The Oracle Database Connector supports both Provisioning and Identity.
- The Identity functionalities of this connector enable you as an Identity administrator to configure Oracle Database as a connected system and then make Identity users part of the Oracle Database system. This enables the user or Identity administrator to reset Oracle Database account passwords. This also enables you to enable and disable user accounts.
- The Provisioning functionalities of this connector enable exporting and importing user accounts on an Oracle Database system.
- Prerequisites
- Creating the Connected System
- Using the Connected System for Provisioning
- Lookup Data
Functionalities
Provisioning Integration
Data Format |
Export |
Create |
Modify |
Delete |
Trigger |
Tables |
Yes |
Yes |
Yes |
Yes |
Yes |
Api |
No |
Yes |
Yes |
Yes |
No |
Identity Integration
Product Feature |
Supported |
Authenticate (Test Connection) |
Yes |
Validate User |
Yes |
Enable/Disable User |
Yes |
Reset Password |
Yes |
Expire Password Immediately |
Yes |
Expire Password by Date |
No |
Prerequisites
Ensure that these prerequisites are satisfied:
- Oracle Database Version 10g is installed, configured, and running.
- An administrator account that can be used to establish a connection and has authority to manage accounts on the connected system.
Creating the Connected System in the Admin UI
Log in to Identity Administration and click the Systems tab.
-
On the Connected System View page, click the Add button and select the Oracle Database connected system from the Type drop-down list. The Connected System Details page displays the default values:
-
Enter the desired information:
Definition Supported Connectors
Displays whether the connected system is Identity only, Provisioning only, or both. Password Policy Displays the name of the password policy associated with the connected system.
Connected System Group
Displays the name of the system group that includes this connected system.
Note: If a password policy is associated with a connected system and then the connected system is placed in a group, the group’s password policy will override the connected system’s password policy. The password policy will be removed from the connected system.
Type Select the connected system type. Locale
Select the preferred language (default: English). Locale specific information such as Display Name and Description can be added only while modifying the connected system. Name The name for this connected system. Note: The name cannot be modified later. Display Name The display name of the new connected system. Description The description of the connected system. Associated With
Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
- See Using the Global Identity Gateway with Connected Systems for additional information.
Password Reset By Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users: - OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
Provisioning Option Select the provisioning option: - Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow.
Enable HPAM Support Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity. Connection Information Host
The IP address or host name of the server (e.g., 10.102.200.20 or localhost).
Port
The database port number.
Service Account Name The name of the administrative user account used to connect to the server.
Service Account Password The administrative user password.
Connect Using
Select the connection option: SID or Service Name.
SID/Service Name
The SID or Service Name to connect.
Maximum Connection Pool Size
Select the maximum number of connections that can be created in the connection pool by the connector. As needed, the connection pool will grow only to this maximum limit.
Entitlement Search Information Entitlement Query
Specifies assignment of a role to an explicit enumerated list of members. The query can be modified to return other entries if there is a custom object class for group or roles.
Configuration Details Table Name
The name of the table that holds the list of user IDs and their passwords.
User Id Field
The database field used to store the user ID in the table (e.g., user_id).
User Id Field Type
The data type for the User Id Field.
Password Field
The database field name used to store the user password in the table (e.g., user_pswd).
Password Field Type
The data type for the Password Field.
Password Expiration Support
Expiration Options For Admin/OBO User Password Reset
Specify the password expiration: None, Immediate, or Immediate with Date. Note: If Immediate with Date is selected, Immediate is also available.
The Detect button creates a connection to the connected system using current configuration settings. The connector then attempts to deter- mine correct values for the settings, which are auto-detected, and then these settings are updated with detected values.
System Owner Adds or removes users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process.
Add PswdPolicy / Remove PswdPolicy Adds/removes a password policy to/from this connected system. If the connected system is associated with a Connected System Group, the buttons will be unavailable - all password policy assignments are defined at the group level (refer to Admin UI _ Systems _ Groups option).
-
Click the Test Connection button to test the Connection Information:
- If successful, one or both of these messages may display:
Message: Connection from Provisioning to the connected system was established successfully.
Message: Connection from Identity to the connected system was established successfully.- If unsuccessful, one or both of these messages may display:
Error: Failed to establish connection from Provisioning to the connected system.
