Chat now with support
Chat with Support

Identity Manager 9.2.1 - Administration Guide for Connecting to Oracle E-Business Suite

Mapping an Oracle E-Business Suite in One Identity Manager Synchronizing Oracle E-Business Suite
Setting up initial synchronization of Oracle E-Business Suite Customizing the synchronization configuration Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing E-Business Suite user accounts and persons Login credentials Managing entitlement assignments Mapping E-Business Suite objects in One Identity Manager Handling of E-Business Suite objects in the Web Portal Basic configuration data Configuration parameters for managing Oracle E-Business Suite Permissions required for synchronizing with Oracle E-Business Suite Default project templates for synchronizing an Oracle E-Business Suite Editing system objects Example of a schema extension file

Specifying server functions

NOTE: All editing options are also available in the Designer under Base Data > Installation > Job server.

The server function defines the functionality of a server in One Identity Manager. One Identity Manager processes are handled with respect to the server function.

NOTE: More server functions may be available depending on which modules are installed.
Table 40: Permitted server functions

Server function

Remark

Update server

This server automatically updates the software on all the other servers. The server requires a direct connection to the database server that One Identity Manager database is installed on. It can run SQL tasks.

The server with the One Identity Manager database installed on it is labeled with this functionality during initial installation of the schema.

SQL processing server

It can run SQL tasks. The server requires a direct connection to the database server that One Identity Manager database is installed on.

Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes throughout all the Job servers with this server function.

CSV script server

This server can process CSV files using the ScriptComponent process component.

One Identity Manager Service installed

Server on which a One Identity Manager Service is installed.

SMTP host

Server from which One Identity Manager Service sends email notifications. Prerequisite for sending mails using One Identity Manager Service is SMTP host configuration.

Default report server

Server on which reports are generated.

Oracle E-Business Suite connector

Server on which the Oracle E-Business Suite connector is installed. This server synchronizes the Oracle E-Business Suite target system.

Related topics

Target system managers

A default application role exists for the target system manager in One Identity Manager. Assign identities to this application role who have permission to edit all E-Business Suite systems in One Identity Manager.

Define additional application roles if you want to limit the permissions for target system managers to individual systems. The application roles must be added under the default application role.

For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers
  1. The One Identity Manager administrator allocates identities to be target system administrators.

  2. These target system administrators add identities to the default application role for target system managers.

    Target system managers with the default application role are authorized to edit all the E-Business Suite systems in One Identity Manager.

  3. Target system managers can authorize other identities within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual E-Business Suite systems.

Table 41: Default application roles for target system managers
User Tasks

Target system managers

 

Target system managers must be assigned to the Target systems | Oracle E-Business Suite or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Prepare entitlements to add to the IT Shop.

  • Can add identities that do not have the Primary identity identity type.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other identities within their area of responsibility as target system managers and create child application roles if required.

To initially specify identities to be target system administrators

  1. Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role)

  2. Select the One Identity Manager Administration > Target systems > Administrators category.

  3. Select the Assign identities task.

  4. Assign the identity and save the changes.

To add the first identities to the default application as target system managers

  1. Log in to the Manager as a target system administrator (Target systems | Administrators application role).

  2. Select the One Identity Manager Administration > Target systems > Oracle E-Business Suite category.

  3. Select the Assign identities task.

  4. Assign the identities you want and save the changes.

To authorize other identities as target system managers when you are a target system manager

  1. Log in to the Manager as a target system manager.

  2. Select the application role in the Oracle E-Business Suite > Basic configuration data > Target system managers category.

  3. Select the Assign identities task.

  4. Assign the identities you want and save the changes.

To specify target system managers for individual E-Business Suite systems

  1. Log in to the Manager as a target system manager.

  2. Select the Oracle E-Business Suite > Systems category.

  3. Select the system in the result list.

  4. Select the Change main data task.

  5. On the General tab, select the application role in the Target system manager menu.

    - OR -

    Next to the Target system manager menu, click to create a new application role.

