21 Managing Application Onboarding
Use the application onboarding capability in Oracle Identity Self Service to create and manage applications, templates, flat file configuration for applications, instances of applications, manage jobs, upgrade the applications, and to clone applications.
This chapter contains the following sections:
Note:
The Design Console has been deprecated in this release. Use the new Applications page in Identity Self Service to do any of the following:
- Use the application template-based install process for ICF-based connector install packages.
- Install the template-based 12c connectors.
- Manage IT resource instances for template-based applications.
21.1 About Application Onboarding
This section describes the following concepts:
21.1.1 What Is Application Onboarding?
Application onboarding is the process of registering or associating an application with Oracle Identity Governance so that Oracle Identity Governance can provision or reconcile user information in or from that application.
Oracle Identity Governance provides a quick and convenient way to onboard applications by using the Applications option on the Manage tab in Identity Self Service. You can perform all the necessary configurations to onboard an application from a single console.
This simplified solution has the following benefits:
- You can configure new or existing applications by using a single user interface: Identity Self Service.
- You can export configurations as application templates and configure applications by using these templates, instead of Oracle Identity Governance.
21.1.2 Application Onboarding Concepts
Some of the key concepts related to the Application onboarding are application authorization, types of application, application templates, disconnected connector applications, instance creation, cloning of applications, validation and transformation of provisioning and reconciliation attributes, and application template elements.
The concepts related to application onboarding are described in the following sections.
21.1.2.1 Application Authorization
Users can access the Application option in Identity Self Service if they have the following authorizations:
- Any user with the Application Instance Administrator or System Administrator admin role can manage the application using the Application option.
- Any user with the Application Instance Administrator admin role can manage the entire life cycle of the applications published within the user's home organization and in the organizations that are within the scope of control of the admin role.
21.1.2.2 Application Types
You can create two types of applications:
- Target Application: A target application allows user requests for provisioning accounts through the access request catalog. The target application can be either connected or disconnected. The disconnected applications must be manually provisioned.
- Authoritative Application: For an authoritative application, Oracle Identity Governance manages accounts and represents them as users across different reconciliation jobs. Authoritative applications cannot be requested through the access request catalog. Therefore, Oracle Identity Governance pulls data and represents the applications as users, and then grants different target applications through requests or access policies. For example, the HRMS applications that are managed entirely by an HR department. The HRMS applications involve user account creation. Oracle Identity Governance pulls data from the HRMS application and represents these as user accounts. These user accounts are granted to various target applications through requests and approvals.
The application onboarding capability in Identity Self Service allows you to create applications in two ways:
- From a connector package: Oracle Identity Governance provides predefined connectors with default templates, which include all the target system-specific details, such as provisioning and reconciliation mappings, reconciliation actions, and reconciliation matching rules.
  Note: You can install the predefined connectors for which default templates are not available by using the Manage Connector option on the Provisioning Configuration tab in the Identity System Administration interface.
- Using application templates: If saved application templates are present in the system, then you can create new applications by using these templates.
21.1.2.3 Application Templates
An application template is an XML representation of all the configurations that are relevant to an application instance. It contains all the information required for provisioning to a target system and reconciliation from a target system. In addition, it contains other details, such as publication information, connectivity details, and other advanced configurations that are specific to a target system. You can save an application configuration as a template and use it later to create an application. Application templates must be placed in a folder.
You can create application templates in the following ways:
- Create a template by clicking the Save as Template option in the Create Application page. See Creating Applications.
- Run the Application Template Generation Job scheduled task to generate the template. The folder in which this template is to be saved is passed as a parameter to the job. This may be useful for applications that are created by using the Connector Installer before or after an upgrade. By default, templates are not generated for these applications. See Predefined Scheduled Tasks in Administering Oracle Identity Governance for information about this scheduled task.
- Import templates by using the Import option in the Deployment Manager. See Importing Deployments in Administering Oracle Identity Governance for information about importing entities by using the Deployment Manager.
- Create a template manually by using the sample template.
Note:
- For authoritative applications, create an application instance by using the ApplicationInstanceService.addApplicationInstance(ApplicationInstance appInst) API, and then run the Application Template Generation Job to generate the template. See Java API Reference for Oracle Identity Governance for information about this API.
- The applications that are created through the Create Application option contain the schema attributes related to all the values present in the lookup. These schema attributes might include previously derived attributes, such as _NAME_. When a new UI form is created, these attributes must be removed. To remove these attributes, customize the form by using a sandbox. See Managing Forms in Administering Oracle Identity Governance for more information on customizing forms by using sandboxes.
21.1.2.4 Disconnected Applications
Disconnected resources are targets for which there are no connectors. Therefore, you must provision these resources manually. You can create applications for disconnected resources from the Applications page in the Identity Self Service.
See Managing Disconnected Resources in Administering Oracle Identity Governance for information about disconnected resources and disconnected application instances.
21.1.2.5 Instance Creation
You can create an instance of an application that shares the configurations of the base application but includes different connectivity options.
The following configurations are shared between the base and instance applications:
- Advanced configuration
- Schema configuration
- Provisioning configuration
- Reconciliation configuration
An instance application has its own attributes and configurations for:
- Application Name
- Application Display Name
- Application Description
- Basic Configurations
- Catalog attributes
- Organization publication
Note:
Configurations that are shared with the base application cannot be modified by editing an application from the Applications page.
21.1.2.6 Cloning Applications
When an application is cloned, all the configurations of the base application are copied into the cloned application.
21.1.2.7 Validation and Transformation of Provisioning and Reconciliation Attributes
When you create an application from the Identity Self Service, you can apply, validate, and transform provisioning attributes before passing the attributes to the target system. Application onboarding capability in Identity Self Service lets you write Groovy script-based validation and transformation logic. See Creating a Target Application or Creating an Authoritative Application for more information on how to include these scripts.
Suppose you want to manage accounts on an Oracle Database target through Oracle Identity Governance. This situation has the following requirements:
- The account fields are User ID, Organization, First Name, and Last Name.
- The User ID field cannot be null.
- The user ID must end with @example.com. For example, if the user ID is test, then during the request it must be transformed to test@example.com on the target.
- If the user does not provide organization details, then the default value must be set to Server Technology.
To meet these requirements, you can create the following validation script and transformation script while creating the application.
Validation Groovy Script:
def errors = "";
if(User_Id == null || User_Id ==""){
errors = errors+" User Id cannot be null";
}
return errors;
Transformation Groovy Script:
if(Organization == null || Organization == "")
{
Organization = "Server Technology";
}
User_Id = User_Id.toString()+"@example.com";
Validation Groovy Script for Resource Exclusion:
In the validation script, you can specify a list of user IDs for accounts that must be excluded from reconciliation and provisioning operations. The following is a sample script to do so:
def errors = "";
def excludedUsers = ['user01','user02'];
def regexStr = /^[a-zA-Z0-9_]+/;
if(!User_Id.matches(regexStr)) errors = errors+" Invalid UserId";
if(excludedUsers.contains(User_Id)) errors = errors+" User Id lies in excluded list";
return errors;
See About Customizing Groovy Scripts for more sample scripts and information about transformation of attributes.
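The following is an added example, not a script from the Oracle documentation. It puts the validation and transformation logic described above, plus the resource-exclusion check, into two script bodies and evaluates them with GroovyShell against a binding of account attributes, using the underscore form of the display names (User_Id, First_Name, Last_Name). The harness itself is an assumption about how the scripts are invoked: Oracle Identity Governance binds the attributes and collects the results in its own way, which this page does not describe. Unlike the page's sample, the transformation only appends the domain when it is not already present, so running it twice on the same value is harmless.

```groovy
// Added example, not Oracle's code: runs the two script kinds the way a harness would,
// by binding account attributes under their underscore names and evaluating the
// script text with GroovyShell. How OIG itself binds and collects values is an assumption.

// Validation script text: a non-empty error string rejects the operation.
def validationScript = '''
def errors = ""
def excludedUsers = ['user01', 'user02']
if (User_Id == null || User_Id.toString().trim() == "") {
    errors = errors + " User Id cannot be null"
} else {
    // matches() must cover the whole value, so nothing after the allowed characters slips through
    if (!User_Id.toString().matches('^[a-zA-Z0-9_]+$')) errors = errors + " Invalid UserId"
    if (excludedUsers.contains(User_Id.toString())) errors = errors + " User Id lies in excluded list"
}
if (Last_Name == null || Last_Name.toString().trim() == "") errors = errors + " Last Name cannot be null"
return errors
'''

// Transformation script text: assignments to bound names change the values sent to the target.
def transformationScript = '''
if (Organization == null || Organization.toString().trim() == "") {
    Organization = "Server Technology"
}
// Only append the domain once, so a re-run on an already transformed value changes nothing
if (!User_Id.toString().endsWith("@example.com")) {
    User_Id = User_Id.toString() + "@example.com"
}
'''

// Evaluate a script against a map of attributes; returns the script's return value and the
// (possibly modified) attribute map read back from the binding. The input map is copied first.
Map runScript(String scriptText, Map attributes) {
    def binding = new Binding(new LinkedHashMap(attributes))
    def result = new GroovyShell(binding).evaluate(scriptText)
    return [result: result, attributes: binding.variables]
}

// Constructed sample accounts, keyed by display name with spaces replaced by '_'
def good = [User_Id: 'test', Organization: '', First_Name: 'Ann', Last_Name: 'Lee']
def bad  = [User_Id: 'user01', Organization: 'HR', First_Name: 'Bo', Last_Name: '']

def v = runScript(validationScript, good)
assert v.result == ''
def t = runScript(transformationScript, good)
assert t.attributes.User_Id == 'test@example.com'
assert t.attributes.Organization == 'Server Technology'
// Idempotence check: transforming the transformed values changes nothing
assert runScript(transformationScript, t.attributes).attributes.User_Id == 'test@example.com'

def errs = runScript(validationScript, bad).result
assert errs.contains('excluded list') && errs.contains('Last Name cannot be null')
println "validation(good) = '${v.result}', transformed = ${t.attributes}"
println "validation(bad)  = '${errs}'"
```

The two script strings are what you would paste into the Validation and Transformation script fields; the runScript harness only exists so the logic can be exercised outside the wizard with constructed input.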
21.1.2.8 Important Elements in the Application Template XML
Some important elements and structures of the application template XML file are:
- applicationName: The application name. It must be unique and cannot be more than 200 characters.
- applicationDisplayName: Display name of the application.
- connectorDisplayName: The connector display name is used for locating the connector bundle and is a read-only field for the user. The value is included with the default template in the connector bundle.
- connectorVersion: The connector version is used for locating the connector bundle and is a read-only field for the user. The value is included with the default template in the connector bundle.
- basicConfigurations: The connectivity details for a target system, such as host and port. The list of parameters varies from target to target.
- advanceConfigurations: The target-specific configurations, which are used by the bundle while performing provisioning or reconciliation to or from the target system. The list of parameters varies from target to target.
- objectClass: Each template has at least one object class that represents the object on the target system to be provisioned or reconciled.
  - provisioningConfig: Provisioning-related configurations:
    - validationScript: Groovy validation scripts that are executed before provisioning on the target system.
    - transformationScript: Groovy transformation scripts that are executed before provisioning the data.
    - capabilities: A list of operations supported by the bundle on the target system.
  - reconConfig: Reconciliation-related configurations:
    - reconJobDetails: A list of jobs that reconcile the data into Oracle Identity Governance.
    - identityCorrelationRule: The rule for owner matching. This rule is defined between the target attribute and the Oracle Identity Governance user attribute.
    - situationResponses: A list of situations and their corresponding responses. For example, for an Authoritative Application, in a situation of No Matches Found, the response may be Create User. For a Target Application, in a situation of No Matches Found, the response may be Establish Link.
    - validationScript: Groovy validation scripts that are executed before reconciling the data into Oracle Identity Governance.
    - transformationScript: Groovy transformation scripts that are executed before reconciling the data into Oracle Identity Governance.
  - form: Specifies one parent form per objectClass.
    - schemaAttributes: The schema configuration for objectClass. Each schema attribute has the following attributes:
      - name: The name of the attribute on the target system.
      - dataType: The data type of the attribute. For example, String.
      - displayName: The name of the attribute in Oracle Identity Governance.
      - length: The length of data that can be stored in the attribute. If this attribute is not supplied in the template, then it is configured with the default length. However, this attribute is not exposed in the interface. Note: While creating an application, you can provide any value for this attribute. But while updating the application, the new length must be equal to or greater than the existing length.
      - identityAttribute: The name of the user attribute. Changes to this name force the corresponding account attribute to be updated on the target system. Note: The list of schemaAttributes does not include the user password. If you want to add this capability, then select the capability in the Settings tab, from the provisioning options.
      - keyField: Defines the reconciliation account matching rule.
      - keyFieldCaseInsensitive: Defines whether the reconciliation account matching rule is case insensitive or not.
      - required: Indicates whether or not the attribute is required.
      - fieldType: Displays the type of schema attribute. This attribute is for legacy purposes and is not exposed to the user. If the type is not specified in the template, then this attribute is configured with the default type.
      - entitlement: Marks the schema attribute as an entitlement. This property is inherited by child schema attributes.
      - reconcileable: Indicates whether or not the attribute can be reconciled.
      - provisionable: Indicates whether or not the attribute can be provisioned. This property is inherited from parent schema attributes.
      - encrypted: Indicates whether or not the attribute is encrypted.
      - advanceFlags: Advanced flags, such as Lookup, Date, and WriteBack.
        - Lookup: Use Lookup if the tilde character (~) must be removed from the attribute value before the value is sent to the target.
        - Date: Use Date if the dataType attribute matches the date on the target.
        - WriteBack: Use WriteBack if the attribute must be populated from the target after provisioning.
      - Account Discriminator: Set the schema attribute as the discriminator for the accounts. You can select multiple provisionable fields as account discriminators. See Terminologies Used in Access Policies for more information about account discriminators.
      - listOfValues: The name of the Lookup attribute that lists the values for the attribute.
      - defaultValue: The value to be used during reconciliation when no value for the attribute is available on the target system.
      - provideOldValueOnUpdate: Set to true if the old value of this attribute must propagate to the target during the update.
      - dependentAttribute: The value of this attribute is supplied to the target application during the update of this attribute. Note: The provideOldValueOnUpdate and dependentAttribute attributes are not supported at the same time. Either the old value is passed to the target or the dependent attribute is passed to the target during the attribute update.
    - form: Specifies the child form (or forms) for the parent or root form. It corresponds to a multi-valued attribute.
      - Use Bulk: Select this option to configure the Update Child Table Values Bulk adapter for all child table-related operations. Some targets support only bulk updates of child values for all operations, including adding a new child, updating an existing child, and removing a child. For these targets, the Use Bulk option must be selected for each child form.
- catalogAttributes: List of catalog attributes.
  - Audit Objective: A text field that provides any relevant value or description for Oracle Identity Analytics (OIA) certification.
  - Risk Level: Level of risk for the entity. The values supported are Low Risk, Medium Risk, and High Risk.
  - User Defined Tags: A value that describes the catalog item and that can be used for searching the entity.
  - Approver User: User who can approve the catalog item. This is used at the time of processing the request for the catalog item or during attestation.
  - Approver Role: Role that can approve the catalog item.
  - Certifier User: User who can certify the catalog item.
  - Certifier Role: Role that can certify the catalog item.
  - Fulfillment User: User who can complete or fulfill the request for the catalog item.
  - Fulfillment Role: Role that can complete or fulfill the request for the catalog item.
  - Certifiable: Specifies whether or not a catalog item is certifiable.
- organizations: The list of organizations to which the application is published.
- parentApplicationName: The name of the application on which the current application has a dependency. For example, if the AD Exchange application has a dependency on the AD application, then parentApplicationName is set to the AD application.
21.2 Searching Applications
On the Applications page, you can search for applications based on the application name, display name, connector name, and base application.
21.3 Creating Applications
You can use the Create Application option to create a target application or an authoritative application.
Creating applications is described in the following sections:
21.3.1 Creating a Target Application
Creating a Target Application includes steps such as providing basic information, updating schema attributes, reviewing and updating settings for default attributes, and verifying the application information.
To navigate to the Create Application wizard, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. From the Actions menu, click Create, and then select Target. Alternatively, click Create on the toolbar, and select Target to open the Create Application wizard.
From this point onward, page-wise instructions are provided in the following sections:
21.3.1.1 Providing Basic Information for Target Application
21.3.1.2 Providing Schema Information for Target Application
On the Schema page, you can manage the account and entitlement schema attributes. You can edit or delete existing attributes from the schema. After you perform all required actions in the Schema page, click Next to go to the Settings page.
Note:
If the connector is a Database Application Tables (DBAT) connector, then you can use the auto-discovery feature to fetch the target schema. If the Test Connection option on the Basic Information page is successful, then click Discover on the Schema page to fetch the target schema. If you are using this feature for editing an application, then the current configurations are overridden and you must do the attribute mapping on this page again.
Adding attributes and child forms is described in the following sections:
21.3.1.2.2 Adding Child Forms
- Click Add Child Form. The Add Child Form window is displayed.
- Enter the Form name, and click OK. The new child form is created.
- Enter the attribute details. This is similar to the attribute details in Adding Attributes.
- Provide the following application attribute details: Display Name, Target Attribute, and Data Type.
- Provide the following Provisioning Property: Mandatory
- Provide the following Reconciliation Properties: Recon Field, Key Field, and Case Insensitive.
- To add additional properties to the attribute, click the icon. The Advanced Settings window is displayed. Provide the following advanced settings: Lookup, Date, WriteBack, and Entitlement (Select if this attribute must be marked as an entitlement).
- For targets that support only bulk update of child values, select the Use Bulk option.
- Click Delete Form to remove the child form.
21.3.1.3 Providing Settings Information for Target Application
On the Settings page, you can review and customize the default settings related to provisioning, reconciliation, catalog, and organization publications. After you perform all required actions on the Settings page, click Next to go to the Finish page.
Expand the Preview Settings tab and perform the following:
21.3.1.3.1 Updating the Provisioning Configuration
21.3.1.3.2 Updating the Reconciliation Configuration
On the Reconciliation tab, you can review or customize the required predefined matching rules, situations and responses, and reconciliation jobs.
Perform the following to update the reconciliation configuration:
21.3.1.3.2.1 Updating Identity Correlation Rules
21.3.1.3.2.2 Updating Situations and Responses
- To add a new situation and response, click Add.
- Select the situation from the Situation list, for example No matches found or One entity match found.
- Select an appropriate response for the situation from the Response list. The following options are available:
- Create User
- Establish Link
- None
- Assign To Administrator With Least Load
- Assign To Authorizer With Least Load
- Assign To Authorizer With Highest Priority
21.3.1.3.2.3 Updating Validation and Transformation Scripts
Note:
- You cannot add or manage scripts for the applications that are created through the Connector Installer. However, the Java-based transformation and validation provided by the Design Console continue to work.
- You can access any provisioning attribute value in the Groovy script with its display name as defined in the schema section. To do this, replace spaces in the display name with underscore characters (_).
21.3.1.3.3 Updating the Organization Configuration
- Click Add to open the Add Organization window.
- Search for the organization. Select the required organization from the search result table, and click Select.
- Select Hierarchy Aware if you want to publish this application to the organization and its child organizations.
21.3.1.3.4 Updating the Catalog Configuration
In the Catalog tab, you can set various configuration-related Catalog metadata.
You can update the following attributes:
- Category: Enter the category for the application.
- User Defined Tags: Enter the user defined tag for this attribute.
- Audit Objective: Enter the objective of the audit.
- Auditable: Select Yes if the application is auditable or No if it is not.
- Requestable: Select Yes if the application is requestable or No if it is not. The following fields are enabled if Requestable is set to Yes:
  - Fulfillment Role: Click the Search icon to search and select the fulfillment role.
  - Approver User: Click the Search icon to search and select the user.
  - Approver Role: Click the Search icon to search and select the approver role.
  - Fulfillment User: Click the Search icon to search and select the fulfillment user.
- Certifiable: Select Yes if the attribute is certifiable or No if it is not. The following fields are enabled if Certifiable is set to Yes:
  - Certifier User: Click the Search icon to search and select the certifier user.
  - Certifier Role: Click the Search icon to search and select the certifier role.
- Risk Level: Select the risk level, which is High Risk, Medium Risk, or Low Risk.
21.3.1.4 Verifying the Target Application Details
On the Finish page, review the details used to create the application. If anything needs to be changed, click Back and make the required changes. If the details are fine, then click Finish to create an application.
When you are prompted whether you want to create a default request form, click Yes or No.
If you choose to create a default request form, then the default form is created with the same name as the application. The default form cannot be modified later. Therefore, if you want to customize it, you must create a new one. To view the new default form, you must log in again to Oracle Identity Self Service. However, other users can view the default form as soon as it is created.
If you want to perform any sandbox-related changes after you create an application, then you must log out from the current Oracle Identity Self Service session and log in again.
21.3.2 Creating an Authoritative Application
Creating an Authoritative Application includes steps such as providing basic information, updating schema attributes, reviewing and updating settings for default attributes, and verifying the application information.
To navigate to the Create Application wizard, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. From the Actions menu, click Create, and then select Authoritative. Alternatively, click Create on the toolbar, and select Authoritative to open the Create Application wizard.
From this point onward, page-wise instructions are provided in the following sections:
21.3.2.1 Providing Basic Information for Authoritative Applications
21.3.2.2 Providing Schema Information for Authoritative Application
Note:
If the connector is a DBAT connector, then you can use the auto-discovery feature. If the Test Connection option on the Basic Information page is successful, then click Discover on the Schema page to fetch the target schema. If you are using this feature for editing an application, then the current configurations are overridden and you must do the attribute mapping on this page again.
21.3.2.3 Providing Settings Information for Authoritative Application
On the Settings page, you can review and customize the default settings related to reconciliation and organization publications. After you perform all required actions in the Settings page, click Next to go to the Finish page.
21.3.2.3.1 Updating the Reconciliation Configuration
On the Reconciliation tab, you can review or customize the required predefined matching rules, situations and responses, and reconciliation jobs.
Perform the following to update the reconciliation configuration:
21.3.2.3.1.1 Updating Identity Correlation Rules
21.3.2.3.1.2 Updating Situations and Responses
- To add a new situation and response, click Add.
- Select the situation from the Situation list, for example No matches found or One entity match found.
- Select an appropriate response for the situation from the Response list. The following options are available:
- Create User
- Establish Link
- None
- Assign To Administrator With Least Load
- Assign To Authorizer With Least Load
- Assign To Authorizer With Highest Priority
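The following is an added example, not Oracle's code, and it serves both the target-application and the authoritative-application reconciliation settings described above. It models what the Reconciliation tab configures: an identity correlation rule that matches a target attribute against an Oracle Identity Governance user attribute (with the case-insensitive option from keyFieldCaseInsensitive), and a situation-to-response table such as No Matches Found to Create User and One Entity Match Found to Establish Link. The rule and table structures, the Multiple Matches Found and Key Field Missing situation names, and the sample users and records are all constructed for this example; the page itself names only the first two situations.

```groovy
// Added example, not Oracle's code: a minimal model of how a correlation rule and the
// situation/response table decide what happens to each reconciled record.

// Constructed correlation rule: target attribute matched against an OIG user attribute.
// caseInsensitive mirrors the keyFieldCaseInsensitive flag described for schema attributes.
def correlationRule = [targetAttribute: 'userLogin', userAttribute: 'User Login', caseInsensitive: true]

// Situation -> response table as it would be configured for an authoritative application.
// 'Multiple Matches Found' is assumed here; the page names only the first two situations.
def situationResponses = [
    'No Matches Found'      : 'Create User',
    'One Entity Match Found': 'Establish Link',
    'Multiple Matches Found': 'Assign To Administrator With Least Load'
]

// Normalise a key value for comparison; null stays null so a missing key never matches anything.
String normalizeKey(String value, boolean caseInsensitive) {
    if (value == null) return null
    def trimmed = value.trim()
    return caseInsensitive ? trimmed.toLowerCase() : trimmed
}

// Classify one target record against the existing users and look up the configured response.
// A situation with no configured response falls back to 'None', i.e. the event is not processed.
Map reconcile(Map record, List<Map> users, Map rule, Map responses) {
    def key = normalizeKey(record[rule.targetAttribute]?.toString(), rule.caseInsensitive)
    if (!key) {
        // Constructed situation name for a record whose key field is empty: it cannot be correlated,
        // so it must never silently create or link a user.
        return [record: record, situation: 'Key Field Missing', response: 'None', matches: []]
    }
    def matches = users.findAll { normalizeKey(it[rule.userAttribute]?.toString(), rule.caseInsensitive) == key }
    def situation
    if (matches.isEmpty()) situation = 'No Matches Found'
    else if (matches.size() == 1) situation = 'One Entity Match Found'
    else situation = 'Multiple Matches Found'
    return [record: record, situation: situation, response: responses[situation] ?: 'None', matches: matches]
}

// Constructed OIG users and target records; 'carol' and 'Carol' collide once case is ignored
def users = [['User Login': 'ALICE'], ['User Login': 'bob'], ['User Login': 'carol'], ['User Login': 'Carol']]
def records = [[userLogin: 'alice'], [userLogin: 'dave'], [userLogin: 'CAROL'], [userLogin: '  ']]

def results = records.collect { reconcile(it, users, correlationRule, situationResponses) }
results.each { println "${it.record.userLogin.trim() ?: '<empty>'}: ${it.situation} -> ${it.response}" }

assert results[0].response == 'Establish Link'
assert results[1].response == 'Create User'
assert results[2].situation == 'Multiple Matches Found' && results[2].matches.size() == 2
assert results[3].response == 'None'
```

The case-insensitive collision in the sample is the reason the Multiple Matches Found row matters: with the rule set to case insensitive, two existing users that differ only in letter case can never be linked automatically and must go to an administrator rather than being linked to whichever one is found first.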
21.3.2.3.1.3 Updating Validation and Transformation Scripts
Note:
- You cannot add or manage scripts for the applications that are created through the Connector Installer. However, the Java-based transformation and validation provided by the Design Console continue to work.
- You can access any provisioning attribute value in the Groovy script with its display name as defined in the schema section. To do this, replace spaces in the display name with underscore characters (_).
21.3.2.3.2 Updating the Organization Configuration
- Click Add to open the Add Organization window.
- Search for the organization. Select the required organization from the search result table, and click Select.
- Select Hierarchy Aware if you want to publish this application to the organization and its child organizations.
21.4 Creating Templates
You can use the Create Application option to create a target template or an authoritative template and save it in the database for future use.
Creating templates is described in the following sections:
21.4.2 Creating a Target Template
- Perform all the steps described in Creating a Target Application until you reach the Finish page of the Create Target Application wizard.
- In the Finish page:
- Click Save as Template to create a template. The Save as Template window is displayed.
- Enter Template Name and Description, and click OK.
21.5 Modifying Applications
You can edit applications that were created by using the Connector Installation Wizard or applications that were created by using the Create Application option.
The following sections describe how to edit applications:
21.5.1 Editing an Application That Was Created by Using the Connector Installation Wizard
When an authoritative application is created by using the Connector Installation wizard, no default application instance is created. Therefore, the application cannot be edited on the Applications page of Identity Self Service. To edit an authoritative application that was created by using the Connector Installation wizard, follow these steps:
- Create an application instance for this application by using the ApplicationInstanceService.addApplicationInstance(ApplicationInstance appInst) API. See Java API Reference for Oracle Identity Governance for information about this API.
- After the application instance is created, run the Application Template Generation Job scheduled task, which creates a template for the application.
Note:
You cannot add or manage scripts for applications that are created through the Connector Installer. However, the Java-based transformation and validation that the Design Console provides continue to work.
21.6 Cloning Applications
When you clone an application, all the configurations of the base application are copied into the cloned application.
21.7 Creating Instance Applications
You can create an application instance that has the same configurations as the base application.
Note:
The following configurations are shared between the instance and the base application:
- Advanced configurations
- Schema configurations
- Provisioning configuration
- Reconciliation configuration
21.8 Creating Applications in Bulk
You can load base applications and instance applications in bulk by using the Application Bulk Create scheduled task.
See Predefined Scheduled Tasks in Administering Oracle Identity Governance for information about this scheduled task.
The templates are processed in the following way:
- The templates that do not contain a base application name are processed first, and new applications are created synchronously.
- The templates that do contain a base application name are used to create instance applications. These templates are processed asynchronously.
See Application Template for more information about templates and how they are created.
Note:
When you create applications by using a job run of the Application Bulk Create scheduled task, use a sandbox to create the UI form from Identity System Administration.
21.9 Configuring Flat Files
For connected applications, you can configure flat files by loading data from CSV files.
Configuring flat files involves providing basic information, loading data from a CSV file for a connected system, auto-discovery of the schema from the source, and updating the reconciliation jobs for the predefined job modes.
To create a flat file configuration for a connector application, log in to Identity Self Service, go to the Manage tab, and click the Applications box to open the Applications page. Use the search option to search for the application, or click the search icon to list all the connector applications. Select the application for which you want to create a flat file configuration.
From the Actions menu, select Flat File, Configure. Alternatively, click Flat File on the toolbar, and select Configure to open the Configure Application using Flat File page.
From this point onward, page-wise instructions are provided in the following sections:
21.9.1 Providing Basic Information for Flat Files
21.9.2 Providing Settings Information for Flat Files
In the settings tab, under the User panel, click Preview Settings. In the Reconciliation Jobs section, you can review and if required, update or add new reconciliation jobs.
The following reconciliation job modes are supported:
-
Flat File Full: This is used to reconcile all existing user records from the target system into Oracle Identity Governance.
-
Flat File Diff Sync: This is used to perform difference-based reconciliation.
-
Flat File Delete Sync: This is used to perform a delete reconciliation run based on given Delete Attribute and Delete Attribute value.
-
Flat File Delete: This is used for reconciliation of deleted records.
-
Flat File Entitlement: This is used for lookup field synchronization.
To add a job:
21.10 Managing Flat File Configurations
You can edit the flat file configurations created for an application or you can manage jobs for the flat file configurations.
21.11 Managing Jobs
You can add, update, and run the reconciliation jobs for applications from Identity Self Service.
21.12 Upgrading Connector Applications
You can use the Upgrade option to upgrade the applications and the application instances created through application onboarding, and view the upgrade process status.
This section contains the following topics:
21.12.1 About Upgrading Applications
You can upgrade the applications that are created through application onboarding.
Before starting the upgrade, replace the old connector package with the new connector package in the Connector Default Directory, which is MW_HOME/idm/server/ConnectorDefaultDirectory/. During the upgrade process, the available upgrade files are listed based on the version comparison between the master template, which is the default template that is shipped with the connector package, and the template present in the Connector Default Directory.
The upgrade process lists the difference between the old template and the new template. This allows you to accept or reject the upgraded parameters or attributes in basic configurations, advanced configurations, schema attributes, child forms, reconciliation jobs, and capabilities.
Note:
-
The difference in the Pre-config.xml file is not shown here.
-
The templates created by using the Save as Template option in the Create Application page cannot be upgraded by using this Upgrade option.
21.12.2 Upgrading Applications
You can upgrade the applications that are created through application onboarding by using the Upgrade option on the Applications page.
Note:
-
If there are changes to the application schema during upgrade, then the UI form must be changed manually. See Modifying Forms in Administering Oracle Identity Governance for information about modifying forms.
-
After upgrade, Transformation and Validation Scripts must be manually changed for each application by editing the application. See Modifying Applications.
21.13 Deleting Applications
You cannot delete applications from Oracle Identity Self Service.
In some situations, such as when the application creation process fails, the system may contain partially committed applications. To remove partially committed applications from the system, run the connector uninstall utility, as described in Uninstalling Connectors in Administering Oracle Identity Governance.
21.14 About Customizing Groovy Scripts
The Groovy Helper in Oracle Identity Governance provides options for transforming and validating data during reconciliation or provisioning operations.
The following options are available:
-
Provisioning Mechanism Information: Call the context.provisionMechanism method to get the provisioning mechanism from the Groovy Helper. The possible values are REQUEST, ADMIN, and POLICY. These values are case-sensitive.
-
Operation Information: Call the context.operationType method to get the type of operation from the Groovy Helper. The possible values are create and modify. These values are case-sensitive.
-
Common Data Container Information: This includes the following:
-
Requester Information: Call the context.requester method to identify the requester information (the user initiating the provisioning request) from the Groovy Helper. The user object, from which any user attribute can be obtained, is returned. For example, context.requester.getAttribute("User Login") returns the user ID of the requester.
-
Requester Manager Information: Call the context.requesterManager method to identify the requester's manager information (the manager of the user initiating the provisioning request) from the Groovy Helper. The user object, from which any user attribute can be obtained, is returned. For example, context.requesterManager.getAttribute("User Login") returns the user ID of the requester's manager.
-
Beneficiary Information: Call the context.beneficiary method to identify the beneficiary information (the user for whom the provisioning request is initiated) from the Groovy Helper. The user object, from which any user attribute can be obtained, is returned. For example, context.beneficiary.getAttribute("User Login") returns the user ID of the beneficiary.
-
Beneficiary Manager Information: Call the context.beneficiaryManager method to identify the beneficiary's manager information (the manager of the user for whom the provisioning request is initiated) from the Groovy Helper. The user object, from which any user attribute can be obtained, is returned. For example, context.beneficiaryManager.getAttribute("User Login") returns the user ID of the beneficiary's manager.
-
Beneficiary Password Information: Call the context.beneficiaryPassword method to identify the beneficiary's password from the Groovy Helper.
Note:
For more information on how to access user attributes, see the User Management APIs.
You can use the Groovy Helper methods in the following ways:
-
Derived attributes: You can form attributes that are dependent on two or more other attributes. For example, the full name attribute is a combination of the first name, middle name, and last name attributes.
User_Id = context.beneficiary.getAttribute("User Login");
First_Name = context.beneficiary.getAttribute("First Name");
Last_Name = context.beneficiary.getAttribute("Last Name");
Middle_Name = context.beneficiary.getAttribute("Middle Name");
Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
-
Default value attributes: You can form attributes whose default value must be populated. For example, if the user does not provide organization details, then the default value is set to Server Technology.
if (Organization == null || Organization == "") { Organization = "Server Technology"; }
-
Transformed attributes: You can form attributes whose value is transformed. For example, @example.com is appended to the User ID attribute.
User_Id = User_Id.toString() + "@example.com";
In the following sample script, data is transformed based on the type of provisioning, such as REQUEST, POLICY, or ADMIN, and on the type of operation being performed, such as creation or modification. All the variable values are initialized and available for provisioning and reconciliation operations, except resultList, which is defined and declared in the script itself.
def resultList;
if (binding.variables.containsKey("context"))
{
    if(context.operationType.equals("create"))
    {
        if(context.provisionMechanism.equals("POLICY"))
        {
            // Access-policy provisioning: read the identity from the beneficiary object.
            User_Id = context.beneficiary.getAttribute("User Login");
            First_Name = context.beneficiary.getAttribute("First Name");
            Last_Name = context.beneficiary.getAttribute("Last Name");
            Middle_Name = context.beneficiary.getAttribute("Middle Name");
            Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
            Common_Name = Full_Name;
            Password = context.beneficiaryPassword;
        }
        else if(context.provisionMechanism.equals("REQUEST") || context.provisionMechanism.equals("ADMIN"))
        {
            // Request or admin provisioning: the name attributes come from the form.
            Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
            Common_Name = Full_Name;
        }
        if(Organization_Name != null && Organization_Name.indexOf("~") != -1)
        {
            // Organization_Name has the form "<name>~<container DN>"; use the container part.
            resultList = Organization_Name.tokenize("~");
            User_Full_DN = "CN=" + Common_Name + "," + resultList[1];
        }
    }
    else if(context.operationType.equals("modify"))
    {
        Full_Name = First_Name + ". " + Middle_Name + ". " + Last_Name;
        Common_Name = Full_Name;
        if(Organization_Name != null && Organization_Name.indexOf("~") != -1)
        {
            resultList = Organization_Name.tokenize("~");
            User_Full_DN = "CN=" + Common_Name + "," + resultList[1];
        }
    }
}
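The sample above concatenates name parts that may be null and embeds the Common Name directly into User_Full_DN, so a value containing a comma or other DN metacharacter changes the structure of the resulting DN. The following transformation script is an added example, not code from the Oracle documentation or from any connector package. It assumes the same bound script variables as the sample (First_Name, Middle_Name, Last_Name, Organization_Name, Common_Name, Full_Name, User_Full_DN, User_Id, Password), the Groovy Helper context object described in this section, and the "name~container" format of Organization_Name taken from the sample; the escaping rules follow RFC 4514.

```groovy
// Added example (not from the Oracle documentation): a null-safe transformation
// script that escapes the Common Name before it is placed in User_Full_DN.
// Assumes the bound variables used by the sample script in this section and the
// Groovy Helper "context" object.

// Read a bound script variable without throwing MissingPropertyException
// when the attribute is absent from the binding.
def attr = { String name ->
    binding.variables.containsKey(name) ? binding.variables[name] : null
}

// Escape the characters that RFC 4514 treats as special inside a DN attribute
// value, so that a name such as "Smith, Jr." cannot add further DN components.
def escapeDnValue = { String value ->
    if (value == null) return ""
    def out = new StringBuilder()
    for (int i = 0; i < value.length(); i++) {
        String c = value[i]                       // one-character String
        if (c in [',', '+', '"', '\\', '<', '>', ';', '=']) {
            out.append('\\').append(c)            // backslash-escape the special character
        } else if (c == '#' && i == 0) {
            out.append('\\#')                     // '#' is special only in the leading position
        } else if (c == ' ' && (i == 0 || i == value.length() - 1)) {
            out.append('\\ ')                     // leading and trailing spaces must be escaped
        } else {
            out.append(c)
        }
    }
    return out.toString()
}

// Join only the name parts that are present, using the ". " separator from the
// sample, instead of concatenating values that may be null.
def buildFullName = { first, middle, last ->
    [first, middle, last]
        .findAll { it != null && it.toString().trim() != "" }
        .collect { it.toString() }
        .join(". ")
}

if (binding.variables.containsKey("context")) {
    def mechanism = context.provisionMechanism   // REQUEST, ADMIN or POLICY
    def operation = context.operationType        // create or modify

    if (operation == "create" && mechanism == "POLICY") {
        // Access-policy provisioning: take the identity from the beneficiary object.
        User_Id     = context.beneficiary.getAttribute("User Login")
        First_Name  = context.beneficiary.getAttribute("First Name")
        Middle_Name = context.beneficiary.getAttribute("Middle Name")
        Last_Name   = context.beneficiary.getAttribute("Last Name")
        Password    = context.beneficiaryPassword
    }
    // For REQUEST/ADMIN create and for modify, the form values already bound as
    // First_Name, Middle_Name and Last_Name are used as they are.

    Full_Name   = buildFullName(attr("First_Name"), attr("Middle_Name"), attr("Last_Name"))
    Common_Name = Full_Name

    def org = attr("Organization_Name")
    if (org != null && org.toString().indexOf("~") != -1) {
        def parts = org.toString().tokenize("~")
        // Build the DN only when the container part exists: tokenize() on "Name~"
        // yields a single element, and parts[1] would be null.
        if (parts.size() >= 2) {
            User_Full_DN = "CN=" + escapeDnValue(Common_Name) + "," + parts[1]
        }
    }
}
```

With this script, a beneficiary named "Smith, Jr." and a container "OU=Users,DC=example,DC=com" produce "CN=Jane. Smith\, Jr.,OU=Users,DC=example,DC=com", keeping the account inside the intended container regardless of what the name contains.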
The following is a sample Validation Groovy Script that displays an error message if the User ID is not provided.
def errors = "";
// Reject a missing or empty User ID; an empty return value means validation passed.
if(User_Id == null || User_Id == "")
{
    errors = errors + " User Id cannot be null";
}
return errors;
In the validation script, you can specify a list of accounts that are excluded from reconciliation and provisioning operations. Accounts, whose user IDs are specified in the exclusion list, are not affected by reconciliation and provisioning operations.
The following is a sample Validation Groovy Script for Resource Exclusion script:
def errors = "";
def excludedUsers = ['user01','user02'];
// Anchored pattern for the whole User ID; the quantifier allows more than one character.
def regexStr = /^[a-zA-Z0-9_]+$/;
if(User_Id == null || !User_Id.matches(regexStr)) errors = errors + " Invalid UserId";
if(excludedUsers.contains(User_Id)) errors = errors + " User Id lies in excluded list";
return errors;
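A validation script that combines the User ID check and the resource-exclusion check from the two samples above, as an added example that is not part of the Oracle documentation. It rejects a null User_Id instead of dereferencing it, bounds the User ID length, matches the exclusion list case-insensitively (directory logins are usually case-insensitive), and rejects DN metacharacters in the name attributes that the transformation script feeds into User_Full_DN. The entries in excludedUsers and the 3 to 64 character limits are constructed placeholders; User_Id, First_Name and Last_Name are the bound form attributes used elsewhere in this section.

```groovy
// Added example (not from the Oracle documentation): a hardened validation
// script. Assumes the bound form attributes User_Id, First_Name and Last_Name.

def errors = ""
def excludedUsers = ['user01', 'user02', 'svc_admin']   // constructed placeholders
def userIdPattern = /^[a-zA-Z0-9_]{3,64}$/              // whole value, 3 to 64 characters (assumed limits)
def dnSpecials    = /[,+"\\<>;=]/                       // characters that change DN structure

// Read the attribute only when it is bound, so a missing attribute is reported
// as an error rather than raising MissingPropertyException.
def userId = binding.variables.containsKey("User_Id") ? User_Id : null

if (userId == null || userId.toString().trim() == "") {
    errors = errors + " User Id cannot be null"
} else {
    def id = userId.toString()
    if (!id.matches(userIdPattern)) {
        errors = errors + " Invalid UserId"
    }
    if (excludedUsers.any { it.equalsIgnoreCase(id) }) {
        errors = errors + " User Id lies in excluded list"
    }
}

// The name attributes become the Common Name and, through it, part of
// User_Full_DN, so reject DN metacharacters here as a second line of defence
// in addition to escaping them in the transformation script.
["First_Name", "Last_Name"].each { name ->
    if (binding.variables.containsKey(name)) {
        def v = binding.variables[name]
        if (v != null && (v.toString() =~ dnSpecials)) {
            errors = errors + " " + name + " contains characters not allowed in a DN"
        }
    }
}

// An empty string means the record passed validation, as in the samples above.
return errors
```

For a User_Id of "User01" the script returns " User Id lies in excluded list" even though the exclusion entry is lower case, and for a null User_Id it returns " User Id cannot be null" instead of failing with an exception inside the provisioning task.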
Action scripts are configured to run before or after create, update, enable, disable, change user password, and delete provisioning operations. For example, you can configure a script to run before a user is created.
The following action script creates a text file on the target system with a given name. You can configure this script for the Active Directory Connector.
echo create >> C:\%givenName%.txt
21.15 Troubleshooting Application Onboarding
Problems that you encounter while performing application onboarding may be related to authorization or may reflect issues with template creation.
This section describes the troubleshooting procedures to follow as you resolve issues during application onboarding.
Problem
A user who is a member of an organization other than the default organization cannot create an application.
Solution
Make sure that the user has the correct administration roles. Only users who have the ApplicationInstanceAdministrator administration role can perform the following actions from the Applications page of Identity Self Service:
-
Create, modify, delete, or search applications within organizations that are defined under the scope of control of the administration roles.
-
Create, modify, delete, or search applications within the parent organization.
For more information on administration roles, see Managing Administration Roles.
Problem
You want to generate a template for applications that were created through the Connector Installer, before or after upgrading the applications, by running the Application Template Generation Job scheduled job.
Solution
Lookup.AOB.Certified.Bundles must have an entry for the bundle of the application for which the template is being generated. Lookup.AOB.Certified.Bundles must be updated with the following inputs:
-
Key: The name of the bundle that contains advanced configuration information.
-
Value: The connector display name. The CONNECTOR_NAME-CI.xml file must be present in the configuration folder.
The connector display name and the connector version are set in the generated template. If it is not possible to identify the unique connector display name for a given bundle name, then the value in the lookup is set to Unidentified, and the connector display name and connector version are not set when the template is generated. It is the Application Administrator's responsibility to set the correct connector display name and version.
Note:
Only certified bundles are part of this lookup.
Problem
The resource history for a provisioned account shows additional process tasks for field updates.
Solution
This is expected. Process tasks are created for all fields in the schema attribute except for Writeback and SoD fields. These process tasks are for single updates of fields. In some cases, such as when a derived attribute and its value are updated as a part of a transformation script, the process task is triggered. In this case, the resource history for a provisioned account may show additional process tasks for derived attributes.
Problem
Logging of application onboarding with the package oracle.iam.application is enabled, but the log for the entire flow is not available.
Solution
Application onboarding relies on the existing provisioning, reconciliation, scheduler, and catalog engines. To enable logging for application onboarding, logging of all the underlying engines should be enabled.
Problem
When you try to manage, from the Design Console, an application that was created from the Applications page in Identity Self Service, it shows unexpected behavior.
Solution
Applications that are created from the Applications page in Identity Self Service must not be managed from the Design Console.