Error: Failed to establish connection from Identity to the connected system.
Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs. -
(Optional) To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays:
-
Select the owners and then click the Select button. The system owner displays under the System Owner section:
Note: More than one user can be assigned as an owner.
To add additional system owners, click the Add button.
-
- On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system:
Select one or more available object categories or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 7.
Click the Add Association button to associate the selected object categories to the connected system.
Click the Back button to return to the Connected System View page. The new connected system displays in the list.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Creating the Connected System in the Studio
- Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.
- Select the Oracle Database connected system from the Type drop-down list. The default values display:
-
Enter the desired information:
Definition Type Select the connected system type. Name The name for this connected system. Note: The name cannot be modified later. Display Name The display name of the new connected system. Description The description of the connected system. Supported Connectors
Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here.
Associated With
Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
- See Using the Global Identity Gateway with Connected Systems for additional information.
Password Reset By Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users: - OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
Provisioning Option Select the provisioning option: - Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow.
Enable HPAM Support Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity. Connection Information Host
The IP address or host name of the server (e.g., 10.102.200.20 or localhost).
Port
The database port number.
Service Account Name The name of the administrative user account used to connect to the server.
Service Account Password The administrative user password.
Connect Using
Select the connection option: SID or Service Name.
SID/Service Name
The SID or Service Name to connect.
Maximum Connection Pool Size
Select the maximum number of connections that can be created in the connection pool by the connector. As needed, the connection pool will grow only to this maximum limit.
Entitlement Search Information Entitlement Query
Specifies assignment of a role to an explicit enumerated list of members. The query can be modified to return other entries if there is a custom object class for group or roles.
Configuration Details Table Name
The name of the table that holds the list of user IDs and their passwords.
User Id Field
The database field used to store the user ID in the table (e.g., user_id).
User Id Field Type
The data type for the User Id Field.
Password Field
The database field name used to store the user password in the table (e.g., user_pswd).
Password Field Type
The data type for the Password Field.
Password Expiration Support
Expiration Options For Admin/OBO User Password Reset
Specify the password expiration: None, Immediate, or Immediate with Date. Note: If Immediate with Date is selected, Immediate is also available.
The Detect button creates a connection to the connected system using current configuration settings. The connector then attempts to deter- mine correct values for the settings, which are auto-detected, and then these settings are updated with detected values.
-
Click the Connect button to test the Connection Information:
- If successful, this message displays:
Connection from Studio to the connected system was established successfully.
- If unsuccessful, this message displays:
Failed to establish connection from Studio to the connected system.
Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.
-
Click the Apply button to apply changes. The Category Association window displays.
Select one or more object categories from the Available Categories list or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 6.
Click the Add button to associate the selected object categories to the connected system.
Click OK to accept selected categories.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Using the Connected System for Identity
Perform these procedures to configure the connector:
- Connector Details for Identity
- Identity Password Management
Connector Details for Identity
This table lists values to enter when associating the Identity user with an existing user in the connected system:
Field |
System Attribute |
Example Value |
Login ID |
username |
BLANE |
Account ID |
username |
BLANE |
Identity Password Management
See User Management for details on password management.
Using the Connected System for Provisioning
Perform these procedures to configure the connector:
Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.
Configuring for Export
Perform these procedures to configure the connector for data export:
From the Workflow and Connectivity Studio, select the Oracle Database UserExport workflow listed under the projects folder.
If a workflow does not already exist, create an export workflow. See Workflow and Connectivity Studio documentation for details on creating export workflows.
Configuring the Export Connector
- In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays:
-
From the Configure Plug-in tab, set these properties as required:
Associated Connected System
Select the connected system from the list. The export operation will be done from this connected system. Data Formats Select the type of data format to use: Worker (default), WorkerFromTransactionLogs, Reference or Report DeltaExportMode Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected):
- OnlyChangedAttributes - Performs a partial export of only the changed attributes from the last time the query was run.
- ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes from the last time the query was run. Mandatory attributes are exported whether they have been changed or not.
- AllAttributes - Performs a full export of all attributes that contain a value.
This property is not available for WorkerFromTransactionLogs data format.
DynamicConnectedSystem Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicCon- nectedSystemOption when GlobalVariable is selected.
DynamicConnectedSystemOption Select how to control Dynamic System Support:
- None - There will not be any Dynamic System Support.