    1. Enter the application role name and assign the Target systems | Oracle E-Business Suite parent application role.

    2. Click OK to add the new application role.

  6. Save the changes.
  7. Assign identities to this application role who are permitted to edit the system in One Identity Manager.

Related topics

Configuration parameters for managing Oracle E-Business Suite

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 42: Configuration parameters

Configuration parameter

Meaning

TargetSystem | EBS

Preprocessor relevant configuration parameter for controlling database model components for Oracle E-Business Suite target system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | EBS | Accounts

Parameter for configuring E-Business Suite user account data.

TargetSystem | EBS | Accounts |
InitialRandomPassword

Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | EBS | Accounts |
InitialRandomPassword | SendTo

Specifies to which identity the email with the random generated password should be sent (manager cost center/department/location/role, identity’s manager or XUserInserted). If no recipient can be found, the email is sent to the address stored in the configuration parameter TargetSystem | EBS | DefaultAddress.

TargetSystem | EBS | Accounts |
InitialRandomPassword | SendTo |
MailTemplateAccountName

Mail template name that is sent to supply users with the login credentials for the user account. The Identity - new user account created mail template is used.

TargetSystem | EBS | Accounts |
InitialRandomPassword | SendTo |
MailTemplatePassword

Mail template name that is sent to supply users with the initial password. The Identity - initial password for new user account mail template is used.

TargetSystem | EBS | Accounts |
MailTemplateDefaultValues

Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Identity - new user account with default properties created mail template is used.

TargetSystem | EBS | Accounts |
PrivilegedAccount

Allows configuration of privileged user account settings.

TargetSystem | EBS | Accounts |
PrivilegedAccount |
AccountName_Postfix

Postfix for formatting the login name of privileged user accounts.

TargetSystem | EBS | Accounts |
PrivilegedAccount |
AccountName_Prefix

Prefix for formatting a login name of privileged user accounts.

TargetSystem | EBS |
DefaultAddress

Default email address of the recipient for notifications about actions in the target system.

TargetSystem | EBS |
MaxFullsyncDuration

Maximum runtime of a synchronization in minutes. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated.

TargetSystem | EBS |
PersonAutoDefault

Mode for automatic identity assignment for user accounts added to the database outside synchronization.

TargetSystem | EBS |
PersonAutoDisabledAccounts

Specifies whether identities are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | EBS |
PersonAutoFullsync

Mode for automatic identity assignment for user accounts that are added to or updated in the database by synchronization.

TargetSystem | EBS |
PersonExcludeList

Listing of all user account without automatic identity assignment. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

The following configuration parameters are also required.

Table 43: Additional configuration parameters

Configuration parameter

Meaning

Common | Journal | Delete | BulkCount

Number of entries to be deleted in any operation.

Common | Journal | Delete | TotalCount

Total number of entries to be deleted in any processing run.

Common | Journal | LifeTime

Use this configuration parameter to specify the maximum amount of time (in days) that a system journal entry can be stored in the database. Older entries are deleted from the database.

Common | MailNotification | DefaultSender

Sender's default email address for sending automatically generated notifications.

Syntax:

sender@example.com

Example:

NoReply@company.com

You can enter the sender's display name in addition to the email address. In this case, ensure that the email address is enclosed in chevrons (<>).

Example:

One Identity <NoReply@company.com>

DPR | Journal | LifeTime

This configuration parameter specifies the synchronization log's retention period (in days). Older logs are deleted from the database.

QER | CalculateRiskIndex

Preprocessor relevant configuration parameter controlling system components for calculating the risk index. Changes to the parameter require recompiling the database.

If the parameter is enabled, values for the risk index can be entered and calculated.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | Person | TemporaryDeactivation

This configuration parameter specifies whether user accounts for an identity are locked if the identity is temporarily or permanently disabled.

QER | Person | UseCentralPassword

Specifies whether the identity's central password is used in the user accounts. The identity’s central password is automatically mapped to the identity’s user accounts in all permitted target systems. This excludes privileged user accounts, which are not updated.

QER | Structures | Inherite |
GroupExclusion

Preprocessor-relevant configuration parameter for controlling the effectiveness of permissions. If this parameter is set, the assigned permissions can be reduced based on exclusion definitions. Changes to this parameter require the database to be recompiled.

