8/13/2019 Lab 3 - Recon
1/61
Lab 3: On-boarding, Reconciliation from applications
(FlatFileApp, DSEE) used by the acquisition (MEDICLAIM)
Last Updated: July 16, 2010
Next: Lab 4: Custom Workflow Creation and Deployment
Previous: Lab 2: Install DSEE connector and extend it
Note: Please view the PDF version as 150% for the clearest display of the screenshots.
1. Introduction
ACME CAPITAL is all set to extend the provisioning solution to accommodate extra applications coming onboard from the MEDICLAIM acquisition. FlatFileApp is the HRMS solution used by MEDICLAIM. The IT functions of this acquired enterprise have not merged yet. ACME plans to use it as one of the authoritative sources of identities, and that is where a new enterprise user record will be added first and HR attributes will be maintained moving forward. This repository contains the records for internal as well as external users. Any new user joining the enterprise will have her user record created in FlatFileApp and synchronized to OIM. Her required accounts and entitlements will then be provisioned to IT applications using OIM workflow and provisioning modules.
The user population of the acquisition also has to be initially loaded into the provisioning engine, OIM. Similar LCM of accounts is also required for users who existed in the organization before OIM came into the picture. Hence, the primary step will be to initially load the OIM repository with user records and their linked accounts and entitlements for each of these already existing users.
The Permanent Contact Number information for ACME OIM Users also needs to be maintained. The ACME DSEE application is the source of this information, where the homePhone attribute is maintained with the required value.
Also, as OIM has to be used to provision to ACME DSEE application instances () and LCM of the DSEE accounts of existing MEDICLAIM users will also be done from OIM moving forward, account reconciliation will initially be needed from DSEE to OIM.
This is exactly how OIM modules will be used to collect identity data from the relevant IT applications:
o FlatFileApp: This application has an option of generating a flat file feed of employee records. A GTC-based flat file reconciliation connector has been created. The same will be used for Authoritative Reconciliation to reconcile internal as well as external users. After the initial load, from day 2 onwards, this application will be used as the authoritative source of identity updates in ACME, which will be reconciled into OIM. These users will be reconciled with their role memberships to drive their basic account provisioning based on RBAC configurations (lab ). Roles will also be reconciled beforehand.
o Oracle Directory Services Ent Edn (DSEE): The identity attribute homePhone is maintained only in DSEE, for which authoritative reconciliation will also be configured from this application, but the OIM user update will be respected for only the attribute Permanent Contact Number. The Account Reconciliation module of the OIM DSEE connector will be used to reconcile DSEE user accounts (with role membership). Moving forward, OIM will be used to provision accounts and role memberships to this application.
2. Contents
1. Verify extended OIM User Schema
2. Configure Authoritative Reconciliation for DSEE
3. Execute Authoritative Reconciliation from flat file
4. Execute Authoritative Attribute Reconciliation from DSEE
5. Execute Account Reconciliation from DSEE
6. Practice Reconciliation Event Re-evaluation and closure
7. Practice Reconciliation Event Ad-Hoc Linking and closure
2.1 Verify extended OIM User Schema
Purpose
This step is for verifying the presence of OIM custom user attribute Permanent Contact Number.
Steps
Ensure that the attribute Permanent Contact Number is visible in the User Configuration.
2.2 Configure Authoritative Reconciliation for DSEE
Purpose
This step includes the configuration required to extend the DSEE connector for Authoritative Reconciliation of the DSEE user account attribute homePhone to update the OIM User attribute Permanent Contact Number.
Steps
2.2.1 Create Resource Object for Authoritative Reconciliation with Reconciliation Fields and Action Rules
Name: DSEE Auth Recon
Type: Application
Trusted Source flag checked
Create two Reconciliation Fields:
1. User ID
   Type: String
   Required checkbox: checked
2. Permanent Contact Number
   Type: String
Create two Reconciliation Action Rules:
One Entity Match Found --> Establish Link
One Process Match Found --> Establish Link
2.2.2 Create Process Definition and Reconciliation Field Mappings
Create Process Definition
Name: DSEE Auth Recon
Type: Provisioning
Object Name: DSEE Auth Recon
Default Process checkbox (checked)
Create Reconciliation Field Mappings
Field Name --> User ID
User Attribute --> User Login
Key Field for Reconciliation Matching checkbox (checked)
Field Name --> Permanent Contact Number
User Attribute --> Permanent Contact Number
2.2.3 Create Reconciliation Matching Rule
Name - DSEE Auth Recon
Object - DSEE Auth Recon
Add a Rule Element - User Login equals User ID (not case-sensitive)
First save the rule without checking the Active checkbox. Once you save, the Valid checkbox is checked automatically. Finally, check the Active checkbox and save the rule definition.
2.2.4 Update Reconciliation Attribute Map
To the relevant Attribute Map AttrName.Recon.Map.iPlanet, add the relevant entry:
Folder: Administration
Form: Lookup Definition
Entry: AttrName.Prov.Map.iPlanet
Button: Add
Code Key: Permanent Contact Number, Decode: homePhone
Click the Save icon.
2.2.5 Create Reconciliation profile
Checkpoint
2.3 Execute Authoritative Reconciliation from flat file (FlatFileApp)
Purpose
This step shows how to execute authoritative reconciliation from FlatFileApp.
Steps
2.3.1 Identify the contents of the input file.
2.3.2 Find Scheduled Job.
Search for FLATFILEAPP_AUTHRECON_GTC.
2.3.3 Run Scheduled Job.
Feel free to manually Refresh (button) to update the status of the execution.
Checkpoint
Go to the Administration Console and search for users. All the users that are present in the file and highlighted in step 2.3.1 above should now also be created in OIM as a result of the successful execution of the FlatFileApp authoritative recon.
2.4 Execute Authoritative Attribute Reconciliation from DSEE
Purpose
This step shows how to execute authoritative reconciliation from DSEE to update the value of the attribute Permanent Contact Number for OIM Users.
Steps
2.4.1 Identify Users that will be updated.
ldapsearch -v -h orclfmw.example.com -p 1389 -D 'cn=Directory Manager' -w abcd1234 -b "dc=mydomain,dc=com" '(homePhone=*)'
Check the OIM user record for one of these users
2.4.2 Find and run Scheduled Job.
Search for scheduled job iPlanet User Trusted Recon Task and run it using Run Now option.
Checkpoint
Pull up all the users identified in step 2.4.1; they should have their Permanent Contact Number correctly updated.
2.5 Execute Account Reconciliation from DSEE
Purpose
This step shows how to execute account reconciliation from DSEE to assign DSEE accounts to the owner OIM users, which can then be managed from OIM moving forward.
2.5.1 Find and run Scheduled Job.
Search for scheduled job iPlanet User Target Recon Task and run it using Run Now option.
Checkpoint
Pull up one of the relevant users, like Anderson123, and check its Resource Profile. The reconciled account should show up here with the correct data.
2.6 Practice Reconciliation Event Re-evaluation and closure
Purpose
This step shows how to use the "re-evaluate" and "close" operations provided on a Reconciliation Event.
2.6.1 Create a new user MLAMBERT123 in DSEE.
2.6.2 Run Account recon first; an orphan reconciliation event will be created.
Navigate to the . Search for reconciliation events by providing the value iPlanet User. Sort the simple search results on the basis of Event ID and select the event with the highest value.
2.6.3 Create an OIM user MLAMBERT123 manually.
2.6.4 Run Authoritative recon to get the OIM user MLAMBERT123 updated for the newly added DSEE user MLAMBERT123.
2.6.5 Go back to the orphan reconciliation event and re-evaluate it. Finally, close the event.
Enter a suitable Justification, such as "Event re-evaluated successfully".
Checkpoint
Pull up the OIM User record of MLAMBERT123 and check his resource profile to ensure that the DSEE account was finally assigned to him during reconciliation event re-evaluation.
2.7 Practice Reconciliation Event Ad-Hoc Linking and closure
Purpose
This step shows how to use the "ad-hoc link" and "close" operations provided on a Reconciliation Event.
2.7.1 Create a new user DKING123 in OIM.
2.7.2 Create a new user PMILLER123 in DSEE.
2.7.3 Run Account recon; an orphan reconciliation event will be created for PMILLER123.
Navigate to the . Search for reconciliation events by providing the value iPlanet User. Sort the simple search results on the basis of Event ID and select the event with the highest value.
2.7.4 Ad-hoc link the orphan reconciliation event for PMILLER123 to OIM user DKING123. Finally, close the event.
Checkpoint
Pull up the OIM User record of DKING123 and check his resource profile to ensure that the DSEE account for PMILLER123 was finally assigned to him during reconciliation event ad-hoc linking.
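The event flow of sections 2.6 and 2.7 under the matching rule from 2.2.3, as an added Python model that is not part of the lab and is not OIM code. The class, function and status names, the operator name "admin" and the sample logins are hypothetical; the DSEE User ID for MLAMBERT123 is written in lower case to exercise the case-insensitive rule.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ReconEvent:                      # hypothetical model, not an OIM class
    user_id: str                       # "User ID" reconciliation field from DSEE
    status: str = "received"           # status labels are this model's own
    linked_to: Optional[str] = None    # OIM User Login that owns the account
    audit: list = field(default_factory=list)

def same_identity(login, user_id):
    """Matching rule from 2.2.3: User Login equals User ID, not case-sensitive."""
    return login.casefold() == user_id.casefold()

def evaluate(event, oim_logins):
    """Evaluate or re-evaluate an event: exactly one match establishes the link."""
    hits = [u for u in oim_logins if same_identity(u, event.user_id)]
    if len(hits) == 1:
        event.status, event.linked_to = "linked", hits[0]
    else:
        event.status = "ambiguous" if hits else "orphan"
    event.audit.append(("evaluate", event.status))
    return event

def adhoc_link(event, login, oim_logins, operator):
    """Manual link that bypasses the matching rule; the operator is recorded."""
    if login not in oim_logins:
        raise KeyError(f"no OIM user {login}")
    event.status, event.linked_to = "linked", login
    event.audit.append(("ad-hoc link", operator, login))
    return event

def close(event, justification):
    event.audit.append(("close", justification))
    event.status = "closed"
    return event

def links_outside_rule(events):  # review list: owner does not satisfy the rule
    return [(e.user_id, e.linked_to) for e in events
            if e.linked_to and not same_identity(e.linked_to, e.user_id)]

def run_lab():
    oim = {"Anderson123", "DKING123"}              # constructed sample logins
    e1 = evaluate(ReconEvent("mlambert123"), oim)  # 2.6.2: no owner yet, orphan
    oim.add("MLAMBERT123")                         # 2.6.3: OIM user created
    close(evaluate(e1, oim), "Event re-evaluated successfully")
    e2 = evaluate(ReconEvent("PMILLER123"), oim)   # 2.7.3: orphan
    close(adhoc_link(e2, "DKING123", oim, "admin"), "Ad-hoc linked")  # 2.7.4
    return e1, e2, links_outside_rule([e1, e2])
```

Re-evaluation links an account only when the matching rule finds exactly one owner, while an ad-hoc link attaches it to whichever user the operator picks, so `links_outside_rule` returns the pairs an access reviewer would want to confirm.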
3. Conclusion
In this lab, you accomplished the following:
Multi-Authoritative Source Reconciliation
Account Reconciliation
Reconciliation event Re-evaluation
Reconciliation event Ad-Hoc linking
Relevant features that you should explore further
Delete Reconciliation
Using ignoreEvent API
Using Reconciliation mode - CHANGELOG/REGULAR
Future Dated Reconciliation - Authoritative and Account
Status Reconciliation - Authoritative and Account
Reconciliation Reports