- Transaction-SystemName - The value of the Transaction- SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction- SystemName; if it is missing in data, the operation will fail.
ExcludeEmptyFields
Select how to process null fields:
- FALSE - Returns null fields with empty values.
- TRUE - Ignores null fields.
ExportMode Select the type of data to export:
- FullExport - Exports all
- DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting. This property is not available for WorkerFromTransactionLogs data format since this data format always uses Full Export mode.
MaximumRows
The maximum number of records to return on the export.
Note: Hover the pointer over a property to view its description.
- Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
-
Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Configuring the Export Link
-
In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays:
Element Description Database
Select the database name:
- Static - Select from the Database Name drop-down list.
- Dynamic - Select from the Global Variable drop-down list.
Select the database source for the selected fields: Tables or Views.
Tables
Lists the schema tables available for export.
Fields
Lists the fields available for export.
Check attributes for delta export.
Selected Fields
Lists the selected schema table fields for export.
Note: The check boxes are used only for delta export operations. These checked attributes will always be exported whether they were changed or not.
The Format button specifies a desired date/time format to be applied to a selected date type field. Only selected date fields will be able to apply a date/ time format to their value.
Advanced Settings
Displays the Configure Attributes window for selecting any attributes that need to be encrypted.
SQL Query
Displays the SQL query run against the database. The Edit button edits the query.
Preferred Key(s)
Select the field(s) in the Selected Fields list:
- Set Key - Sets the primary key.
- Get Key - Gets the Preferred Key(s) of the selected table/view.
- From the Datasource tab, perform these steps.
-
Select a database from the Schema Select whether the source is Tables or Views. Select the table or view from the Tables/Views list. Select the fields from the Fields list to export and add them to the Selected Fields list. Select the field(s) from the Selected Fields list that require a date and/or time format and click the Format button. The Format Date window displays.
- Select the Include Time check box to add the timestamp with the date. Select the 24 Hour or 12 Hour option button and then select the required date/time format. Click OK to save the selected format. The Configure Link window displays.
- Perform one of the steps.
- Select the field(s) in the Selected Fields list and click the Set Key button to set the primary key.
Or - Click the Get Key button to get the Preferred Key(s) of the selected table/view.
- Select the field(s) in the Selected Fields list and click the Set Key button to set the primary key.
-
The SQL Query list displays the SQL query run against the database. You can edit the query here or click the Edit button.
Notes:
- Query modifications can also be done manually after all fields are selected. This field also supports copy/paste from other sources.
- When formatting a SQL query with functions such as rtrim, ltrim, convert, and to_char, you must write the query as in this example before formatting:
Select PSOPRDEFN_DF.EMPLID, PSOPRDEFN_DF.OPRID from PSOPRDEFN_DF
After formatting:
Select rtrim(PSOPRDEFN_DF.EMPLID)
as EMPLID, PSOPRDEFN_DF.OPRID
from PSOPRDEFN_DF- You can set up a dynamic database query when one workflow is initiated by another workflow or trigger. For example, when a data change occurs you can set the query to dynamically substitute the trigger data in the query. This will return only specific records for the substituted value.
- To filter the search data, enter a WHERE or AND clause at the end of the query or in the Where Clause text area with syntax such as COLUMN='##CN##'. Note that single quotation marks ( ' ) must be used outside of the ## syntax for a database.
- Check the boxes in the Selected Fields list to set mandatory attributes.
-
Select a database from the Schema Select whether the source is Tables or Views. Select the table or view from the Tables/Views list. Select the fields from the Fields list to export and add them to the Selected Fields list. Select the field(s) from the Selected Fields list that require a date and/or time format and click the Format button. The Format Date window displays.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Deploy the workflow by selecting Deploy _ New Deployment.
See the Workflow and Connectivity Studio document for details of deployment options.
-
Manage and run the deployed workflow from the Admin UI ► Server tab.
See the Identity Suite Administration Guide for details.
Configuring for Import
There are two types of imports for the connector:
- Tables - Classified by add (insert), modify (update), or delete (delete). These operations are dynamically performed, based on the changetype of the incoming changetypes can be set automatically from the incoming process or dynamically using the Data Mapper. The connector runs the appropriate query against the tables and fields specified in the link configuration.
