used to create the application. If anything needs to be changed, click Back and make the required changes. If the details are fine, then click Finish to create an application.

When you are prompted whether you want to create a default request form, click Yes or No.

If you choose to create a default request form, then the default form is created with the same name as the application. The default form cannot be modified later. Therefore, if you want to customize it, you must create a new one. To view the new default form, you must log in again to Oracle Identity Self Service. However, other users can view the default form as soon as it is created.

If you want to perform any sandbox-related changes after you create an application, then you must log out from the current Oracle Identity Self Service session and log in again.

21.3.2 Creating an Authoritative Application

Creating an Authoritative Application includes steps such as, providing basic information, updating schema attributes, reviewing and updating settings for default attributes, and verifying the application information.

To navigate to the Create Application wizard, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. From the Actions menu, click Create, and then select Authoritative. Alternatively, click Create on the toolbar, and select Authoritative to open the Create Application wizard.

From this point onward, page-wise instructions are provided in the following sections:

21.3.2.1 Providing Basic Information for Authoritative Applications
On the Basic Information page, select the application you wish to onboard. To do so:
  1. If you want to create the application from a connector package, then select Connector Package. Select the connector from the Select Bundle list. By default, the Select Bundle drop-down shows the list of templates from the connector bundles present in the OIM_HOME/server/ConnectorDefaultDirectory directory.
    To load a template from the connector bundles at an alternate location, provide the path in the Alternate Connector Directory field, and click the Reload connector list from alternate directory icon next to the Alternate Connector Directory field.
  2. Alternatively, if you want to create the application by using a template, then select Template, and then select the template from the Select Template list.
  3. Enter the Application Name, Display Name, and Description for the application. Application Name and Display Name are mandatory fields. Application Name cannot include a space. Display name is the name that is used to represent the application in the request catalog.
  4. Depending on the selected bundle or template, Basic Configuration and Advanced Settings for the connector may appear.

    Note:

    The parameters in the Basic Configuration and Advanced Settings sections vary based on the connector you select. For more information about these parameters, refer to the corresponding Connector documentation available on the Oracle Help Center website at the following URL:

    https://docs.oracle.com/en/middleware/idm/identity-governance-connectors/12.2.1.3/index.html

    Update the required Basic Configuration parameters. Check if the connection between the target system and the server is fine by clicking Test Connection.

    If you have selected a flat file connector from the Select Bundle list, then in Advanced Settings, provide the flat file location in the flatFileLocation field.

    Click Parse Headers to list the flat file schema properties from the CSV file mentioned in flatFileLocation field.

    You can update the flat file attributes information and also add new fields. Click Add Field to add a new field.

    1. Enter the display name of the flat file attribute in the Attribute field.

    2. Select MVA if the attribute is a multivalued attribute.

    3. Click Add Attribute to create the complex multivalued attribute, and specify the Sub Field names.

    4. Select the data type for the attribute.

    5. Select Name if the attribute has to be mapped to __NAME__.

    6. Select UID if the attribute has to be mapped to __UID__.

    7. Select Status if the attribute has to be mapped to status.

    8. Select Mandatory if it is mandatory to get the value of this field from the target system. This option is selected when Name or UID is selected.

  5. Click Next to open the Schema page.
21.3.2.2 Providing Schema Information for Authoritative Application
On the Schema page, you can manage the account and entitlement schema attributes. You can edit or delete existing attributes from the schema. After you perform all required actions on the Schema page, click Next to go to the Settings page. To add new attributes:

Note:

If the connector is a DBAT connector, then you can use the auto-discovery feature. If the Test Connection option on the Basic Information page is successful, then click Discover in the Schema page to fetch the target schema. If you are using this feature for editing an application, then the current configurations are overridden and you must do the attribute mapping on this page again.
  1. Click Add Attribute to add a new row to the table. Provide the following Application Attribute details:
    • Identity Display Name: Select the display name for the attribute.

    • Target Attribute: Enter the target attribute name or select the attribute name from the list.

    • Data Type: Select the data type from the list.

  2. Provide the following Reconciliation Properties descriptions:
    • Mandatory: Select if the attribute is mandatory for target provisioning.

    • Key Field: Select if the attribute is used for entity matching during reconciliation.

  3. To add additional properties to the attribute, click the Advanced Settings icon. The Advanced Settings window is displayed. Provide the default value and click OK.

21.3.2.3 Providing Settings Information for Authoritative Application

On the Settings page, you can review and customize the default settings related to reconciliation and organization publications. After you perform all required actions in the Settings page, click Next to go to the Finish page.

21.3.2.3.1 Updating the Reconciliation Configuration

On the Reconciliation tab, you can review or customize the required predefined matching rules, situations and responses, and reconciliation jobs.

Perform the following to update the reconciliation configuration:

21.3.2.3.1.1 Updating Identity Correlation Rules
In the Identity Correlation Rule section, you can review and, if required, edit or add simple or complex correlation rules. To add a rule:
  1. If you want to add a simple rule, then select the Simple Correlation Rule option, and set the rule conditions. If the rule is based on more than one condition, then click Add Rule Element to include a new rule element. Each rule element matches one target attribute to a user or identity attribute. These rule elements are separated by the AND or OR operators.
  2. Otherwise, if you want to add a complex rule, then select the Complex Correlation Rule option, and enter the rule equation in JSON format. To validate the rule, click Validate JSON Syntax.

    Complex correlation rules are used when:

    • The rule has nested rules. The following is an example of a nested rule:

      {
          "ruleOperator": "AND",
          "ruleElement": [
              {
                  "targetAttribute": "__NAME__",
                  "userAttribute": "User Login",
                  "elementOperator": "Equals",
                  "transformName": "NONE"
              }
          ],
          "identityCorrelationRule": [
              {
                  "ruleOperator": "OR",
                  "ruleElement": [
                      {
                          "targetAttribute": "Mid Name",
                          "userAttribute": "Middle Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE"
                      },
                      {
                          "targetAttribute": "Last Name",
                          "userAttribute": "Last Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE",
                          "caseSensitive": true
                      }
                  ]
              },
              {
                  "ruleOperator": "OR",
                  "ruleElement": [
                      {
                          "targetAttribute": "First Name",
                          "userAttribute": "First Name",
                          "elementOperator": "Equals",
                          "transformName": "NONE"
                      }
                  ]
              }
          ]
      }

    • When only part of a target attribute value must be matched to the identity or user attribute value, a transformation can be specified in the rule. For example, a substring of the target FirstName can be matched to the Oracle Identity Governance user FirstName. The supported transformations are:

      • Substring, for example start point or end point

      • Endstring, for example end point

      • Tokenize, for example Delimiters, Token Number, or Space Delimiter

      The following is an example of a rule that has transformName set to Tokenize and maps the target attribute __NAME__ to the Oracle Identity Governance attribute User Login.

      {
          "ruleOperator": "AND",
          "ruleElement": [
              {
                  "targetAttribute": "__NAME__",
                  "userAttribute": "User Login",
                  "elementOperator": "Equals",
                  "transformName": "Tokenize",
                  "transformParams": [
                      {
                          "name": "Space Delimiter",
                          "value": "FALSE"
                      },
                      {
                          "name": "Token Number",
                          "value": "1"
                      },
                      {
                          "name": "Delimiters",
                          "value": "'@'"
                      }
                  ]
              }
          ]
      }

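      To see how a rule of this shape actually behaves (which user a target record correlates to, and how AND/OR nesting, caseSensitive, and the Tokenize transform combine before a situation such as No matches found or One entity match found is reached), the following Python evaluator is an added example for this section and for the identical rule examples in the target application section above. It is not Oracle Identity Governance's own matching engine. It supports only the Equals operator and the NONE and Tokenize transforms, and it assumes the semantics noted in its comments: Token Number is 1-based, the quoted Delimiters value is used with its quotes stripped, comparison is case-insensitive unless caseSensitive is true, and the "Multiple matches found" situation name is assumed. The user and target records are constructed.

```python
"""Reference evaluator for OIG-style identity correlation rules (added example)."""
import json

# Constructed rule in the same JSON shape as the nested-rule example above.
NESTED_RULE = json.loads("""
{
  "ruleOperator": "AND",
  "ruleElement": [
    {"targetAttribute": "__NAME__", "userAttribute": "User Login",
     "elementOperator": "Equals", "transformName": "NONE"}
  ],
  "identityCorrelationRule": [
    {"ruleOperator": "OR",
     "ruleElement": [
       {"targetAttribute": "Mid Name", "userAttribute": "Middle Name",
        "elementOperator": "Equals", "transformName": "NONE"},
       {"targetAttribute": "Last Name", "userAttribute": "Last Name",
        "elementOperator": "Equals", "transformName": "NONE",
        "caseSensitive": true}
     ]}
  ]
}
""")

# Constructed rule using the Tokenize transform, as in the second example.
TOKENIZE_RULE = json.loads("""
{
  "ruleOperator": "AND",
  "ruleElement": [
    {"targetAttribute": "__NAME__", "userAttribute": "User Login",
     "elementOperator": "Equals", "transformName": "Tokenize",
     "transformParams": [
       {"name": "Space Delimiter", "value": "FALSE"},
       {"name": "Token Number", "value": "1"},
       {"name": "Delimiters", "value": "'@'"}
     ]}
  ]
}
""")

# Constructed OIG users (the identity side of the match).
USERS = [
    {"User Login": "jdoe", "First Name": "John", "Middle Name": "Q", "Last Name": "Doe"},
    {"User Login": "asmith", "First Name": "Anna", "Middle Name": "", "Last Name": "Smith"},
]


def apply_transform(value, name, params):
    """Apply a rule transform to the target-side value.
    Assumed semantics: Tokenize splits on each character of Delimiters
    (surrounding quotes stripped), or on whitespace when Space Delimiter
    is TRUE, and Token Number is 1-based; a missing token yields ""."""
    p = {e["name"]: e["value"] for e in (params or [])}
    if name == "NONE":
        return value
    if name == "Tokenize":
        if p.get("Space Delimiter", "FALSE").upper() == "TRUE":
            tokens = value.split()
        else:
            tokens = [value]
            for delim in p.get("Delimiters", "").strip("'"):
                tokens = [t for tok in tokens for t in tok.split(delim)]
        idx = int(p.get("Token Number", "1")) - 1
        return tokens[idx] if 0 <= idx < len(tokens) else ""
    raise ValueError(f"unsupported transformName {name!r}")


def element_matches(elem, target, user):
    """Evaluate one ruleElement: compare the transformed target attribute with
    the user attribute. Only Equals is supported; the comparison is
    case-insensitive unless caseSensitive is true (assumed default)."""
    if elem.get("elementOperator", "Equals") != "Equals":
        raise ValueError("unsupported elementOperator")
    t = target.get(elem["targetAttribute"])
    u = user.get(elem["userAttribute"])
    if t is None or u is None:
        return False  # an absent attribute never matches
    t = apply_transform(str(t), elem.get("transformName", "NONE"), elem.get("transformParams"))
    u = str(u)
    if not elem.get("caseSensitive", False):
        t, u = t.lower(), u.lower()
    return t == u


def rule_matches(rule, target, user):
    """Combine the ruleElement results and the nested identityCorrelationRule
    results with the rule's ruleOperator (AND or OR)."""
    results = [element_matches(e, target, user) for e in rule.get("ruleElement", [])]
    results += [rule_matches(r, target, user) for r in rule.get("identityCorrelationRule", [])]
    if not results:
        return False
    op = rule.get("ruleOperator", "AND").upper()
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    raise ValueError(f"unsupported ruleOperator {op!r}")


def correlate(rule, target, users=USERS):
    """Return the User Login of every user the target record correlates to and
    the situation name that result maps to in Situations and Responses."""
    logins = [u["User Login"] for u in users if rule_matches(rule, target, u)]
    if not logins:
        situation = "No matches found"
    elif len(logins) == 1:
        situation = "One entity match found"
    else:
        situation = "Multiple matches found"  # name assumed; not on the page
    return logins, situation


if __name__ == "__main__":
    # Tokenize: "jdoe@example.com" split on '@', token 1 -> "jdoe"
    print(correlate(TOKENIZE_RULE, {"__NAME__": "jdoe@example.com"}))
    # Nested rule: Last Name is compared case-sensitively, so "doe" fails the OR branch
    print(correlate(NESTED_RULE, {"__NAME__": "JDOE", "Mid Name": "X", "Last Name": "doe"}))
    print(correlate(NESTED_RULE, {"__NAME__": "JDOE", "Mid Name": "X", "Last Name": "Doe"}))
```

      Running the block prints the correlated logins and the resulting situation for each constructed target record; the second call shows that a case-sensitive element fails on "doe" versus "Doe" even though the case-insensitive __NAME__ element matched, so the whole AND rule fails and the No matches found situation applies.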
21.3.2.3.1.2 Updating Situations and Responses
In the Situations And Responses section, you can review and, if required, update or add situations and responses. To do so:
  1. To add a new situation and response, click Add.
  2. Select the situation from the Situation list, for example No matches found or One entity match found.
  3. Select an appropriate response for the situation from the Response list. The options are:
    1. Create User
    2. Establish Link
    3. None

As part of application onboarding (AOB) in OIM 12c PS4, the following responses are replaced by None:
  • Assign To Administrator With Least Load
  • Assign To Authorizer With Least Load
  • Assign To Authorizer With Highest Priority

21.3.2.3.1.3 Updating Validation and Transformation Scripts
In the Validation & Transformation section, review and, if required, update or add validation and transformation logic written as Groovy scripts. Click Validation Script or Transformation Script to open the editor and include a script.

Note:

  • You cannot add or manage scripts for the applications that are created through the Connector Installer. However, the Java-based transformation and validation provided by the Design Console continue to work.

  • You can access any provisioning attribute value in the Groovy script with its display name as defined in the schema section. To do this, replace spaces in the display name with underscore characters (_).

21.3.2.3.1.4 Updating Reconciliation Jobs
In the Reconciliation Jobs section, you can review and, if required, update or add reconciliation jobs. To add a job:
  1. Click Add Job to open the New Job window.
  2. Enter values for the Job Name field and other required parameters, and click OK. You can add parameters to the existing jobs by clicking Add Parameter. This opens the Select Parameter Type window. Select the parameter type from the list, and click OK. Enter the required details, and click OK.

    The following reconciliation jobs can be set:

    • Full: This is used to reconcile all existing user records from the target system into Oracle Identity Governance.

    • Incremental: This is used to reconcile only records created or modified after the last reconciliation run.

    • Delete: This is used for reconciliation of deleted records.

    For flat file connectors, the following reconciliation jobs can be set:

    • Flat File Full: This is used to reconcile all existing user records from the target system into Oracle Identity Governance.

    • Flat File Diff Sync: This is used to perform diff-based reconciliation.

    • Flat File Delete Sync: This is used to perform a delete reconciliation run.

    • Flat File Delete: This is used for reconciliation of deleted records.

    • Flat File Entitlement: This is used for lookup field synchronization.

    Note:

    For information about the default set of reconciliation jobs for a given connector, refer to the corresponding Connector documentation available on the Oracle Help Center website at the following URL:

    https://docs.oracle.com/en/middleware/idm/identity-governance-connectors/12.2.1.3/index.html

21.3.2.3.2 Updating the Organization Configuration
On the Organization tab, select the organizations to which this application will be published. By default, the application is configured to be published to the Top organization. To add organizations:
  1. Click Add to open the Add Organization window.
  2. Search for the organization. Select the required organization from the search result table, and click Select.
  3. Select Hierarchy Aware if you want to publish this application to the organization and its child organizations.
21.3.2.4 Verifying the Authoritative Application Details
On the Finish page, review the details used to create the application. If anything needs to be changed, click Back and make the required changes. If the details are fine, then click Finish to create an application.

21.4 Creating Templates

You can use the Create Application option to create a target template or an authoritative template and save it in the database for future use.

Creating templates is described in the following sections:

21.4.1 Creating an Authoritative Template

To create an authoritative template:
  1. Perform all the steps described in the Creating an Authoritative Application till you open the Finish page of the Create Authoritative Application wizard.
  2. In the Finish page:
    1. Click Save as Template to create a template. The Save as Template window is displayed.

    2. Enter Template Name and Description, and click OK.

21.4.2 Creating a Target Template

To create a target template:
  1. Perform all the steps described in the Creating a Target Application till you open the Finish page of the Create Target Application wizard.
  2. In the Finish page:
    1. Click Save as Template to create a template. The Save as Template window is displayed.
    2. Enter Template Name and Description, and click OK.

21.5 Modifying Applications

You can edit applications that were created by using the Connector Installation Wizard or applications that were created by using the Create Application option.

21.5.1 Editing an Application That Was Created by Using the Connector Installation Wizard

When an authoritative application is created by using the Connector Installation wizard, no default application instance is created. Therefore, the application cannot be edited on the Applications page of Identity Self Service. To edit an authoritative application that was created by using the Connector Installation wizard, follow these steps:

  1. Create an application instance for this application by using the ApplicationInstanceService.addApplicationInstance(ApplicationInstance appInst) API. See Java API Reference for Oracle Identity Governance for information about this API.

  2. After the application instance is created, run the Application Template Generation Job scheduled task that creates a template for the application.

    Note:

    You cannot add or manage scripts for applications that are created through the Connector Installer. However, the Java-based transformation and validation that the Design Console provides continue to work.

21.5.2 Editing Applications

To edit an application:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. Select the application.
  4. In the Action menu, select Edit. Alternatively, click Edit on the toolbar.

    Note:

    In the table that lists the applications, the application name is a hyperlink. Clicking this hyperlink opens a page that contains the details of the application. You can edit the details on this page.

    The Base Application field in the table indicates whether the application is a base application or instance. The configurations that are shared with the base application cannot be modified by using the edit option.

  5. On the application detail page, change the values of the attributes on the Basic Information, Schema, or Settings tabs as required.

    Note:

    When you edit an application, if you are adding a new provisionable schema attribute or updating the display name of an existing provisionable schema attribute, then make sure to run the Form Upgrade Job scheduled job before you update an existing account for the application.

  6. Click Apply.

21.5.3 Editing Templates

You can modify a template by using the Create Application option. On the Basic Information tab, use the Template option to select the template. Make the changes, and use the Save as Template option to save them to the template.

21.6 Cloning Applications

When you clone an application, all the configurations of the base application are copied into the cloned application.

To clone an application:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. Select the application.
  4. From the Actions menu, select Clone. Alternatively, click Clone on the toolbar to open the Clone Application page.
  5. On the Clone Application page:
    1. Enter the Application Name, Display Name, and Description for the cloned application. Application Name and Display Name are mandatory fields. Application Name cannot include a space. Display name is the name that is used to represent the application in the request catalog.
    2. Change the values of the attributes in the Basic Information, Schema, and Settings pages as required.

      Note:

      For security reasons, the values of the encrypted basic attributes are not copied from the parent application. Make sure to enter these values.
  6. Click Apply.

    If you are cloning a target application, then you are asked whether you want to create a default request form. Click Yes or No.

    If you choose to create a default request form, then the default form is created with the same name as the application. The default form cannot be modified later. Therefore, if you want to customize it, create a new form. You must log in again to Identity Self Service to view the created default form. However, other users can view the default form as soon as it is created.

    If you want to perform any sandbox-related changes after creating an application, then log out from the current Identity Self Service session and log in again.

21.7 Creating Instance Applications

You can create an application instance that has the same configurations as the base application.

Note:

The following configurations are shared between instance and base application:

  • Advanced configurations

  • Schema configurations

  • Provisioning configuration

  • Reconciliation configuration

To create an instance application:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. Select the application.
  4. From the Actions menu, select Create Instance. Alternatively, click Create Instance on the toolbar to open the Create Instance Application page.
  5. On the Basic Information tab:
    1. Enter the Application Name, Display Name, and Description for the instance application. Application Name and Display Name are mandatory fields. Application Name cannot include a space. Display name is the name that is used to represent the application in the request catalog.

      The Base Application field displays the application for which you are creating an instance.

    2. Depending on the base application that is selected, Basic Configuration for the connector is displayed. Update the required parameters and check if the connection between the target system and the server is fine by clicking Test Connection.

      Note:

      For security reasons, the values of the encrypted basic attributes are not copied from the parent application. Make sure to enter these values.
  6. Depending on the base application that is selected, the Settings tab might include information that can be updated. If the base application is a target application, then the Organization and Catalog tabs are displayed. If the base application is an authoritative application, then the Organization tab is displayed. Change the values of the attributes as required.
  7. Click the Reconciliation Jobs section to copy, update, or add reconciliation jobs.
    Copy Base Application Jobs: Select this option to copy the job for the Instance Application from the base application.

    Note:

    This selection is available after applying the bundle patch version 12.2.1.4.2110XX.
  8. Click Apply.

21.8 Creating Applications in Bulk

You can load base applications and instance applications in bulk by using the Application Bulk Create scheduled task.

See Predefined Scheduled Tasks in Administering Oracle Identity Governance for information about this scheduled task.

The templates are processed in the following way:

  • The templates that do not contain a base application name are processed first, and new applications are created synchronously.

  • The templates that do contain a base application name are used to create instance applications. These templates are processed asynchronously.

See Application Template for more information about templates and how they are created.

Note:

When you create applications by using a job run of the Application Bulk Create scheduled task, use a sandbox to create the UI form from Identity System Administration.

21.9 Configuring Flat Files

For connected applications, you can configure flat files by loading data from CSV files.

Configuring flat files involves providing basic information, loading data from a CSV file for a connected system, auto-discovering the schema from the source, and updating the reconciliation jobs for the predefined job modes.

To create a flat file configuration for a connector application, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. Use the search option to search for the application, or click the search icon to list all the connector applications. Select the application for which you want to create a flat file configuration.

From the Actions menu, select Flat File, and then select Configure. Alternatively, click Flat File on the toolbar, and select Configure to open the Configure Application using Flat File page.

From this point onward, page-wise instructions are provided in the following sections:

21.9.1 Providing Basic Information for Flat Files

On the Basic Information page, perform the following:
  1. Enter the Configuration Name, Display Name, and Description for the application. Configuration Name and Display Name are mandatory fields. Configuration Name cannot include a space.
  2. In the Basic Configuration and the Advanced Settings for the flat file, you can update the following:
    1. In the Basic Configuration section, you can select the Connector Server from the list. Click Test Connection to check if the connection between the target system and the server is fine.

    2. In the Advanced Setting section, enter the flat file location in the flatFileLocation field. Click Parse Headers to list the flat file schema fields from the CSV file mentioned in the flatFileLocation field.

      You can change the configurations of the following existing properties:

      1. If the attribute is a multivalued attribute, select MVA. The Add Attribute option is enabled. Click Add Attribute to create a complex multivalued attribute. Enter the subfield details, and then click OK.

      2. Change the data type of the field from the Data Type list.

      3. Select Name if the attribute is to be mapped to _Name_.

      4. Select UID if the attribute is to be mapped to _UID_.

      5. Select Status if the attribute is to be mapped to _ENABLE_.

      6. If Name or UID option is selected, then Mandatory field is enabled. Select Mandatory to always get the value of this field from the target system.

      Note:

      For a disconnected application, you can add new fields to the schema, as described in Adding a New Field to the Schema for a Disconnected Application.
  3. Click the Settings tab to open the Settings page.

21.9.2 Providing Settings Information for Flat Files

On the Settings tab, under the User panel, click Preview Settings. In the Reconciliation Jobs section, you can review and, if required, update or add reconciliation jobs.

The following reconciliation job modes are supported:

  • Flat File Full: This is used to reconcile all existing user records from the target system into Oracle Identity Governance.

  • Flat File Diff Sync: This is used to perform difference-based reconciliation.

  • Flat File Delete Sync: This is used to perform a delete reconciliation run based on given Delete Attribute and Delete Attribute value.

  • Flat File Delete: This is used for reconciliation of deleted records.

  • Flat File Entitlement: This is used for lookup field synchronization.

To add a job:

  1. Click Add Job to open the New Job window.
  2. Enter values for the Job Name field and other required parameters, and click OK.
    You can add parameters to the existing jobs by clicking Add Parameter. This opens the Select Parameter Type window. Select the parameter type from the list, and click OK.
Click Apply to complete the flat file configuration.

21.9.3 Adding a New Field to the Schema for a Disconnected Application

For a disconnected application, you can add new fields to the schema. To do so:

  1. In the Flat File Schema Properties section, click Add Field.
    A new row is added below the existing list.
  2. In the Attributes field, enter the name of the flat file.
  3. If the attribute is a multivalued attribute, select MVA. The Add Attribute button is enabled. Click Add Attribute to create a complex multivalued attribute. Enter the subfield details, and then click OK.
  4. From the Data Type list, select the data type of the field.
  5. Select Name if the attribute has to be mapped to _Name_.
  6. Select UID if the attribute has to be mapped to _UID_.
  7. Select Status if the attribute has to be mapped to status.
  8. If Name or UID option is selected, then the Mandatory option is enabled. Select Mandatory to always get the value of this field from the target system.

21.10 Managing Flat File Configurations

You can edit the flat file configurations created for an application or you can manage jobs for the flat file configurations.

To manage a flat file configuration:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. Use the Search option to search for the application, or click the search icon to list all the connector applications. Select the application whose flat file configurations you want to manage.
  4. From the Actions menu, select Flat File, and then select Manage. Alternatively, click Flat File on the toolbar, and select Manage. The Manage Configurations page for the selected application is displayed.
  5. In the Manage Configurations page, use the search option to search and list the flat file configurations.

    You can edit the flat file configurations or manage jobs for the flat file configurations from this page.

    To edit flat file configurations:

    1. Select the flat file configurations you want to update, and click Edit. The Flat File Configuration details page is displayed.

      In the search results table, the configuration name is a hyperlink. Alternatively, click this hyperlink to open the Flat File Configuration details page.

    2. In the Flat File Configuration details page, change the values of the attributes on the Basic Information or Settings tab as required. Click Apply.

    To manage jobs for the flat file configurations:

    1. Select the flat file configurations you want to manage jobs for, and click Manage Jobs. The Manage Jobs page is displayed. For more information on managing jobs, see Managing Jobs.

21.11 Managing Jobs

You can add, update, and run the reconciliation jobs for applications from Identity Self Service.

To manage jobs for an application:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. Use the Search option to search for the application or click the search icon to list all the connector applications. Select the application for which you want to manage jobs.
  4. From the Actions menu, click Manage Jobs. Alternatively, click Manage Jobs on the toolbar. The Manage Jobs page for the selected application is displayed.
  5. The Manage Jobs page lists all the reconciliation job modes based on the type of application. You can add, edit, enable or disable, run, stop, and delete jobs from this page.

    To add a job:

    1. Expand the job mode for which you want to add a new job.

    2. Click Add Job to open the New Job section.

    3. Enter values for the Job Name field and other required parameters, and click Save.

    4. You can add parameters to the job by clicking Add Parameter. This opens the Select Parameter Type window. Select the parameter type from the list, and click OK.

      Note:

      To save and immediately run the job, click Save and Run.

    To update a job:

    1. Expand the job mode for which you want to edit the details.

    2. Select the Job you want to edit. Update details or add new parameters. Click Apply.

    To enable a job:

    1. Expand the job mode for which you want to edit the details.

    2. Select the job you want to enable. Click Enable.

      Note:

      You can disable, run, stop, or delete jobs by clicking the respective options.

  6. You can view the job history, such as job details, error details, milestones for the job, and job report in the Job History section.

21.12 Upgrading Connector Applications

You can use the Upgrade option to upgrade the applications and the application instances created through application onboarding, and view the upgrade process status.

This section contains the following topics:

21.12.1 About Upgrading Applications

You can upgrade the applications that are created through application onboarding.

Before starting the upgrade, replace the old connector package with the new connector package in the Connector Default Directory, which is MW_HOME/idm/server/ConnectorDefaultDirectory/. During the upgrade process, the available upgrade files are listed based on the version comparison with the master template, which is the default template that is shipped with the connector package, and the template present in the Connector Default Directory.

The upgrade process lists the difference between the old template and the new template. This allows you to accept or reject the upgraded parameters or attributes in basic configurations, advanced configurations, schema attributes, child forms, reconciliation jobs, and capabilities.

Note:

  • The difference in the Pre-config.xml file is not shown here.

  • The templates created by using the Save as Template option in the Create Application page cannot be upgraded by using this Upgrade option.

21.12.2 Upgrading Applications

You can upgrade the applications that are created through application onboarding by using the Upgrade option on the Applications page.

To upgrade an application:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. From the Actions menu, select Upgrade, and then select New. Alternatively, click Upgrade on the toolbar, and select New. The Upgrade page is displayed.
  4. In the Bundle Select tab, from the Select Bundle list, select the connectors available for upgrade. A message is displayed showing the current version of the connector and the version to which it is being upgraded.

    Click Next. The Target Application tab is displayed.

    Note:

    This tab is disabled if there are no Target Applications available in the system for upgrade.
  5. In the Target Application tab:
    1. In the Basic Information tab, the changed properties are listed under two sections, Added and Removed.

      1. The Added section lists properties that are new and not present in the older version. Select Remove corresponding to the property to exclude it.

      2. The Removed section lists properties that are present in the older version but not in the new version. Select Keep corresponding to the property to retain it.

    2. In the Schema tab, the changed schema attributes are listed under two sections, Added and Removed.

      1. The Added section lists the attributes that are new and not present in the older version. Select Remove corresponding to the attribute to exclude it.

      2. The Removed section lists the attributes that are present in the older version but not in the new version. Select Keep corresponding to the attribute to retain it.

    3. In the Settings tab, the changed Reconciliation and the Provisioning Jobs attributes are listed.

      Under the Reconciliation section, you can see Added Jobs and Removed Jobs.

      1. The Added Jobs section lists the jobs that are new and not present in the older version. Select Remove corresponding to the job to exclude it.

      2. The Removed Jobs section lists the jobs that are present in the older version but not in the new version. Select Keep corresponding to the job to retain it.

      Under the Provisioning section, you can see the list of capabilities in two sections, Added and Removed.

      1. The Added section lists the capabilities that are new and not present in the older version. Select Remove corresponding to the capability to exclude it.

      2. The Removed section lists the capabilities that are present in the older version but not in the new version. Select Keep corresponding to the capability to retain it.

    4. Click Next. The Authoritative Application tab is displayed.

      Note:

      This tab is disabled if there are no Authoritative Applications available in the system for upgrade.
  6. In the Authoritative Application tab:
    1. In the Basic Information tab, the changed properties are listed under two sections, Added and Removed.

      1. The Added section lists properties that are new and not present in the older version. Select Remove corresponding to the property to exclude it.

      2. The Removed section lists properties that are present in the older version but not in the new version. Select Keep corresponding to the property to retain it.

    2. In the Schema tab, the changed schema attributes are listed under two sections, Added and Removed.

      1. The Added section lists the attributes that are new and not present in the older version. Select Remove corresponding to the attribute to exclude it.

      2. The Removed section lists the attributes that are present in the older version but not in the new version. Select Keep corresponding to the attribute to retain it.

    3. In the Settings tab, the changed Reconciliation Job attributes are listed.

      Under the Reconciliation section, you can see Added Jobs and Removed Jobs.

      1. The Added Jobs section lists the jobs that are new and not present in the older version. Select Remove corresponding to the job to exclude it.

      2. The Removed Jobs section lists the jobs that are present in the older version but not in the new version. Select Keep corresponding to the job to retain it.

    4. Click Next. The Summary page is displayed.

  7. In the Summary page, you can review the options selected in the previous tabs and the list of applications that will be part of the upgrade. Click Upgrade. The Status for Connector Upgrade page is displayed. You can check the upgrade status and take further action.

    The Upgrade process status can be one of the following:

    • Initiated: This indicates that the connector upgrade has been initiated and the applications are being merged and validated.

    • Intermediate: This indicates that there is an error in either merging or validating one of the applications, and upgrade is halted.

      If the status is Intermediate, then the upgrade process can be re-initiated. To do so, click Retry.

    • Success: This indicates that the connector upgrade is successful and all the applications have been successfully upgraded.

    • Failure: This indicates that the merge and validation of applications are complete with no error, but there is an error in upgrading the applications.

      If the status is Failure, then some of the applications have been corrupted, and the database has to be restored.

    The Upgrade status for the application can be one of the following:

    • Merge-Initiated: This indicates that the merging of the application with the delta has been initiated.

    • Merge-Failed: This indicates that the merging of the application has failed, and the error can be seen against that application.

    • Merge-Completed: This indicates that the merging of the application has completed.

    • Validation-Completed: This indicates that the validation of the application has completed.

    • Validation-Failed: This indicates that the validation of the application has failed, and the error can be seen against that application.

    • Upgraded: This indicates that the application has been upgraded successfully.

    • Upgrade-Failed: This indicates that the upgrade of the application has failed, and an error can be seen against that application.

Note:

  • If there are changes to the application schema during the upgrade, then the UI form must be changed manually. See Modifying Forms in Administering Oracle Identity Governance for information about modifying forms.

  • After upgrade, Transformation and Validation Scripts must be manually changed for each application by editing the application. See Modifying Applications.

21.12.3 Viewing the Upgrade Status

You can view the status of overall connector upgrade and the upgrade status of all the applications.

To view the upgrade status:
  1. Log in to Oracle Identity Self Service.
  2. Click the Manage tab. Click the Applications box to open the Applications page.
  3. From the Actions menu, select Upgrade, Status. Alternatively, click Upgrade on the toolbar, and select Status. The Upgrade Status page is displayed.

    The upgrade process status can be one of the following:

    • Initiated: This indicates that the connector upgrade has been initiated and the applications are being merged and validated.

    • Intermediate: This indicates that there is an error in either merging or validating one of the applications, and upgrade is halted.

    • Success: This indicates that the connector upgrade is successful and all the applications have been successfully upgraded.

    • Failure: This indicates that the merge and validation of applications are complete with no error, but there is an error in upgrading the applications.

    The upgrade status for the application can be one of the following:

    • Merge-Initiated: This indicates that the merging of the application with the delta has been initiated.

    • Merge-Failed: This indicates that the merging of the application has failed, and the error can be seen against that application.

    • Merge-Completed: This indicates that the merging of the application has completed.

    • Validation-Completed: This indicates that the validation of the application has completed.

    • Validation-Failed: This indicates that the validation of the application has failed, and an error can be seen against that application.

    • Upgraded: This indicates that the application is upgraded successfully.

    • Upgrade-Failed: This indicates that the upgrade of the application has failed, and an error can be seen against that application.

21.13 Deleting Applications

You cannot delete applications from Oracle Identity Self Service.

In some situations, such as when the application creation process fails, the system may contain partially committed applications. To remove partially committed applications from the system, run the connector uninstall utility, as described in Uninstalling Connectors in Administering Oracle Identity Governance.

21.14 About Customizing Groovy Scripts

The Groovy Helper in Oracle Identity Governance provides options for transforming and validating data during reconciliation or provisioning operations.

The following options are available:

  • Provisioning Mechanism Information: Call the context.provisionMechanism method to get the following provisioning mechanism information from the Groovy Helper.

    • REQUEST

    • ADMIN

    • POLICY

    These values are case-sensitive.

  • Operation Information: Call the context.operationType method to get the following types of operations from the Groovy Helper.

    • create

    • modify

    These values are case-sensitive.

  • Common Data Container Information: This includes the following:

    • Requester Information: Call the context.requester method to identify the requester information (for the user initiating the provisioning request) from the Groovy Helper. The user object from which any user attribute can be obtained is returned. For example, context.requester.getAttribute("User Login") returns the user ID of the requester.

    • Requester Manager Information: Call the context.requesterManager method to identify the requester's manager information (for the manager of the user initiating the provisioning request) from the Groovy Helper. The user object from which any user attribute can be obtained is returned. For example, context.requesterManager.getAttribute("User Login") returns the user ID of the requester's manager.

    • Beneficiary Information: Call the context.beneficiary method to identify the beneficiary information (for the user for whom the provisioning request is initiated) from the Groovy Helper. The user object from which any user attribute can be obtained is returned. For example, context.beneficiary.getAttribute("User Login") returns the user ID of the beneficiary.

    • Beneficiary Manager Information: Call the context.beneficiaryManager method to identify the beneficiary's manager information (manager of the user for whom the provisioning request is initiated) from the Groovy Helper. The user object from which any user attribute can be obtained is returned. For example, context.beneficiaryManager.getAttribute("User Login") returns the user ID of the beneficiary's manager.

    • Beneficiary Password Information: Call the context.beneficiaryPassword method to identify the beneficiary’s password from the Groovy Helper.

      Note:

      For more information on how to access user attributes, see the User Management APIs.

You can use the Groovy Helper methods in the following way:

  • Derived attributes: You can form attributes that are dependent on two or more other attributes. For example, the full name attribute is a combination of the first name, middle name, and last name attributes.

    User_Id = context.beneficiary.getAttribute("User Login");
    First_Name = context.beneficiary.getAttribute("First Name");
    Last_Name = context.beneficiary.getAttribute("Last Name");
    Middle_Name = context.beneficiary.getAttribute("Middle Name");
    Full_Name = First_Name  + ". " + Middle_Name + ". " + Last_Name;
    
  • Default value attributes: You can form attributes whose default value must be populated. For example, if the user does not provide organization details, then the default value is set to Server Technology.

    // Groovy keywords are case-sensitive: the condition must use "if", not "If".
    if (Organization == null || Organization == "")
    {
        Organization = "Server Technology";
    }
    
  • Transformed attributes: You can form attributes whose value is transformed. For example, @example.com is appended to the User ID attribute.

    User_Id = User_Id.toString()+"@example.com";

In the following sample script, based on the type of provisioning, such as REQUEST, POLICY, or ADMIN, and on the type of operation being performed, such as creation or modification, data is transformed. All the variable values are initialized and available for provisioning and reconciliation operations, except resultList, which is defined and declared in the script itself.

def resultList;
if (binding.variables.containsKey("context"))
{
    if (context.operationType.equals("create"))
    {
        if (context.provisionMechanism.equals("POLICY"))
        {
            // Access-policy provisioning: take the identity data from the beneficiary.
            User_Id = context.beneficiary.getAttribute("User Login");
            First_Name = context.beneficiary.getAttribute("First Name");
            Last_Name = context.beneficiary.getAttribute("Last Name");
            Middle_Name = context.beneficiary.getAttribute("Middle Name");
            Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
            Common_Name = Full_Name;
            Password = context.beneficiaryPassword;
        }
        else if (context.provisionMechanism.equals("REQUEST") || context.provisionMechanism.equals("ADMIN"))
        {
            // Request or administrator provisioning: the name attributes come from the form.
            Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
            Common_Name = Full_Name;
        }
        // Organization_Name is expected as "<name>~<container DN>"; the DN is the second token.
        if (Organization_Name != null && Organization_Name.indexOf("~") != -1)
        {
            resultList = Organization_Name.tokenize("~");
            User_Full_DN = "CN=" + Common_Name + "," + resultList[1];
        }
    }
    else if (context.operationType.equals("modify"))
    {
        Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
        Common_Name = Full_Name;
        if (Organization_Name != null && Organization_Name.indexOf("~") != -1)
        {
            resultList = Organization_Name.tokenize("~");
            User_Full_DN = "CN=" + Common_Name + "," + resultList[1];
        }
    }
}
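The sample above concatenates the name parts and the organization DN as they arrive. The following is an added example (not from the Oracle documentation) that produces the same outputs (Full_Name, Common_Name, User_Full_DN) but skips a null or blank Middle_Name instead of emitting the text "null", and escapes the RFC 4514 special characters in the CN value so that a last name such as "Doe, Jr." cannot add an extra RDN to the generated DN. It assumes, as the sample does, that the Groovy Helper injects context and the form attributes into the script binding, and that script-level method definitions are accepted; the StubUser class and the values at the top are constructed sample input that stand in for that binding.

```groovy
// Added example, not from the Oracle documentation: null-safe full name and
// RFC 4514-escaped CN for the generated User_Full_DN.

// --- constructed stand-in for the injected binding; delete this part in OIG ---
class StubUser {
    Map attrs
    Object getAttribute(String name) { return attrs[name] }
}
context = [
    operationType      : 'create',
    provisionMechanism : 'POLICY',
    beneficiaryPassword: 'constructed-sample-password',
    beneficiary        : new StubUser(attrs: [
        'User Login' : 'jdoe',
        'First Name' : 'Jane',
        'Middle Name': null,          // missing middle name: the edge case handled below
        'Last Name'  : 'Doe, Jr.'     // contains an RDN separator
    ])
]
First_Name = 'Jane'; Middle_Name = null; Last_Name = 'Doe, Jr.'   // values a request form would carry
Organization_Name = 'Engineering~OU=Eng,DC=example,DC=com'         // "<name>~<container DN>" as in the sample
// --- end of stand-in ---

// Join the name parts that are present; a null or blank part is skipped instead of
// becoming the literal text "null".
String buildFullName(Object first, Object middle, Object last) {
    return [first, middle, last].findAll { it != null && it.toString().trim() }
                                .collect { it.toString().trim() }
                                .join(' ')
}

// Escape one attribute value for use inside an RDN (RFC 4514 section 2.4):
// backslash and the characters , + " < > ; = are prefixed with a backslash,
// as are a leading '#' or space and a trailing space.
String escapeRdnValue(String value) {
    String s = value.replaceAll(/([\\,+"<>;=])/, '\\\\$1')
    if (s.startsWith('#') || s.startsWith(' ')) {
        s = '\\' + s
    }
    if (s.endsWith(' ')) {
        s = s.substring(0, s.length() - 1) + '\\ '
    }
    return s
}

if (context.operationType == 'create' && context.provisionMechanism == 'POLICY') {
    // Access-policy provisioning: take the identity data from the beneficiary.
    User_Id     = context.beneficiary.getAttribute('User Login')
    First_Name  = context.beneficiary.getAttribute('First Name')
    Middle_Name = context.beneficiary.getAttribute('Middle Name')
    Last_Name   = context.beneficiary.getAttribute('Last Name')
    Password    = context.beneficiaryPassword
}
// Request, admin and modify operations use the form values already in the binding.
Full_Name   = buildFullName(First_Name, Middle_Name, Last_Name)
Common_Name = Full_Name

// Same "~" convention as the sample: the container DN is the second token.
if (Organization_Name != null && Organization_Name.contains('~')) {
    List parts = Organization_Name.tokenize('~')
    if (parts.size() >= 2) {
        User_Full_DN = 'CN=' + escapeRdnValue(Common_Name) + ',' + parts[1]
    }
}

println "Full_Name=${Full_Name}"
println "User_Full_DN=${User_Full_DN}"
```

Escaping is applied only to the CN value; the container DN from Organization_Name is taken as already well-formed, exactly as the sample treats it. If the organization value is also user-editable on the form, validate it in a validation script rather than trusting it here.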

The following is a sample Validation Groovy Script that displays an error message if the User ID is not provided.

def errors = "";
if (User_Id == null || User_Id == "")
{
    errors = errors + " User Id cannot be null";
}
return errors;

In the validation script, you can specify a list of accounts that are excluded from reconciliation and provisioning operations. Accounts whose user IDs are specified in the exclusion list are not affected by reconciliation and provisioning operations.

The following is a sample validation Groovy script for resource exclusion:

def errors = "";
def excludedUsers = ['user01', 'user02'];
// Allow only one or more alphanumeric or underscore characters over the whole value.
def regexStr = /^[a-zA-Z0-9_]+$/;
if (User_Id == null || !User_Id.matches(regexStr)) errors = errors + " Invalid UserId";
if (excludedUsers.contains(User_Id)) errors = errors + " User Id lies in excluded list";
return errors;
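The following is an added example (not from the Oracle documentation) of a validation script for the User_Id attribute that returns the accumulated error string, as the two samples above do, and additionally handles a null User_Id without throwing, bounds the length, anchors an allow-list pattern over the whole value, and matches the exclusion list case-insensitively, since many target systems treat logins case-insensitively. It assumes that the Groovy Helper injects User_Id into the script binding and accepts script-level method definitions; the User_Id value and the exclusion list below are constructed sample input.

```groovy
// Added example, not from the Oracle documentation: hardened User_Id validation.

// --- constructed stand-in for the injected binding; delete this line in OIG ---
User_Id = ' Admin01 '
// --- end of stand-in ---

final int MAX_USER_ID_LENGTH = 64
// Exclusion list normalised to lower case once so lookups are case-insensitive.
List<String> excludedUsers = ['admin01', 'svc_backup', 'user02'].collect { it.toLowerCase() }
// Allow list: letters, digits, underscore, dot and hyphen; '+' requires at least one character.
java.util.regex.Pattern allowedUserId = ~/^[A-Za-z0-9_.-]+$/

// Returns an empty string when the value is acceptable, otherwise the joined error messages.
String validateUserId(Object rawUserId, List<String> excluded, int maxLen, java.util.regex.Pattern allowed) {
    List<String> errors = []
    String id = rawUserId == null ? null : rawUserId.toString().trim()
    if (id == null || id.isEmpty()) {
        errors << 'User Id cannot be null'
        return errors.join('; ')
    }
    if (id.length() > maxLen) {
        errors << "User Id longer than ${maxLen} characters".toString()
    }
    if (!allowed.matcher(id).matches()) {
        errors << 'Invalid UserId'
    }
    if (excluded.contains(id.toLowerCase())) {
        errors << 'User Id lies in excluded list'
    }
    return errors.join('; ')
}

String errors = validateUserId(User_Id, excludedUsers, MAX_USER_ID_LENGTH, allowedUserId)
println(errors.isEmpty() ? 'User Id accepted' : errors)
return errors
```

The pattern is an allow list rather than a list of forbidden characters, so anything the target system cannot represent (spaces, quotes, path or DN separators) is rejected by default instead of having to be enumerated. The script trims the value before checking it, so surrounding whitespace does not let a listed login bypass the exclusion list.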

Action scripts are configured to run before or after create, update, enable, disable, change user password, and delete provisioning operations. For example, you can configure a script to run before a user is created.

The following action script creates a text file on the target system with a given name. You can configure this script for the Active Directory Connector.

echo create >> C:\%givenName%.txt

21.15 Troubleshooting Application Onboarding

Problems that you encounter while performing application onboarding may be related to authorization or may reflect issues with template creation.

This section describes the troubleshooting procedures to follow as you resolve issues during application onboarding.

Problem

A user who is a member of an organization other than the default organization cannot create an application.

Solution

Make sure that the user has the correct administration roles. Only users who have the ApplicationInstanceAdministrator administration role can perform the following actions from the Applications page of Identity Self Service:

  • Create, modify, delete, or search applications within organizations that are defined under the scope of control of the administration roles.

  • Create, modify, delete, or search applications within the parent organization.

For more information on administration roles, see Managing Administration Roles.

Problem

You can generate a template for applications that were created through Connector Installer before or after you upgraded the applications by running the Application Template Generation Job scheduled job.

Solution

Lookup.AOB.Certified.Bundles must have an entry for the bundle of the application for which the template is being generated. Lookup.AOB.Certified.Bundles must be updated with the following inputs:

  • Key: The name of the bundle that contains advanced configuration information.

  • Value: The connector display name. The CONNECTOR_NAME-CI.xml file must be present in the configuration folder.

    The connector display name and the connector version are set in the generated template. If it is not possible to identify the unique connector display name for a given bundle name, then the value in Lookup is set to Unidentified, and the connector display name and connector version are not set when the template is generated. It is the Application Administrator’s responsibility to set the correct connector display name and version.

Note:

Only certified bundles are part of this lookup.

Problem

The resource history for a provisioned account shows additional process tasks for field updates.

Solution

This is expected. Process tasks are created for all fields in the schema attribute except for Writeback and SoD fields. These process tasks are for single updates of fields. In some cases, such as when a derived attribute and its value are updated as a part of a transformation script, the process task is triggered. In this case, the resource history for a provisioned account may show additional process tasks for derived attributes.

Problem

Logging of application onboarding with the package oracle.iam.application is enabled, but the log for the entire flow is not available.

Solution

Application onboarding relies on the existing provisioning, reconciliation, scheduler, and catalog engines. To enable logging for application onboarding, logging of all the underlying engines should be enabled.

Problem

When you try to manage, from the Design Console, an application that was created from the Applications page in Identity Self Service, the application shows unexpected behavior.

Solution

Applications that are created from the Applications page in Identity Self Service must not be managed from the Design Console.