
Tuesday, July 22, 2014

Building the OIM metadata for the database reconciliation ICF connector

The following components are required to build ICF connector reconciliation (target reconciliation):

1. Reconciliation Lookup Configuration
2. Resource Object Reconciliation Fields
3. Resource Object Reconciliation Action Rules
4. Process Definition Reconciliation Field Mappings
5. Reconciliation Rules
6. Creating Reconciliation Profiles
7. Importing the Schedule Task Reconciliation Metadata to OIM Repository.
8. Create the OIM Schedule Job
9. Restart the OIM Server
10. Run the Reconciliation Schedule Task



1. Reconciliation Lookup Configuration

The Lookup.dbcf.UM.ReconAttrMap lookup is required to map the target resource to the OIM ICF connector Resource Object reconciliation fields. The lookup Code is the Resource Object Reconciliation Field Name and the Decode is the Target Resource Schema name.

1. Unique ID=__UID__
2. User Login=userLogin
3. First Name=firstName
4. Last Name=lastName
5. Middle Name=middleName
6. Status=status

2. Resource Object Reconciliation Fields

This component defines the OIM ICF connector process form field label names and their data types for the reconciliation mapping. We also define the IT Resource Object and the Object Status mapping. They are:

1. Unique ID = string
2. User Login = string
3. First Name = string
4. Last Name = string
5. Middle Name = string
6. Status = string
7. IT Resource Key = number


For a reconciliation request, OIM builds the reconciliation object from the target data and also adds the Status and the IT Resource Key to the reconciliation request. The Status value must be Enabled or Disabled for the target reconciliation mapping. If the target uses any other value, you need to write User Transformation for Recon Java code.

To create the reconciliation fields:

Log in to the Design Console --> Resource Management --> Object Reconciliation --> Reconciliation Fields --> Add Field. It will display the following screen.

Enter Unique ID as the Field Name and string as the Field Type. Click the Save and Close button. This creates the reconciliation field.

Repeat these steps to create the reconciliation fields for the remaining fields.


3. Resource Object Reconciliation Action Rules

This component is required to link each target account to its associated OIM user based on the reconciliation rules. The following reconciliation action rules need to be created:

Rule Condition - Action

1. No Matches Found  = None
2. One Entity Match Found = Establish Link
3. One Process Match Found = Establish Link


To create the reconciliation action rules:

Log in to the Design Console --> Resource Management --> Object Reconciliation --> Reconciliation Action Rules --> Add. It will display the following screen.

Select No Matches Found as the Rule Condition and None as the Rule Action. Repeat these steps to create the reconciliation action rules for the remaining rule conditions.


4. Process Definition Reconciliation Field Mappings

This component is required to populate the OIM connector process form with data from the target resource so that the reconciliation rules can be evaluated. The following fields need to be mapped:

Resource Reconciliation Field  - Process Form Column Name
1. Unique ID = UD_DBICF_USR_UNIQUE_ID
2. User Login = UD_DBICF_USR_LOGIN
3. First Name = UD_DBICF_USR_FIRST_NAME
4. Last Name = UD_DBICF_USR_LAST_NAME
5. Middle Name = UD_DBICF_USR_MIDDLE_NAME
6. Status = OIM_OBJECT_STATUS
7. IT Resource Key = UD_DBICF_USR_SERVER

Replace each Process Form Column Name with your own process form column name. The Status field is always mapped to OIM_OBJECT_STATUS.

To create the Process Definition reconciliation field mappings:

Log in to the Design Console --> Process Definition --> Search Process Definition --> Select Process Definition in the Process Definition Table --> Reconciliation Field Mappings --> Add Field Map. It will display the following screen.

Select Unique ID as the Field Name and UD_DBICF_USR_UNIQUE_ID as the Process Data Field. Click the Save and Close icon to create the reconciliation field mapping. Repeat these steps to create the reconciliation field mappings for the remaining fields.

Configuring the Reconciliation Key Field

This configuration is required to maintain uniqueness during reconciliation. The configuration is as follows:



5. Reconciliation Rules

This component is required to evaluate the OIM data against the reconciliation target data and to link the OIM user to the target user.

OIM User  -  Target User

1. User Login  = User Login.


To create the reconciliation rule:

Log in to the Design Console --> Development Tools --> Reconciliation Rules. It will display the following screen.

Enter the Name, select the Object, and enter the Description. Click Save and it will display the following screen.

Click Add Rule Element and it will display the following screen.

Select User Login as the User Profile Data, Equals as the Operator, and User Login as the Attribute, then click the Save and Close button. This creates the reconciliation rule. Replace the User Profile Data, Operator, and Attribute according to your requirements.

After configuration, the reconciliation rule looks like this:

Select the Active check box and click the Save icon. This activates the reconciliation rule.
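How sections 1, 2, 3 and 5 fit together, as an added Python model (not OIM code and not the author's): it maps a target row through the lookup, rejects a Status that still needs transformation, applies the User Login rule and the three action rules, and lists the target accounts that end up without an owner. The sample rows, the exact-match comparison and all function names are assumptions made for the illustration.

```python
# Lookup.dbcf.UM.ReconAttrMap (section 1): reconciliation field -> target attribute.
RECON_ATTR_MAP = {
    "Unique ID": "__UID__", "User Login": "userLogin", "First Name": "firstName",
    "Last Name": "lastName", "Middle Name": "middleName", "Status": "status",
}
# Reconciliation action rules (section 3): rule condition -> action.
ACTION_RULES = {
    "No Matches Found": "None",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}

def build_event(target_row, it_resource_key):
    """Build the reconciliation fields of section 2 from one target row."""
    event = {field: target_row.get(attr) for field, attr in RECON_ATTR_MAP.items()}
    if event["Status"] not in ("Enabled", "Disabled"):
        # Any other value needs transformation code first (section 2).
        raise ValueError(f"Status needs transformation: {event['Status']!r}")
    event["IT Resource Key"] = it_resource_key
    return event

def evaluate(event, oim_logins, linked_uids):
    """Return (rule condition, action) for one event.

    oim_logins: User Login values of OIM users (assumed exact-match compare).
    linked_uids: Unique IDs of accounts OIM already holds (the key field).
    """
    if event["Unique ID"] in linked_uids:
        condition = "One Process Match Found"
    else:
        hits = [login for login in oim_logins if login == event["User Login"]]
        condition = {0: "No Matches Found", 1: "One Entity Match Found"}.get(
            len(hits), "Multiple Entity Matches Found")
    return condition, ACTION_RULES.get(condition, "no action rule defined")

def unowned_accounts(target_rows, it_resource_key, oim_logins, linked_uids):
    """Target logins whose events end in 'No Matches Found' (left unlinked)."""
    events = [build_event(row, it_resource_key) for row in target_rows]
    return [e["User Login"] for e in events
            if evaluate(e, oim_logins, linked_uids)[0] == "No Matches Found"]

# Constructed sample data, not taken from the page.
SAMPLE_ROWS = [
    {"__UID__": "101", "userLogin": "JDOE", "firstName": "John", "lastName": "Doe", "status": "Enabled"},
    {"__UID__": "102", "userLogin": "SVC_BATCH", "firstName": "Batch", "lastName": "Job", "status": "Enabled"},
    {"__UID__": "103", "userLogin": "ASMITH", "firstName": "Ann", "lastName": "Smith", "status": "Disabled"},
]
OIM_LOGINS, LINKED_UIDS = ["JDOE", "ASMITH"], {"103"}
```

With the action rules above, an account such as SVC_BATCH produces an event with no action, so the list returned by `unowned_accounts` is the set of target accounts that still need an owner assigned or a review.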


6. Creating Reconciliation Profiles

This component is required to create the reconciliation profile in the OIM repository.

To create the reconciliation profile:

Log in to the Design Console --> Resource Management --> Object Reconciliation --> Create Reconciliation Profile. This creates the reconciliation profile.

7. Importing the Schedule Task Reconciliation Metadata to OIM Repository.

This component is required to reconcile users from the target system.


The following XML needs to be imported to create the scheduled task:



<?xml version = '1.0' encoding = 'UTF-8'?>
<xl-ddm-data version="2.0.1.0" user="XELSYSADM" database="jdbc:oracle:thin:@localhost:5524/estView.regress.rdbms.dev.us.oracle.com" exported-date="1307546406635" description="FF">
<scheduledTask repo-type="MDS" name="DataBaseICFConnectorReconciliation" mds-path="/db" mds-file="DataBaseICFConnectorReconciliation.xml">
    <completeXml>
        <scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">
            <task>
                <name>DataBaseICFConnectorReconciliation</name>
                <class>oracle.iam.connectors.icfcommon.recon.SearchReconTask</class>
                <description>DataBaseICFConnectorReconciliation</description>
                <retry>0</retry>
                <parameters>
                    <string-param required="false" encrypted="false" helpText="Filter">Filter</string-param>
                    <string-param required="false" encrypted="false" helpText="Incremental Recon Date Attribute">Incremental Recon Date Attribute</string-param>
                    <string-param required="false" encrypted="false" helpText="IT Resource Name">IT Resource Name</string-param>
                    <string-param required="false" encrypted="false" helpText="Object Type">Object Type</string-param>
                    <string-param required="false" encrypted="false" helpText="Latest Token">Latest Token</string-param>
                    <string-param required="false" encrypted="false" helpText="Resource Object Name">Resource Object Name</string-param>
                </parameters>
            </task>
        </scheduledTasks>
    </completeXml>
</scheduledTask>
</xl-ddm-data>



Log in to the OIM Console --> Advanced --> Import Deployment Manager File --> Select the Scheduler Task File --> Add File --> Import. This imports the XML file into the OIM repository.

8. Create the OIM Schedule Job

This component is required to create the scheduled job that reconciles users from the target system to OIM.

Log in to the OIM Console --> Advanced --> System Management --> Actions --> Create. It will display the following screen.

Enter the Job Name and select the DataBaseICFConnectorReconciliation task from the task list. After you select the task name from the list, it shows the following scheduled task parameters:

1. Filter
2. Incremental Recon Date Attribute
3. IT Resource Name
4. Object Type
5. Latest Token
6. Resource Object Name

Enter equalTo('userLogin','Login') as the Filter, <IT Resource Name> as the IT Resource Name, User as the Object Type, and Database ICF User as the Resource Object Name. Replace the Filter, IT Resource Name, and Resource Object Name according to your naming convention.


9. Restart the OIM Server

Log in to the OIM server, go to the $DOMAIN_HOME/bin directory, and run the following scripts:

./stopManagedWebLogic.sh oim_server1 t3://weblogicadminhost:port
./startManagedWebLogic.sh oim_server1 t3://weblogicadminhost:port

10. Run the Reconciliation Schedule Task

After you run the scheduled job, it fetches the data from the target resource and creates the reconciliation events. If the reconciliation rule matches, it associates the owner with the target account.



Build the Incremental Reconciliation Data Base ICF Connector

9 comments:

  1. Can the Unique ID data label be another string such as "my data field", and if yes, do I need to put it in the Lookup.dbcf.UM.ReconAttrMap?

    What is the purpose of the Unique ID label?

    Thanks in advance.

  2. Hi

    I have used the Unique ID label because this ID is auto-generated while provisioning the user and is also synced with the Process Form after creating the user. This unique ID is being used to update the data in the target resource.

    The Unique ID is a primary key in the database and it is auto-generated.
    If you're building a new connector, for example an Exchange connector, the GUID is unique across the Exchange server, so you can map the GUID to Unique ID.

    Let me know if you need more help.

  3. Hi again, I'll follow the steps of this tutorial with my own database with its domain class for the table (I map the table IcfTest with my class IcfUsr)

    import java.io.Serializable;

    import javax.persistence.Basic;
    import javax.persistence.Column;
    import javax.persistence.Entity;
    import javax.persistence.Id;
    import javax.persistence.Table;
    import javax.xml.bind.annotation.XmlRootElement;

    // JPA entity mapped to the ICF_USR target table.
    @Entity
    @Table(name = "ICF_USR")
    @XmlRootElement
    public class IcfUsr implements Serializable {

        private static final long serialVersionUID = 1L;
        // @Max(value=?) @Min(value=?)//if you know range of your decimal fields consider using these annotations to enforce field validation
        @Id
        @Basic(optional = false)
        @Column(name = "ID")
        private Long id;
        @Column(name = "NUMEROCLIENTEALTAMIRA")
        private String numeroclientealtamira;
        @Column(name = "NOMBREUSUARIO")
        private String nombreusuario;
        @Column(name = "USERPASSWORD")
        private String userpassword;
        @Column(name = "NOMBREPILA")
        private String nombrepila;
        @Column(name = "APELLIDOCLIENTE")
        private String apellidocliente;
        @Column(name = "SEGUNDONOMBRECLIENTE")
        private String segundonombrecliente;
        @Column(name = "STATUS")
        private String status;

        public IcfUsr() {
        }

        public IcfUsr(Long id) {
            this.id = id;
        }

        public Long getId() {
            return id;
        }

        public void setId(Long id) {
            this.id = id;
        }

        public String getNumeroclientealtamira() {
            return numeroclientealtamira;
        }

        public void setNumeroclientealtamira(String numeroclientealtamira) {
            this.numeroclientealtamira = numeroclientealtamira;
        }

        public String getNombreusuario() {
            return nombreusuario;
        }

        public void setNombreusuario(String nombreusuario) {
            this.nombreusuario = nombreusuario;
        }

        public String getUserpassword() {
            return userpassword;
        }

        public void setUserpassword(String userpassword) {
            this.userpassword = userpassword;
        }

        public String getNombrepila() {
            return nombrepila;
        }

        public void setNombrepila(String nombrepila) {
            this.nombrepila = nombrepila;
        }

        public String getApellidocliente() {
            return apellidocliente;
        }

        public void setApellidocliente(String apellidocliente) {
            this.apellidocliente = apellidocliente;
        }

        public String getSegundonombrecliente() {
            return segundonombrecliente;
        }

        public void setSegundonombrecliente(String segundonombrecliente) {
            this.segundonombrecliente = segundonombrecliente;
        }

        public String getStatus() {
            return status;
        }

        public void setStatus(String status) {
            this.status = status;
        }

        @Override
        public int hashCode() {
            int hash = 0;
            hash += (id != null ? id.hashCode() : 0);
            return hash;
        }

        @Override
        public boolean equals(Object object) {
            // TODO: Warning - this method won't work in the case the id fields are not set
            if (!(object instanceof IcfUsr)) {
                return false;
            }
            IcfUsr other = (IcfUsr) object;
            if ((this.id == null && other.id != null) || (this.id != null && !this.id.equals(other.id))) {
                return false;
            }
            return true;
        }

        @Override
        public String toString() {
            return "identity.dbconnector.domain.IcfUsr[ id=" + id + " ]";
        }
    }

    But we only get the next in the log:



    And it looks like that is good, but the data in OIM doesn't change.

    Could you help me please.

    Thanks.

  4. Hi,

    Please verify the following components for triggering the target reconciliation:

    1. Connector Code:

    Please implement the SearchOp and GetApiOp interfaces in the connector code

    2. Building the ICF Connector Jar File:

    The following parameters should exist in the manifest file in the META_INF directory, and the ICF jar should be deployed using UploadJar.sh:
    ConnectorBundle-FrameworkVersion:
    ConnectorBundle-Name: ConnectorName
    ConnectorBundle-Version:

    3. Connector Lookup Config:

    Please verify that the step 2 values are mapped in the lookup configuration:

    Bundle Version
    Bundle Name
    Connector Name

    4. Please verify Reconciliation Lookup map for fields mapping from Process Form to Target Resource Fields:

    5. Building the OIM Schedule Job:

    Please verify the reconciliation schedule job deployed in the OIM Server.

    6. Checking the Log:

    Please verify the OIM Log file and fetching the data from the target connector for reconciliation

    7. Check Reconciliation Event


    Please verify all above steps and it will resolve the issue.



  5. Step 6 is not so clear to me: does the logger write the records automatically in the OIM console server, or do I need to set up a FileHandler?

    And how can I do step 7?

    Thanks and regards.

    Replies
    1. Hi,

      You can verify the reconciliation data log in the OIM server diagnostic logs, or you can create a log handler to log your connector log information.

      For step 7, you can verify the reconciliation events in the OIM Admin Console as follows:

      After logging in to the OIM Admin Console, click Advanced --> Event Management --> Reconciliation --> Search Reconciliation. You can see all your reconciliation statuses with the target resource data.

      Please let me know if you need more help.

  6. Bingo !!! I can reconcile one user but I don't know exactly what the second attribute in your Filter is: equalTo('userLogin','Login').

    Is 'Login' a hardcoded value or a variable in your database or OIM configuration?

    Thanks again.

    Replies
    1. Hi

      The userLogin field is available in the UserProfile object and Login is a value. You can replace the Login value with your own Login value.

      You need to implement the SearchOp interface and override the createFilterTranslator and executeQuery methods to implement the OIM Scheduler for Reconciliation.

      You want to query the user based on the filters from the target resource. For that reason you should extend the AbstractFilterTranslator class and override the required filter methods for your reconciliation. For example, I have used the equalTo filter to retrieve the user from the target resource and link it with the OIM user account. I have overridden the createEqualsExpression method to use the equalTo filter in the OIM scheduler.

      Please let me know if you need more assistance.

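The filter handling described in the reply above, modelled in Python as an added example (it is not the author's connector code, which would be Java against the ICF API): the job's Filter string becomes a WHERE clause in which the column name comes from a fixed allow-list and the value is passed as a bound parameter. The table name, column names and sample rows are assumptions, since the page does not show the target schema.

```python
import re
import sqlite3

# Hypothetical target columns; the page does not list the table layout.
COLUMN_FOR_ATTRIBUTE = {"__UID__": "ID", "userLogin": "USER_LOGIN", "status": "STATUS"}
FILTER_RE = re.compile(r"\s*equalTo\(\s*'(\w+)'\s*,\s*'(.*)'\s*\)\s*")

def translate_equal_to(filter_text):
    """Turn equalTo('attr','value') into (where_clause, params).

    Plays the role the reply gives to createEqualsExpression: only a
    column name from the allow-list enters the SQL text, never the value.
    """
    m = FILTER_RE.fullmatch(filter_text)
    if m is None:
        raise ValueError("only equalTo('attribute','value') is modelled here")
    attribute, value = m.groups()
    if attribute not in COLUMN_FOR_ATTRIBUTE:
        raise ValueError(f"attribute is not searchable: {attribute!r}")
    return f"{COLUMN_FOR_ATTRIBUTE[attribute]} = ?", [value]

def build_query(filter_text=None):
    """Stand-in for executeQuery: no filter means a full reconciliation."""
    sql = "SELECT ID, USER_LOGIN, STATUS FROM TARGET_USERS"  # hypothetical table
    if not filter_text:
        return sql, []
    where, params = translate_equal_to(filter_text)
    return f"{sql} WHERE {where}", params

def search(filter_text=None):
    """Run the query on a constructed in-memory table; return the logins."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE TARGET_USERS (ID INTEGER PRIMARY KEY, USER_LOGIN TEXT, STATUS TEXT)")
    db.executemany(
        "INSERT INTO TARGET_USERS VALUES (?, ?, ?)",
        [(101, "JDOE", "Enabled"), (102, "O'BRIEN", "Enabled"), (103, "ASMITH", "Disabled")])
    sql, params = build_query(filter_text)
    return [row[1] for row in db.execute(sql + " ORDER BY ID", params)]
```

A login containing a quote, such as the constructed O'BRIEN row, is matched as data because it never becomes part of the SQL text, and a Filter naming an attribute outside the allow-list is rejected before any query is built.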
  7. Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. ICF Materials