- Api - Stored procedure imports enable the connector to run stored procedures in the database based on selected
Perform these procedures to configure the connector for data import:
From the Workflow and Connectivity Studio, select the Oracle Database UserAdd, UserModify, or UserDelete workflow listed under the projects folder.
If a workflow does not already exist, create an import workflow. See the Workflow and Connectivity Studio documentation for details on creating import workflows.
Configuring the Import Connector
- In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays:
-
From the Configure Plug-in tab, set these properties as required:
Associated Connected System
Select the connected system from the list. The export operation will be done from this connected system. Data Formats Select the type of data format to use: Worker (default), WorkerFromTransactionLogs, Reference or Report DynamicConnectedSystem Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicCon- nectedSystemOption when GlobalVariable is selected.
DynamicConnectedSystemOption Select how to control Dynamic System Support:
- None - There will not be any Dynamic System Support.
- Transaction-SystemName - The value of the Transaction- SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction- SystemName; if it is missing in data, the operation will fail.
Id *
Enter the attribute that contains the value used to uniquely identify the user account user ID on the connected system. loginId *
Enter the attribute that contains the value used to uniquely identify the user account login ID on the connected system.
ModifyIfEntryExists
Select whether to perform a modify operation if an add operation fails (default: FALSE).
Notes:
* Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_ID and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
Hover the pointer over a property to view its description.
-
(Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Configuring the Import Link
This procedure depends on whether Tables or Api is selected as the data format in Step2, Perform one of these procedures to configure the import link:
Table Data Format
-
In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays:
Element Description Database
Select the database name:
- Static - Select from the Database Name drop-down list.
- Dynamic - Select from the Global Variable drop-down list.
Select the database source for the selected fields: Tables or Views.
Tables
Lists the schema tables available for import.
Fields
Lists the fields available for import.
Check for attribute-level auditing.
If auditing is enabled and these fields below are checked, Provisioning will log all events for auditing purposes.Fields
Lists the fields available for import.
Selected Fields
Lists the selected schema table fields for import.
The Set As Function button specifies system functions in the insert/update value in the import query for the selected attribute (e.g., sysdate, now).
The Format button specifies a desired date/time format to be applied to a selected date type field. Only selected date fields will be able to apply a date/ time format to their value.
SQL Query
Displays the SQL query run against the database. The Edit button edits the query.
Import using template format
Generates the import query using the given format. The actual query is generated by substituting the ##attribute name## with the values given to the import task.
Template - Generates the template for the import query in the SQL Query text area.
Where Clause
Displays the where clause in the SQL Query. Note: This text area is editable only when the Update Manually option button is selected.
Update
Select one of these update option buttons:
- Automatically - The where clause is updated automatically.
- Manually - The where clause can be edited manually in the text area.
Advanced Settings
Displays the Configure Attributes window for selecting any attributes that need to be encrypted.
Preferred Key(s)
Select the field(s) in the Selected Fields list:
- Set Key - Sets the primary key.
- Get Key - Gets the Preferred Key(s) of the selected table/view.
Audit Key
Select the attribute to associate with the Audit Key.
- From the Datasource tab, perform these steps.
- Select a Schema from the drop-down list. Select the table from the Tables Select the fields from the Fields list.
- Perform one of these steps:
- Select the field(s) in the Selected Fields list and click the Set Key button to set the primary key.
Or
- Click the Get Key button to get the Preferred Key(s) of the selected table/view.
- Select the field(s) in the Selected Fields list and click the Set Key button to set the primary key.
- Check the boxes in the Selected Fields list to enable auditing of the attributes.
- Select a Schema from the drop-down list. Select the table from the Tables Select the fields from the Fields list.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Deploy the workflow by selecting Deploy ► New Deployment.
See the Workflow and Connectivity Studio document for details of deployment options.
Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.
API Data Format
- In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). If you selected the Api data format in Step 2, this Configure Link window displays:
A list of APIs supported by this connector displays. Adding, modifying, or deleting APIs is optional. See the appendix Working with Database APIs for detailed information.Element Description Select API variables to be imported.
Database
Select the database name:
- Static - Select from the Database Name drop-down list.
- Dynamic - Select from the Global Variable drop-down list.
Select the database source for the selected fields: Tables or Views.
API
Lists the APIs available for import.
API Variables
Lists the variables available for import.
Check variables for audit.
Format
Sets the format for date variables.
Selected Variables
Lists the selected schema table fields for import. If auditing is enabled and these variables below are checked, Provisioning will log all events for auditing purposes.
Modify APIs
Adds or modifies APIs. Displays the Modify API window.
Advanced Settings
Displays the Configure Attributes window for selecting any attributes that need to be encrypted.
- Perform these steps.
-
Select the API in the API Select API variable(s) in the API Variables field. Add the selected variables to the Selected Variables field.
-
Click the Modify APIs button to add or modify the API. The Modify API window displays:
Element Description API Names
Displays configured APIs. Select the API to modify or delete.
API Variables
Displays the API variables corresponding to the selected API. Select the API variable to modify or delete.
Use API Format
Select the method to build the API at runtime with this check box:
- If not selected (default), each variable will be listed in the API Variable Order list box. The variables will be used in the API Variable Order while generating the API. The Up and Down buttons can be used to change the order.
- If selected, the format can be specified in the API Format text area that becomes visible. Specify the variables inside ## (e.g., ##sp_adduser.loginame##). The API will be generated by substituting the values of the variables in the API format. The Edit button that becomes visible, displays the Api Format dialog.
Use the Get Template button to generate a default format for the variables configured in the API; this has to be modified based on the API requirement.
API Variable Order
Change the variable order with the Up and Down buttons.
Primary Key
Select the value to use to uniquely identify an object (e.g., user or group).
Failure Message Attribute
The output attribute that returns the failure reason. This is an optional setting and if specified, the return value is used to set the status description on API execution failure.
Role Attribute
Sets the Role attribute.
- Click OK after modifying the API to save changes, exit, and return to the Configure Link window.
See the appendix Working with Database APIs for additional information about adding, modifying, and deleting APIs.
Select the API name in the API field. Select the API variable in the API Variables field. Add the selected API variables to the Selected Variables field
.
-
Select the API in the API Select API variable(s) in the API Variables field. Add the selected variables to the Selected Variables field.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Deploy the workflow by selecting Deploy ► New Deployment.
See the Workflow and Connectivity Studio document for details of deployment options.Manage and run the deployed workflow from theAdmin UI _ Server tab.
See the Identity Suite Administration Guide for details.
Connector Details for Provisioning
Configuration import properties Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_ID and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
This table shows the default attributes specified for these properties for the connected system:
Import Property |
System Attribute |
Id |
CREATEUSER.USER_NAME |
loginId |
CREATEUSER.USER_NAME |
Connector Attributes
The items in the MV (multi-valued), Export, Create, Modify, and Delete columns have these meanings:
- Y = Yes (attribute is supported for this operation)
- N = No (attribute is not supported for this operation)
- R = Required (attribute is mandatory for this operation)
- NA = Not applicable
Name |
MV |
Export |
Create |
Modify |
Delete |
Description |
Accountstate_LockorUnlock |
NA |
Y |
Y |
Y |
N |
Account status. |
Default_Tablespace |
NA |
Y |
Y |
Y |
N |
Default Tablespace. |
Id |
NA |
NA |
CREAT EUSER .USER _NAME |
ALTER USER. USER_ NAME |
DROP USER. USER_ NAME |
Value used to uniquely identify the user account on the connected system. |
loginId |
NA |
NA |
CREAT EUSER .USER _NAME |
ALTER USER. USER_ NAME |
DROP USER. USER_ NAME |
Value used to uniquely identify the user account on the connected system. |
Profile_Name |
NA |
Y |
Y |
Y |
N |
Profile name for the user. |
Role_Name |
NA |
N |
Y |
Y |
N |
Role assigned to user. |
Temporary_Tablespace |
NA |
Y |
Y |
Y |
N |
Temporary Tablespace. |
User_Name |
NA |
Y |
R |
R |
R |
Name of database user and key attribute for all operations. |
User_Password |
NA |
N |
R |
Y |
N |
Password for the user. |
Note: These APIs/Tables are used for Provisioning operations:
|
Configuring Triggers
Perform these procedures to create a trigger:
- Prerequisites
- Trigger Setup Details
- Creating a Trigger
- Configuring a Trigger Agent
- Configuring a Trigger Link
Prerequisites
Ensure that these prerequisites are satisfied:
- Create an Oracle Database provisioning connector before creating an Oracle Database trigger (see the section Creating the Connected System in the Studio).
