
Lab 8: On-boarding Acquisition Users’ application accounts via Reconciliation with basic Post Processing

Contents

Lab 8: On-boarding Acquisition Users’ application accounts via Reconciliation with basic Post Processing ..... 1
1. Introduction ..... 1
2. Contents ..... 4
2.1. Verify extended OIM User Schema ..... 4
2.2. Configure Authoritative Reconciliation for DSEE Purpose ..... 5
2.3. Execute Authoritative Reconciliation from flat file (FlatFileApp) ..... 20
2.4. Execute Authoritative Attribute Reconciliation from DSEE ..... 26
2.5. Execute Account Reconciliation from DSEE ..... 32
2.6. Practice Reconciliation Event Re-evaluation and closure ..... 34
2.7. Practice Reconciliation Event Ad-Hoc Linking and closure ..... 48

1. Introduction
ACME CAPITAL is all set to extend the provisioning solution to accommodate extra applications coming on board from the MEDICLAIM acquisition. FlatFileApp is the HRMS solution used by MEDICLAIM; the IT function of this acquired enterprise has not merged yet. ACME plans to use FlatFileApp as one of the authoritative sources of identities: it is where a new enterprise user record will be added first and where HR attributes will be maintained moving forward. This repository contains the records for internal as well as external users. Any new user joining the enterprise will have her user record created in FlatFileApp and synchronized to OIM. The Account ID and Password of the new user in OIM will be generated based on the User ID Generation Algorithm and the Password Policy defined in OIM. The new user will also be notified of his/her initial user ID and password via email. Her required accounts and entitlements will then be provisioned to IT applications using the OIM workflow and provisioning modules.

OIM 11g Workshop - Lab 7

The user population of the acquisition also has to be initially loaded into the provisioning engine, OIM. Similar LCM of accounts is also required for users who existed in the organization before OIM came into the picture. Hence, the primary step will be to initially load the OIM repository with user records and their linked accounts and entitlements for each of these already existing users.

Also, the Permanent Contact Number information for ACME OIM users needs to be maintained. The ACME DSEE application is the source of this information; its homePhone attribute is maintained with the required value.

Also, as OIM has to be used to provision to ACME DSEE application instances () and LCM of the DSEE accounts of existing MEDICLAIM users would also be done from OIM moving forward, account reconciliation would initially be needed from DSEE to OIM.

This is exactly how the OIM modules will be used to collect identity data from the relevant IT applications:

FlatFileApp – This application has an option of generating a flat-file feed of employee records. A GTC-based flat-file reconciliation connector has been created. It will be used for Authoritative Reconciliation to reconcile internal as well as external users. After the initial load, from day 2 onwards, this application will be used as the authoritative source of identity updates in ACME, which will be reconciled into OIM. These users will be reconciled with their role memberships to drive their basic account provisioning based on RBAC configurations (lab <provide later>). Roles will also be reconciled beforehand.

Oracle Directory Services Ent Edn (DSEE) – The identity attribute homePhone is maintained only in DSEE, so authoritative reconciliation will also be configured from this application, but the OIM user update will be respected only for the attribute Permanent Contact Number. The Account Reconciliation module of the OIM DSEE connector will be used to reconcile DSEE user accounts (with role membership). Moving forward, OIM will be used to provision accounts and role memberships to this application.

2. Contents

2.1. Verify extended OIM User Schema

Purpose
This step is for verifying the presence of OIM custom user attribute Permanent Contact Number.

Steps
Ensure that the attribute Permanent Contact Number is visible in the User Configuration.
2.2. Configure Authoritative Reconciliation for DSEE Purpose

Purpose
This step includes the configuration required to extend the DSEE connector for Authoritative Reconciliation of the DSEE user account attribute homePhone, to update the OIM User attribute Permanent Contact Number. In this section, you will:

- Create Resource Object for reconciliation
- Create Process Definition
- Create Reconciliation Matching Rule
- Update Reconciliation Attribute Map

Steps
Create Resource Object for reconciliation

2.2.1. Create Resource Object for Authoritative Reconciliation with Reconciliation Fields and Action Rules

Name            DSEE Auth Recon
Type            Application
Trusted Source  checked

Click Save Icon after entering the values shown in the screenshot.
Create two Reconciliation Fields

2.2.2. In Resource Object screen, select Object Reconciliation tab and then, Reconciliation Fields. Add the following attributes:

Name                      Type    Required checkbox
User ID                   String  checked
Permanent Contact Number  String  -
2.2.3. Create two Reconciliation Action Rules

One Entity Match Found --> Establish Link
One Process Match Found --> Establish Link

Create Process Definition

2.2.4. Create Process Definition and Reconciliation Field Mappings

Name             DSEE Auth Recon
Type             Provisioning
Object Name      DSEE Auth Recon
Default Process  checked

Click Save Icon before proceeding.
2.2.5. Create Reconciliation Field Mappings

Field Name                User Attribute            Key Field for Reconciliation Matching checkbox
User ID                   User Login                checked
Permanent Contact Number  Permanent Contact Number  -

Create Reconciliation Matching Rule

2.2.6. Under folder Development Tools -> Reconciliation Rules -> Button Add

Name         DSEE Auth Recon
Object       DSEE Auth Recon
Description  DSEE Auth Recon

Click Save Icon

2.2.7. Add a Rule Element: User Login equals User ID (not case-sensitive)

2.2.8. First save the rule without checking the Active checkbox. Once you save, the Valid checkbox will get checked automatically. Finally, check the Active checkbox and save the rule definition.

Update Reconciliation Attribute Map

2.2.9. To the relevant Attribute Map, AttrName.Recon.Map.iPlanet, add the entry <Code Key: Permanent Contact Number, Decode: homePhone>.

2.2.10. Folder Administration -> Form Lookup Definition -> entry AttrName.Recon.Map.iPlanet -> Button Add -> Code Key: Permanent Contact Number, Decode: homePhone, and click the Save icon.

2.2.11. Create Reconciliation profile

Wait for confirmation dialog box:



2.3. Execute Authoritative Reconciliation from flat file (FlatFileApp)

Purpose
This step shows how to execute authoritative reconciliation from FlatFileApp.

Steps

2.3.1. Identify the contents of the input file.

The file has 4 records for users who need to be reconciled into OIM. Notice that none of the 4 users has an email specified, so these users will be created with a blank email address. We have specified a manager for all 4 users here, so the email notification with the system-generated password should go to the manager. Recall from the previous lab that you specified your personal email address as the email for this manager. Because of this configuration, you will get an email notification with the system-generated password for all these 4 users. Also notice that we have specified a userID for the first 3 users and kept the user ID blank for the 4th user (Tim Geithner). This is to demonstrate automatic generation of the User Login, as per our policy, when one is not specified.

Note – The screenshot above shows the path /odrive/dummydata/files/parent, which is wrong. The file is now present in /odrive/dummydata/Lab 8/parent

[Optional] As a variation, you can modify one record in the file and specify a valid email for one of the users. In that case the email is sent to both the user and the manager with the system-generated temporary password.

2.3.2. Find Scheduled Job.

Search for ‘FLATFILEAPP_AUTHRECON_GTC’


2.3.3. Run Scheduled Job.

Feel free to manually Refresh (button) to update the status of the execution.

2.3.4. Go to the Administration Console and search for users. All the users that are present in the file and highlighted in step 2.3.1 above should now also be created in OIM as a result of the successful execution of the FlatFileApp authoritative recon. These users are created in the org Contractor and have Emp-Type Contractor, so based on the role membership rule and other configuration in the previous lab, they should have the role "ACME Partner Contractor" assigned and should be provisioned to "DSEE Server ACME".
2.3.5. The user Tim Geithner was reconciled with a blank User ID. Click on this user in the screen above to check whether a User ID has been generated for this user. The User ID should be TIM.GEITHNER@ORACLE.COM

2.3.6. Also check your mailbox (the manager's email address) for the email notifications containing the temporary passwords for the users. You should have 4 emails with temporary passwords, one for each of the 4 users.



2.3.7. Log in with the User ID and password of one of the users from the email to verify that you can log in. Upon login you will be forced to change the password and answer security questions.

2.4. Execute Authoritative Attribute Reconciliation from DSEE

Purpose
This step shows how to execute authoritative reconciliation from DSEE to update the value of the attribute Permanent Contact Number for OIM Users.

Steps
2.4.1. Identify Users that will be updated.

ldapsearch -v -h orclfmw.example.com -p 1389 -D 'cn=Directory Manager' -w abcd1234 -b "dc=mydomain,dc=com" '(homePhone=*)'

Check the OIM user record for one of these users.
2.4.2. Find and run Scheduled Job.

Search for scheduled job iPlanet User Trusted Recon Task and run it using Run Now option.

Note: If the job is Disabled, please click "Enable" before clicking "Run Now"

Checkpoint
Pull up all the users identified in step 2.4.1 and they should have their Permanent Contact Number correctly updated.
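Added illustration, not code from the workshop or from the OIM DSEE connector: a Python model of the trusted attribute reconciliation configured in section 2.2 and run in section 2.4. It parses constructed LDIF shaped like the output of the ldapsearch in step 2.4.1, applies the AttrName.Recon.Map.iPlanet lookup (the Permanent Contact Number to homePhone entry from step 2.2.10 plus an assumed User ID to uid entry), evaluates the rule element "User Login equals User ID (not case-sensitive)" and applies the action rule One Entity Match Found --> Establish Link. The sample entries, the OIM users and the event status strings are constructed; the statuses only loosely follow OIM's own event states.

```python
"""Model of the DSEE Auth Recon trusted attribute reconciliation (sections 2.2 and 2.4).
Added illustration, not OIM or connector code; data and status names are constructed."""

# Constructed sample shaped like the output of the ldapsearch in step 2.4.1.
SAMPLE_LDIF = """\
dn: uid=anderson123,ou=People,dc=mydomain,dc=com
uid: anderson123
homePhone: +1 555 0100

dn: uid=Brown456,ou=People,dc=mydomain,dc=com
uid: Brown456
homePhone: +1 555 0101

dn: uid=ghost789,ou=People,dc=mydomain,dc=com
uid: ghost789
homePhone: +1 555 0102
"""

# Lookup AttrName.Recon.Map.iPlanet: Code Key (recon field) -> Decode (DSEE attribute).
# Permanent Contact Number -> homePhone is the entry added in step 2.2.10;
# User ID -> uid is an assumption needed for the matching rule to have input.
RECON_ATTR_MAP = {
    "User ID": "uid",
    "Permanent Contact Number": "homePhone",
}


def sample_oim_users():
    """Constructed OIM users keyed by User Login (ghost789 has no OIM user)."""
    return {
        "ANDERSON123": {"Permanent Contact Number": ""},
        "BROWN456": {"Permanent Contact Number": "+1 555 9999"},
    }


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one attr: value per line.
    Base64 (::) values and folded continuation lines are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def build_event(entry):
    """Turn one DSEE entry into a reconciliation event for the DSEE Auth Recon object."""
    data = {field: entry.get(attr, [None])[0] for field, attr in RECON_ATTR_MAP.items()}
    return {"data": data, "status": "Data Received", "linked_to": None}


def matching_rule(event, users):
    """Rule element of DSEE Auth Recon: User Login equals User ID, not case-sensitive."""
    user_id = event["data"]["User ID"] or ""
    return [login for login in users if login.lower() == user_id.lower()]


def run_trusted_recon(ldif_text, users):
    """Process every entry, update `users` in place and return the events."""
    events = []
    for entry in parse_ldif(ldif_text):
        event = build_event(entry)
        events.append(event)
        if event["data"]["User ID"] is None:
            event["status"] = "Data Validation Failed"  # User ID is a required recon field
            continue
        matches = matching_rule(event, users)
        if len(matches) == 1:
            # One Entity Match Found --> Establish Link. Only Permanent Contact Number
            # is written, because the lab restricts the trusted update to that attribute.
            login = matches[0]
            users[login]["Permanent Contact Number"] = event["data"]["Permanent Contact Number"]
            event["linked_to"] = login
            event["status"] = "Update Succeeded"
        elif matches:
            event["status"] = "Multiple Users Match Found"  # no action rule configured
        else:
            event["status"] = "No User Match Found"          # no action rule configured
    return events


if __name__ == "__main__":
    users = sample_oim_users()
    for ev in run_trusted_recon(SAMPLE_LDIF, users):
        print(ev["data"]["User ID"], "->", ev["status"], ev["linked_to"])
    print(users)
```

The second entry, Brown456, links to BROWN456 because the rule element is not case-sensitive. The third entry, ghost789, has no OIM user; since DSEE Auth Recon defines no action rule for a no-match event, it is left for manual handling instead of creating a user, which keeps an attribute-only trusted source from minting identities.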


2.5. Execute Account Reconciliation from DSEE

Purpose
This step shows how to execute account reconciliation from DSEE to assign DSEE accounts to the owner OIM users, which can
then be managed from OIM moving forward.

Steps
2.5.1. Find and run Scheduled Job.

Search for scheduled job iPlanet User Target Recon Task and run it using Run Now option.

Checkpoint

Pull up one of the relevant users, like Anderson123 and check its Resource Profile. Reconciled account should show up here with
the correct data.

2.6. Practice Reconciliation Event Re-evaluation and closure

Purpose
This step shows how to use the "re-evaluate" and "close" operations provided on a Reconciliation Event.

Steps
2.6.1. Create a new user MLAMBERT123 in DSEE.

[oracle@idm11g ~]$ ldapmodify -v -a -h orclfmw.example.com -p 1389 -D 'cn=Directory Manager' -w abcd1234 -f /odrive/dummydata/ldif/mlambert.ldif

2.6.2. Run Account recon first; an orphan reconciliation event will get created.

2.6.3. Navigate to the <recon event UI>. Search for reconciliation events by providing the value iPlanet User. Sort the simple search results on the basis of Event ID and select the event with the highest value.

2.6.4. Create an OIM user MLAMBERT123 manually

2.6.5. Run Authoritative recon to get the OIM user MLAMBERT123 updated for the newly added DSEE user MLAMBERT123.


2.6.6. Go back to the orphan reconciliation event and re-evaluate it. Close the event finally.

2.6.7. Enter an appropriate Justification, like "Event re-evaluated successfully".
Checkpoint

Pull up the OIM User record of MLAMBERT123 and check his resource profile to ensure that the DSEE account was finally assigned
to him during reconciliation event re-evaluation.

2.7. Practice Reconciliation Event Ad-Hoc Linking and closure

Purpose
This step shows how to use the "ad-hoc link" and "close" operations provided on a Reconciliation Event.

Steps
2.7.1. Create a new user DKING123 in OIM.

2.7.2. Create a new user PMILLER123 in DSEE.

[oracle@idm11g ~]$ ldapmodify -v -a -h orclfmw.example.com -p 1389 -D 'cn=Directory Manager' -w abcd1234 -f /odrive/dummydata/ldif/pmiller.ldif

2.7.3. Run Account recon; an orphan reconciliation event will get created for PMILLER123.

2.7.4. Navigate to the <recon event UI>. Search for reconciliation events by providing the value iPlanet User. Sort the simple search results on the basis of Event ID and select the event with the highest value.

2.7.5. Ad-hoc link the orphan reconciliation event for PMILLER123 to OIM user DKING123. Close the event finally

Checkpoint

Pull up the OIM User record of DKING123 and check his resource profile to ensure that the DSEE account for PMILLER123 was finally assigned to him during reconciliation event ad-hoc linking.
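Added illustration, not OIM code: a Python model of the reconciliation event lifecycle practised in sections 2.6 and 2.7, covering an orphan event for a DSEE account that has no matching OIM user, re-evaluation after the user is created, ad-hoc linking to a different user, and closure with a justification. The OIM class, the account data and the status strings are constructed assumptions that simplify OIM's own event states; step 2.6.5 (the authoritative recon run) is left out because it does not affect the linking.

```python
"""Model of account (target) reconciliation events: orphan, re-evaluate, ad-hoc link, close.
Added illustration for sections 2.6 and 2.7, not OIM code; classes and statuses are constructed."""

STATUS_ORPHAN = "No User Match Found"
STATUS_LINKED = "Linked"
STATUS_CLOSED = "Event Closed"


class ReconEvent:
    def __init__(self, event_id, account):
        self.event_id = event_id
        self.account = account        # DSEE attributes of the reconciled account
        self.status = STATUS_ORPHAN
        self.linked_to = None         # OIM User Login once the event is linked
        self.justification = None


class OIM:
    def __init__(self):
        self.users = {}      # User Login -> resource profile (list of linked DSEE uids)
        self.events = []
        self._next_id = 1

    def create_user(self, login):
        self.users[login.upper()] = []

    def _match(self, account):
        """Matching rule: User Login equals uid, not case-sensitive."""
        return [u for u in self.users if u.lower() == account["uid"].lower()]

    def _link(self, event, login):
        """One Entity Match Found --> Establish Link; idempotent per account."""
        if event.account["uid"] not in self.users[login]:
            self.users[login].append(event.account["uid"])
        event.linked_to = login
        event.status = STATUS_LINKED

    def run_account_recon(self, dsee_accounts):
        """Target recon: one event per DSEE account; unmatched accounts stay orphans."""
        new_events = []
        for account in dsee_accounts:
            event = ReconEvent(self._next_id, account)
            self._next_id += 1
            self.events.append(event)
            new_events.append(event)
            matches = self._match(account)
            if len(matches) == 1:
                self._link(event, matches[0])
            elif matches:
                event.status = "Multiple Users Match Found"
        return new_events

    def latest_event(self):
        """Steps 2.6.3 and 2.7.4: sort by Event ID and take the highest value."""
        return max(self.events, key=lambda e: e.event_id)

    def _require_open(self, event):
        if event.status == STATUS_CLOSED:
            raise ValueError(f"event {event.event_id} is already closed")

    def re_evaluate(self, event):
        """Re-run the matching rule against the current users; True if now linked."""
        self._require_open(event)
        matches = self._match(event.account)
        if len(matches) == 1:
            self._link(event, matches[0])
            return True
        return False

    def ad_hoc_link(self, event, login):
        """Operator links the orphan to a user the rule would not have matched."""
        self._require_open(event)
        if login not in self.users:
            raise KeyError(login)
        self._link(event, login)

    def close(self, event, justification):
        self._require_open(event)
        if not justification.strip():
            raise ValueError("a justification is required to close an event")
        event.justification = justification
        event.status = STATUS_CLOSED


def walkthrough():
    """Replays sections 2.6 and 2.7 with constructed data and returns the OIM instance."""
    oim = OIM()
    oim.create_user("ANDERSON123")
    dsee = [{"uid": "anderson123"}, {"uid": "mlambert123"}]  # 2.6.1 added MLAMBERT123 to DSEE
    oim.run_account_recon(dsee)                              # 2.6.2: orphan event for mlambert123
    orphan = oim.latest_event()                              # 2.6.3
    oim.create_user("MLAMBERT123")                           # 2.6.4
    oim.re_evaluate(orphan)                                  # 2.6.6: now links
    oim.close(orphan, "Event re-evaluated successfully")     # 2.6.7
    oim.create_user("DKING123")                              # 2.7.1
    dsee.append({"uid": "pmiller123"})                       # 2.7.2 added PMILLER123 to DSEE
    oim.run_account_recon(dsee)                              # 2.7.3: orphan event for pmiller123
    orphan = oim.latest_event()                              # 2.7.4
    oim.ad_hoc_link(orphan, "DKING123")                      # 2.7.5
    oim.close(orphan, "Linked ad hoc to DKING123")
    return oim


if __name__ == "__main__":
    oim = walkthrough()
    for login, profile in oim.users.items():
        print(login, profile)
    for ev in oim.events:
        print(ev.event_id, ev.account["uid"], ev.status, ev.linked_to)
```

Closing an event requires a non-empty justification, and a closed event can no longer be re-evaluated or linked, which mirrors the lab's sequence of re-evaluate or ad-hoc link first, then close with a justification.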



3. Conclusion
In this lab, you accomplished the following:

- Configuring and running trusted recon from flat file to create users
- Configuring and running trusted recon from DSEE for particular attributes
- Account Reconciliation
- Post processing done after reconciliation
- Re-evaluating recon events and ad-hoc linking
