Lab 3 - Recon

  • 8/13/2019 Lab 3 - Recon

    1/61

    Lab 3: On-boarding, Reconciliation from applications (FlatFileApp, DSEE) used by the acquisition (MEDICLAIM)

    Last Updated: July 16, 2010

    1. Introduction

    ACME CAPITAL is all set to extend the provisioning solution to accommodate the extra applications coming on board from the MEDICLAIM acquisition. FlatFileApp is the HRMS solution used by MEDICLAIM. The IT functions of this acquired enterprise have not been merged yet. ACME plans to use it as one of the authoritative sources of identities: it is where a new enterprise user record will be added first and where HR attributes will be maintained moving forward. This repository contains the records for internal as well as external users. Any new user joining the enterprise will have her user record created in FlatFileApp and synchronized to OIM. Her required accounts and entitlements will then be provisioned to IT applications using the OIM workflow and provisioning modules.

    The user population of the acquisition also has to be initially loaded into the provisioning engine, OIM. Similar LCM of accounts is also required for users who existed in the organization before OIM came into the picture. Hence, the primary step will be to initially load the OIM repository with user records and their linked accounts and entitlements for each of these already existing users.

    The Permanent Contact Number information for ACME OIM users also needs to be maintained. The ACME DSEE application is the source of this information, where the homePhone attribute is maintained with the required value.

    Also, as OIM has to be used to provision to ACME DSEE application instances () and LCM of the DSEE accounts of existing MEDICLAIM users will also be done from OIM moving forward, account reconciliation is needed initially from DSEE to OIM.

    This is exactly how the OIM modules will be used to collect identity data from the relevant IT applications:

    o FlatFileApp: This application has an option of generating a flat file feed of employee records. A GTC-based flat file reconciliation connector has been created. It will be used for Authoritative Reconciliation to reconcile internal as well as external users. After the initial load, from day 2 onwards, this application will be used as the authoritative source of identity updates in ACME, which will be reconciled into OIM. These users will be reconciled with their role memberships to drive their basic account provisioning based on RBAC configurations (lab ). Roles will also be reconciled beforehand.

    o Oracle Directory Services Ent Edn (DSEE): The identity attribute homePhone is maintained only in DSEE, so authoritative reconciliation will also be configured from this application, but the OIM user update will be respected only for the attribute Permanent Contact Number. The Account Reconciliation module of the OIM DSEE connector will be used to reconcile DSEE user accounts (with role membership). Moving forward, OIM will be used to provision accounts and role memberships to this application.

    2. Contents

    1. Verify extended OIM User Schema
    2. Configure Authoritative Reconciliation for DSEE
    3. Execute Authoritative Reconciliation from flat file
    4. Execute Authoritative Attribute Reconciliation from DSEE
    5. Execute Account Reconciliation from DSEE
    6. Practice Reconciliation Event Re-evaluation and closure
    7. Practice Reconciliation Event Ad-Hoc Linking and closure

    2.1 Verify extended OIM User Schema

    Purpose

    This step is for verifying the presence of OIM custom user attribute Permanent Contact Number.

    Steps

    Ensure that the attribute Permanent Contact Number is visible in the User Configuration.

    2.2 Configure Authoritative Reconciliation for DSEE

    Purpose

    This step includes the configuration required to extend the DSEE connector for Authoritative Reconciliation of the DSEE user account attribute homePhone to update the OIM User attribute Permanent Contact Number.

    Steps

    2.2.1 Create Resource Object for Authoritative Reconciliation with Reconciliation Fields and Action Rules

    Name: DSEE Auth Recon
    Type: Application
    Trusted Source flag checked

    Create two Reconciliation Fields

    1. User ID
       Type: String
       Required checkbox checked
    2. Permanent Contact Number
       Type: String

    Create two Reconciliation Action Rules

    One Entity Match Found --> Establish Link
    One Process Match Found --> Establish Link

    2.2.2 Create Process Definition and Reconciliation Field Mappings

    Create Process Definition

    Name: DSEE Auth Recon
    Type: Provisioning
    Object Name: DSEE Auth Recon
    Default Process checkbox (checked)

    Create Reconciliation Field Mappings

    Field Name --> User ID
    User Attribute --> User Login
    Key Field for Reconciliation Matching checkbox (checked)

    Field Name --> Permanent Contact Number
    User Attribute --> Permanent Contact Number

    2.2.3 Create Reconciliation Matching Rule

    Name - DSEE Auth Recon

    Object - DSEE Auth Recon

    Add a Rule Element - User Login equals User ID (not case-sensitive)

    First save the rule without checking the Active checkbox. Once you save, the Valid checkbox is checked automatically. Finally, check the Active checkbox and save the rule definition.

    2.2.4 Update Reconciliation Attribute Map

    To the relevant Attribute Map AttrName.Recon.Map.iPlanet, add the relevant entry:

    Folder Administration, Form Lookup Definition, entry AttrName.Prov.Map.iPlanet, Button Add
    Code Key: Permanent Contact Number, Decode: homePhone
    Click the Save icon.

    2.2.5 Create Reconciliation profile

    Checkpoint

    2.3 Execute Authoritative Reconciliation from flat file (FlatFileApp)

    Purpose

    This step shows how to execute authoritative reconciliation from FlatFileApp.

    Steps

    2.3.1 Identify the contents of the input file.

    2.3.2 Find Scheduled Job.

    Search for FLATFILEAPP_AUTHRECON_GTC.

    2.3.2 Run Scheduled Job.

    Feel free to manually Refresh (button) to update the status of the execution.

    Checkpoint

    Go to the Administration Console and search for users. All the users that are present in the file and highlighted in step 2.3.1 above should now also be created in OIM as a result of the successful execution of the FlatFileApp authoritative recon.

    2.4 Execute Authoritative Attribute Reconciliation from DSEE

    Purpose

    This step shows how to execute authoritative reconciliation from DSEE to update the value of the attribute Permanent Contact Number for OIM Users.

    Steps

    2.4.1 Identify Users that will be updated.

    ldapsearch -v -h orclfmw.example.com -p 1389 -D 'cn=Directory Manager' -w abcd1234 -b "dc=mydomain,dc=com" '(homePhone=*)'

    Check the OIM user record for one of these users

    2.4.2 Find and run Scheduled Job.

    Search for scheduled job iPlanet User Trusted Recon Task and run it using Run Now option.

    Checkpoint

    Pull up all the users identified in step 2.4.1; they should have their Permanent Contact Number correctly updated.

    2.5 Execute Account Reconciliation from DSEE

    Purpose

    This step shows how to execute account reconciliation from DSEE to assign DSEE accounts to the owner OIM users, which can then be managed from OIM moving forward.

    2.5.1 Find and run Scheduled Job.

    Search for scheduled job iPlanet User Target Recon Task and run it using Run Now option.

    Checkpoint

    Pull up one of the relevant users, like Anderson123, and check its Resource Profile. The reconciled account should show up here with the correct data.

    2.6 Practice Reconciliation Event Re-evaluation and closure

    Purpose

    This step shows how to use the "re-evaluate" and "close" operations provided on a Reconciliation Event.

    2.6.1 Create a new user MLAMBERT123 in DSEE.

    2.6.2 Run Account recon first; an orphan reconciliation event will be created.

    Navigate to the . Search for reconciliation events by providing the value iPlanet User. Sort the simple search results on the basis of Event ID and select the event with the highest value.

    2.6.3 Create an OIM user MLAMBERT123 manually.

    2.6.4 Run Authoritative recon to get the OIM user MLAMBERT123 updated for the newly added DSEE user MLAMBERT123.

    2.6.4 Go back to the orphan reconciliation event and re-evaluate it. Finally, close the event.

    Enter an appropriate Justification, like "Event re-evaluated successfully".

    Checkpoint

    Pull up the OIM User record of MLAMBERT123 and check his resource profile to ensure that the DSEE account was finally assigned to him during reconciliation event re-evaluation.

    2.7 Practice Reconciliation Event Ad-Hoc Linking and closure

    Purpose

    This step shows how to use the "ad-hoc link" and "close" operations provided on a Reconciliation Event.

    2.7.1 Create a new user DKING123 in OIM.

    2.7.2 Create a new user PMILLER123 in DSEE.

    2.7.3 Run Account recon; an orphan reconciliation event will be created for PMILLER123.

    Navigate to the . Search for reconciliation events by providing the value iPlanet User. Sort the simple search results on the basis of Event ID and select the event with the highest value.

    2.7.4 Ad-hoc link the orphan reconciliation event for PMILLER123 to OIM user DKING123. Finally, close the event.

    Checkpoint

    Pull up the OIM User record of DKING123 and check his resource profile to ensure that the DSEE account for PMILLER123 was finally assigned to him during reconciliation event ad-hoc linking.
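
    The matching rule from 2.2.3 and the event handling practised in 2.6 and 2.7, as an added example that is not part of the original lab and is not OIM code: a simplified Python model in which ReconEvent, ReconModel and review_queue are hypothetical names. It goes one step beyond the lab by listing the events that are still orphaned or were ad-hoc linked to a differently named owner, which are the links an access review should confirm.

```python
# Toy model of the events practised in 2.6 and 2.7; hypothetical names, not an OIM API.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ReconEvent:
    event_id: int
    user_id: str                      # "User ID" field reconciled from DSEE
    linked_to: Optional[str] = None   # OIM User Login that received the account
    how: Optional[str] = None         # "rule" or "ad-hoc"

class ReconModel:
    def __init__(self):
        self.resource_profile = {}    # OIM User Login -> reconciled DSEE accounts
        self.events = []

    def create_oim_user(self, login):
        self.resource_profile.setdefault(login, [])

    def _link(self, event, login, how):
        event.linked_to, event.how = login, how
        self.resource_profile[login].append(event.user_id)
        return event

    def evaluate(self, event):
        # Rule from 2.2.3: User Login equals User ID (not case-sensitive).
        hits = [u for u in self.resource_profile
                if u.casefold() == event.user_id.casefold()]
        # Action rule: exactly one match establishes the link; otherwise orphan.
        if event.linked_to is None and len(hits) == 1:
            self._link(event, hits[0], "rule")
        return event

    def account_recon(self, user_id):
        self.events.append(ReconEvent(len(self.events) + 1, user_id))
        return self.evaluate(self.events[-1])

    def ad_hoc_link(self, event, login):
        # The operator picks the owner; the matching rule is bypassed.
        if event.linked_to is not None or login not in self.resource_profile:
            raise ValueError("need an orphan event and an existing OIM user")
        return self._link(event, login, "ad-hoc")

    def review_queue(self):
        # Still orphaned, or linked to an owner whose login differs from the account.
        return [e.event_id for e in self.events if e.linked_to is None
                or e.linked_to.casefold() != e.user_id.casefold()]
```

    Replaying the lab against the model: account_recon("MLAMBERT123") stays orphaned until create_oim_user("MLAMBERT123") is followed by evaluate() on the same event, while the PMILLER123 event linked to DKING123 with ad_hoc_link() remains in review_queue() because the account name and its owner differ.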

    3. Conclusion

    In this lab, you accomplished the following:

    Multi-Authoritative Source Reconciliation
    Account Reconciliation
    Reconciliation event Re-evaluation
    Reconciliation event Ad-Hoc linking

    Relevant features that you should explore further

    Delete Reconciliation
    Using ignoreEvent API
    Using Reconciliation mode - CHANGELOG/REGULAR
    Future Dated Reconciliation - Authoritative and Account
    Status Reconciliation - Authoritative and Account
    Reconciliation Reports