- Create and deploy workflows to be run by the Oracle Database trigger. See the ‘Creating Workflows’ and ‘Deploying Workflows’ sections in the Workflow Development chapter in the Workflow and Connectivity Studio document for details.
- Grant DBA role to the schema owner for loading the Java The DBA role can be removed after completing Step 7 below.
Trigger Setup Details
-
Grant these Role Privileges to a database user that will be used to deploy the trigger or the associated Oracle connected system user configured for this trigger. Run these commands after connecting as a DBA:
GRANT JAVADEBUGPRIV TO <database user>;
GRANT JAVAIDPRIV TO <database user>;
GRANT JAVASYSPRIV TO <database user>;
GRANT JAVAUSERPRIV TO <database user>;
GRANT JAVA_ADMIN TO <database user>;
GRANT JAVA_DEPLOY TO <database user>;
Where <database user> is your database user ID.
- Grant these Java permissions to the schema owner to which the trigger will be deployed. Run these commands after connecting as a DBA:
call dbms_java.grant_permission('<schema>', 'SYS:java.lang.RuntimePermission', 'getClassLoader','');
call dbms_java.grant_permission('<schema>', 'SYS:java.net.SocketPermission', '*', 'connect,resolve');
call dbms_java.grant_permission('<schema>', 'SYS:java.util.PropertyPermission', '*', 'read,write');
call dbms_java.grant_permission('<schema>', 'SYS:java.security.SecurityPermission', 'insertProvider.SunJSSE', '');Where <schema> is your schema owner name.
- Grant these System Privileges to the database user that will be used to deploy the trigger or the associated Oracle connected system user configured for this trigger. Run these commands after connecting as a DBA:
GRANT ALTER ANY PROCEDURE TO <database user>;
GRANT ALTER ANY TRIGGER TO <database user>;
GRANT CREATE ANY TRIGGER TO <database user>;
GRANT CREATE ANY PROCEDURE TO <database user>;
GRANT CREATE PUBLIC SYNONYM TO <database user>;
GRANT CREATE SESSION TO <database user>;
GRANT DROP ANY PROCEDURE TO <database user>;
GRANT DROP ANY TRIGGER TO <database user>;
GRANT DROP PUBLIC SYNONYM TO <database user>;
Where <database user> is your database user ID.
If the database user <database user> is different from the schema owner <schema>, these system privileges must also be granted to the schema owner <schema>:
GRANT ALTER ANY PROCEDURE TO <schema>;
GRANT ALTER ANY TRIGGER TO <schema>;
GRANT CREATE ANY TRIGGER TO <schema>;
GRANT CREATE ANY PROCEDURE TO <schema>;
GRANT CREATE PUBLIC SYNONYM TO <schema>;
GRANT DROP ANY PROCEDURE TO <schema>;
GRANT DROP ANY TRIGGER TO <schema>;
GRANT DROP PUBLIC SYNONYM TO <schema>;
GRANT CREATE SESSION TO <schema>; - Copy the Oracle trigger deployment zip file (zip):
From: IdM Suite Software folder\Provisioning\Resource\Triggers\Oracle
To: A temporary location on the Oracle Server (e.g., C:\temp)
- Unzip the trigger deployment file to the root directory (e.g., C:\). The unzip process creates a folder called OracleTrigger directory created by the unzip process.
and these files:
trigger.properties (the trigger configuration file)
\oracletriggercallback.jar (the jar file containing all trigger Java classes)
\data\ (the folder used to store trigger request data)
\log\ (the folder used to store log files)
-
Edit and save changes to the trigger properties file located in the OracleTrigger directory created by the unzip process:
TriggerWebServiceHost = 192.101.1.1 (the address of your Provisioning Server).
TriggerWebServicePort = 8080 (the port of your Provisioning Server).
LogLevel = Info (Debug/Info/Error).
LogFilePath = C:\OracleTrigger\log\Trigger.log (the location and name for your log file). EnableDataLogging = True (True or False).
DataFilePath = C:\OracleTrigger\data\Trigger.dat (the location and name for your data file).
Note: Modify LogFilePath and DataFilePath to an existing folder name.