Permissions required for synchronizing with Oracle E-Business Suite

The Oracle E-Business Suite requires read access rights to at least the following database objects in the Oracle Database to be connected.

Table 44: Tables and views with select entitlements

Tables

Views

  • ak.ak_attributes_tl

  • ak.ak_excluded_items

  • ak.ak_resp_security_attr_values

  • ak.ak_web_user_sec_attr_values

  • applsys.fnd_application

  • applsys.fnd_application_tl

  • applsys.fnd_data_groups

  • applsys.fnd_data_group_units

  • applsys.fnd_languages

  • applsys.fnd_menus

  • applsys.fnd_menus_tl

  • applsys.fnd_profile_options

  • applsys.fnd_profile_option_values

  • applsys.fnd_request_groups

  • applsys.fnd_resp_functions

  • applsys.fnd_responsibility

  • applsys.fnd_responsibility_tl

  • applsys.fnd_security_groups

  • applsys.fnd_security_groups_tl

  • applsys.fnd_user

  • apps.fnd_user_resp_groups_all

  • apps.fnd_user_resp_groups_direct

  • apps.fnd_user_resp_groups_indirect

  • apps.fnd_usr_roles

  • ak.ak_attributes_tl#

  • ak.ak_excluded_items#

  • ak.ak_resp_security_attr_values#

  • ak.ak_web_user_sec_attr_values#

  • applsys.fnd_application#

  • applsys.fnd_application_tl#

  • applsys.fnd_data_groups#

  • applsys.fnd_data_group_units#

  • applsys.fnd_languages#

  • applsys.fnd_menus#

  • applsys.fnd_menus_tl#

  • applsys.fnd_request_groups#

  • applsys.fnd_responsibility#

  • applsys.fnd_responsibility_tl#

  • applsys.fnd_security_groups#

  • applsys.fnd_security_groups_tl#

  • applsys.fnd_user#

Table 45: Stored procedures with run permissions

Stored procedures

  • apps.fnd_preference

    This grants permissions for the following procedures.

    • apps.fnd_preference.put

    • apps.fnd_preference.remove

  • apps.fnd_user_pkg

    This grants permissions for the following procedures.

    • apps.fnd_user_pkg.AddResp

    • apps.fnd_user_pkg.change_user_name

    • apps.fnd_user_pkg.changepassword

    • apps.fnd_user_pkg.CreateUser

    • apps.fnd_user_pkg.DelResp

    • apps.fnd_user_pkg.DisableUser

    • apps.fnd_user_pkg.UpdateUser

    • apps.fnd_user_pkg.user_synch

Table 46: Tables with select permissions for synchronizing identity data

Tables

Views

  • ap.ap_supplier_contacts

  • ar.hz_parties

  • hr.hr_all_organization_units

  • hr.hr_locations_all

  • hr.per_all_assignments_f

  • hr.per_all_people_f

  • hr.per_job_groups

  • hr.per_jobs

  • hr.per_org_structure_versions

  • hr.per_org_structure_elements

  • hr.per_roles

  • hr.per_sec_profile_assignments

  • hr.per_security_profiles

  • hr.hr_all_organization_units#

  • hr.hr_locations_all#

  • hr.per_all_assignments_f#

  • hr.per_all_people_f#

  • hr.per_job_groups#

  • hr.per_jobs#

  • hr.per_org_structure_versions#

  • hr.per_org_structure_elements#

  • hr.per_sec_profile_assignments#

  • hr.per_security_profiles#

Table 47: Tables with run permissions for synchronizing identity data

Tables

  • apps.per_sec_profile_asg_api
Table 48: Tables with select entitlements for schema types that are created in the connector schema, but are not contained in the default mapping

Tables

Views

  • applsys.fnd_request_group_units

  • applsys.fnd_request_sets

  • applsys.fnd_request_sets_tl

  • applsys.fnd_user_preferences

  • applsys.fnd_request_group_units#

  • applsys.fnd_request_sets#

  • applsys.fnd_user_preferences#

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating