立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for Connecting to Oracle E-Business Suite

Mapping an Oracle E-Business Suite in One Identity Manager Synchronizing Oracle E-Business Suite
Setting up initial synchronization of Oracle E-Business Suite Customizing the synchronization configuration Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing E-Business Suite user accounts and persons Login credentials Managing entitlement assignments Mapping E-Business Suite objects in One Identity Manager Handling of E-Business Suite objects in the Web Portal Basic configuration data Configuration parameters for managing Oracle E-Business Suite Permissions required for synchronizing with Oracle E-Business Suite Default project templates for synchronizing an Oracle E-Business Suite Editing system objects Example of a schema extension file

Assigning E-Business Suite user accounts directly to an entitlement

To react quickly to special requests, you can assign the entitlements directly to user accounts.

To assign an entitlement directly to user accounts

  1. In the Manager, select the Oracle E-Business Suite > entitlements category.

  2. Select the entitlements in the result list.

  3. Select the Assign user accounts task.

The top area of the form displays all user accounts that have already been assigned, together with their validity periods. The overview shows the user accounts that have been assigned both directly and indirectly. For direct assignments, an Active from (direct) date is set; indirect assignments do not have a direct validity date.

To assign the entitlement to a user account:

  1. Click Add.

  2. Select the user account from the User account menu.

  3. In the Active from (direct) input field, enter the first date from on the direct entitlement assignment is valid.

  4. (Optional) In the Active to (direct) input field, enter the last date on which the direct entitlement assignment is valid.

  5. (Optional) Add further user accounts.

  6. Save the changes.

To edit a direct entitlement assignment

  1. In the overview, select the direct entitlement assignment that you want to edit.

  2. Change the values in the input fields Active from (direct), Active to (direct), or Description.

  3. Save the changes.

Only direct assignments can be edited. If you select and edit an indirect assignment in the overview, this creates an additional direct assignment.

Entitlement assignments cannot be deleted. Instead, there are two options for indicating that a direct assignment is no longer valid.

  • Enter the current date as the expiration date of the entitlement.

    Select this option, for example, if an entitlement assignment will become invalid on a defined date in the future.

    - OR -

  • Delete the entitlement assignment.

    Select this option, for example, if an inherited entitlement assignment also exists alongside the direct assignment, and you want the inherited entitlement assigned to replace the direct assignment.

To set the expiration date for a direct entitlement assignment

  1. In the overview, select the direct entitlement assignment that you no longer want to be effective.

  2. Next to the input field Active to (direct), click ....

  3. Click Today or define a different expiration date.

  4. Save the changes.

To remove a direct entitlement assignment

  1. In the overview, select the direct entitlement assignment that you no longer want to be effective.

  2. Click Delete.

  3. Save the changes.

    The first and last validity date of the direct assignment (Active from (direct) and Active to (direct)) are deleted. The final validity date (Active to (effective)) is recalculated. If no further valid assignments exist, the final validity date is set to a date in the past and XOrigin is assigned the value 16.

Detailed information about this topic
Related topics

Assigning E-Business Suite entitlements directly to a user account

To react quickly to special requests, you can assign entitlements directly to a user account. You cannot directly assign permissions that have the Only use in IT Shop option set.

To assign entitlements directly to a user account

  1. In the Manager, select the Oracle E-Business Suite > User accounts category.

  2. Select the user account in the result list.

  3. Select the Assign permission task.

The top area of the form displays all entitlements that have already been assigned, together with their validity periods. The overview shows the entitlements that have been assigned both directly and indirectly. For direct assignments, an Active from (direct) date is set; indirect assignments do not have a direct validity date.

To assign an entitlement to the user account

  1. Click Add.

  2. Select the entitlement you want to assign from the E-Business Suite Entitlement menu.

  3. In the Active from (direct) input field, enter the first date from on the direct entitlement assignment is valid.

  4. (Optional) In the Active to (direct) input field, enter the last date on which the direct entitlement assignment is valid.

  5. (Optional) Add further entitlements.