- Load the oracletriggercallback.jar file to the schema owner to which the trigger will be deployed by running a loadjava command. The schema owner must have the DBA Role privilege to run this command, but it can be revoked after the oracletriggercallback.jar has been successfully loaded.
To grant DBA privilege to the schema owner, run this command:
GRANT DBA TO <schema>;
Where <schema> is your schema owner name.
To load the oracletriggercallback.jar file, run this command:
loadjava -r -v -s -g PUBLIC -u <schema>/<password>@<SID> oracletriggercallback.jarWhere:
<schema> is the name of your schema owner where the trigger will be deployed.
<password> is the password of your schema owner.
<SID> is your Oracle System Identifier/Instance Name (e.g., orcl) and must be included in your tnsnames.ora configuration file. - Ensure that all Java classes loaded are valid in the database.
-
To revoke DBA privilege to the schema owner after successfully running the loadjava command, run this command:
REVOKE DBA FROM <schema>;
Where <schema> is your schema owner name.
- (Optional) If you decide to use HTTPS for SOAP communication, configure TriggerWebServicePort, EnableSSL, TruststorePath, and TruststorePassword in the properties file. For example:
TriggerWebServicePort = 8443 [Provisioning SSL port]
EnableSSL = True
TruststorePath = D:\oracle\product\10.2.0\db_1\javavm\lib\security\cacerts
TruststorePassword = changeit
Creating a Trigger
Note: Ensure that you have completed all Prerequisites and Trigger Setup Details, before proceeding.
- From the Workflow and Connectivity Studio menu bar, click File ► New Trigger ► Oracle Database Trigger. The Create a New Trigger window displays.
- Enter a trigger name in the Name field.
- Click the Browse button to select a directory other than the default displayed in the Directory field. The directory should be a child of the default location in order to have the trigger listed under the projects folder of the Workflow and Connectivity Studio.
- Select one of the available systems in the System field.
Note: Only connected systems of the trigger type selected in Step 2. will be available. If there are no connected systems to select, then an Oracle Database provisioning connected system does not exist. This connected system must exist before creating a trigger.
- Enter descriptive text in the Description field and then click OK. A new trigger system object and link display in the Design pane.
Note: The trigger must be fully configured before it can be saved and deployed. Continue with the sections below to complete configuring the trigger.Configuring a Trigger Agent
-
In the Design pane, double-click the trigger system. The Configure Data Source window displays.
Note: To modify an existing trigger, on the menu bar click View ► Triggers, and then select one of the Oracle Database triggers listed under the projects folder.
-
Select one of the available systems in the Associated Connected System drop-down list for the trigger:
- (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Note: A trigger cannot be saved until a trigger link has been configured.
Configuring a Trigger Link
-
Double-click the link between the Start object and the Trigger system object. The Configure Link window displays.
Note: To modify an existing trigger, on the menu bar click View ► Triggers, and then select one of the Oracle Database triggers listed under the projects folder.Element
Description
Schemas
Sets the schema table where the trigger watches for selected database operations to occur.
Operations
Select which database operations cause the trigger to execute:
- Insert - Insertions of new records into the selected schema table.
- Update - Changes to existing records in the selected schema table.
- Delete - Deletions of existing records in the selected schema table.
Tables
Lists the schema tables available for trigger support.
Fields
Lists the fields available for trigger support.
Unique Key
Displays the attribute(s) that make the entry in the selected schema table unique.
Get Key
Retrieves a unique key from the selected schema table.
Set Key
Sets which attribute from the Selected Fields will make the entry unique.
Clear Key
Removes the current unique key attribute selection. No unique key attribute is defined after selecting this option.
Selected Fields
Lists the selected schema table fields for trigger support.
The Format button specifies a desired date/time format to be applied to a selected date type field. Only selected date fields will be able to apply a date/ time format to their value.
Check Mandatory Attributes - Check boxes in this field set mandatory attributes. These checked attributes will always be exported whether they were changed or not.
Advanced Settings
Displays the Configure Attributes window for selecting any attributes that need to be encrypted.
Callback Folder
Enter the physical directory where you copied the Provisioning agent files (e.g., C:\Dataforum).
Effective Date
Select these effective date options:
- Set - Sets an attribute from the selected attributes to apply an effective date offset to control when the triggered data is run. A condition can be provided that determines when or if an effective date offset should be applied. Set a condition and effective date offset from the Effective Date tab.
- Clear - Removes the selected attribute from being defined for effective date processing.
- Format - Specifies a desired date/time format to be applied to the selected effective date field. Any field type can be selected to apply a date/time format to the effective date value.
- From the Trigger Properties tab, perform these steps:
- Select a schema from the Schemas field.
- Select a table where the trigger is to be implemented from the Tables list.
- Select required fields from the Fields list and add them to the Selected Fields list. For the trigger to work properly you must have at least one field selected.
- Select the preferred key in the Unique Key field by clicking the Set Key button.
- Check the boxes in the Selected Fields list if the current data and the previous data before the change (called Original_field) are to be sent during the trigger.
Under Operations, select the operations (Insert, Update, or Delete) where the trigger is to be generated.
Enter the Callback Folder where the trigger configuration file (trigger.properties) resides.
Select an attribute from the Selected Fields and click Set in the Effective Date section to apply an effective date, if desired.
- Click the Format button to specify a particular date and time format for the selected Effective Date.
- Click the Effective Date tab to configure an effective date condition and/or offset value. If effective date processing is not required, proceed to Step 14.
- Click the Add buttonThe Set Trigger Data Condition window displays.
- Set an Effective Date Offset value and specify a condition when it will be used:
- For triggers - All conditions specified here will be evaluated for each incoming data The offset corresponding to the first condition that is satisfied will be applied to the date contained in the effective date attribute. An offset can be mapped to a condition that is specified as default. If none of the conditions in the list are satisfied, the offset corresponding to the default condition will be applied to the effective date.
- For Chained workflows - From the Chained workflow Configure Data Source window, specify the attribute that should have an effective date condition and offset value From the preceding Data Mapper, provide conditions and offset values to calculate the target effective date value and save this value to the effective date attribute as the target attribute.
- Click OK when finished.
- Set an Effective Date Offset value and specify a condition when it will be used:
- From the Target Workflow Selection tab, select the deployed workflow(s) to run when the trigger occurs, and then click the Add > button.
To remove a selected workflow from being run, highlight it under Selected Workflows and click the < Remove button.Notes:
- If more than one workflow is selected, the first listed workflow is run first, the second workflow next.
- If workflows are deployed in Asynchronous mode, all workflows are run together.
- If serialized execution of workflows is required, consider chaining them.
- Highlight a workflow from the Selected Workflows list and click the Set Condition button to set a condition before running Target workflows. The Set Lookup Condition window displays.
- Set a check condition before running workflows. Build a complex condition with logical AND/OR.
- Click OK to return to the Configure Link window.
- Set a check condition before running workflows. Build a complex condition with logical AND/OR.
- From the Lookup Workflow Selection tab, select the deployed workflow(s) to run when the trigger occurs, and then click the Add > button.
To remove a selected workflow from being run, highlight it under Selected Workflows and click the < Remove button.
Notes:- Lookup may be required to get additional attributes to run Target workflows. Lookup workflows run prior to Target workflows.
- If more than one workflow is selected, they are run in the order listed.
- Lookup workflows must be deployed in Synchronous mode; otherwise, lookup data may not be available before running Target workflows.
- Highlight a workflow from the Selected Workflows list and click the Set Primary button to set the primary workflow to be run.
- Highlight a workflow from the Selected Workflows list and click the Set Condition button to set a condition before running Lookup workflows. The Set Lookup Condition window displays. Set a check condition before running workflows. Build a complex condition with logical AND/OR. Click OK to return to the Configure Link window.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Save the trigger.
- Deploy the trigger by clicking the (deploy) toolbar button. The Deploy Trigger window displays.
- Click the Deploy New The Deploy Trigger window displays:
- Select the Deploy Option:
- Execute (default) - Creates the trigger by the standard method.
-
Generate Script - Creates database scripts necessary to create the trigger under the <installation folder>\share\workfiles\trigger-dbscripts\<trigger>. The CreateProcedure.sql and CreateTrigger.sql scripts can be used to create the procedure and trigger before enabling the trigger.
- Click OK to deploy the trigger.
- Select the Deploy Option:
- Enable the trigger from the Server tab of the Admin UI.
See the Identity Suite Administration Guide for details on enabling triggers.