  6. Save the changes.

To edit a direct entitlement assignment

  1. In the overview, select the direct entitlement assignment that you want to edit.

  2. Change the values in the input fields Active from (direct), Active to (direct), or Description.

  3. Save the changes.

Only direct assignments can be edited. If you select and edit an indirect assignment in the overview, this creates an additional direct assignment.

Entitlement assignments cannot be deleted. Instead, there are two options for indicating that a direct assignment is no longer valid.

  • Enter the current date as the expiration date of the entitlement.

    Select this option, for example, if an entitlement assignment will become invalid on a defined date in the future.

    - OR -

  • Delete the entitlement assignment.

    Select this option, for example, if an inherited entitlement assignment also exists alongside the direct assignment, and you want the inherited entitlement assigned to replace the direct assignment.

To set the expiration date for a direct entitlement assignment

  1. In the overview, select the direct entitlement assignment that you no longer want to be effective.

  2. Next to the input field Active to (direct), click ....

  3. Click Today or define a different expiration date.

  4. Save the changes.

To remove a direct entitlement assignment

  1. In the overview, select the direct entitlement assignment that you no longer want to be effective.

  2. Click Delete.

  3. Save the changes.

    The first and last validity date of the direct assignment (Active from (direct) and Active to (direct)) are deleted. The final validity date (Active to (effective)) is recalculated. If no further valid assignments exist, the final validity date is set to a date in the past and XOrigin is assigned the value 16.

Detailed information about this topic
Related topics

Validity period of permission assignments

You can limit the time for which permission assignments are valid. A user account can receive permissions by direct assignment as well as through a variety of different inheritance paths. Each of these assignments can have a different validity period. One Identity Manager uses all validity periods to determine the actual validity period effective at the current time. This calculation considers all assignments with OriginIndirect = 0.

Table 24: Properties of a permission assignment

Property

Description

Active from (effective)

First date from which the assignment is valid. This date is calculated from all assignments (direct and indirect).

Active to (effective)

Last date on which the assignment is valid This date is calculated from all assignments (direct and indirect). If no date is specified, the assignment is unlimited.

Active from (direct)

First date from which the direct assignment is valid

Active to (direct)

Last date on which the direct assignment is valid If no date is specified, the assignment is unlimited.

Indirect

Specifies whether this assignment maps an indirect permission from the target system. You cannot edit indirect assignments in One Identity Manager.

Description

Text field for additional explanation.

Calculation of the effective validity period

In One Identity Manager, one user account-permission combination can have multiple assignments with different validity periods. However, only the effective assignment is transferred to Oracle E-Business Suite. One Identity Manager calculates the effective validity period from all the assignments. The different assignment types are incorporated into the calculation as follows:

Table 25: Determine validity period

Type of assignment

Validity period

Direct assignment

Active from (direct) and Active to (direct)

Request

Validity period of the request when the Valid from date of the request has been reached or exceeded.

For unlimited requests, 01.01.1900 is entered at the first validity date.

assignment request

Validity period of the request when the Valid from date of the request has been reached or exceeded.

For unlimited requests, 01.01.1900 is entered at the first validity date.

Inheritance by department, location, cost center, or business role (not an assignment request)

Unlimited only

The date of the assignment is set as the first date of the validity.

Inheritance through dynamic role

Unlimited only

The date of the assignment is set as the first date of the validity.

Inheritance by system role

Unlimited only

The date of the assignment is set as the first date of the validity.

The effective assignment is controlled by a schedule.

  • Active from (effective): earliest initial validity date of all the assignments

  • Active to (effective): latest last validity date of all limited assignments

    If the assignment is unlimited, Active to (effective) is empty.

Detailed information about this topic
Related topics

Effectiveness of entitlement assignments

When E-Business Suite entitlements are assigned to user accounts an identity may obtain two or more groups that are not permitted in this combination. To prevent this, you can declare mutually exclusive entitlements. To do this, you specify which of the two entitlements should become active on user accounts if both are assigned.

It is possible to assign an excluded entitlements directly, indirectly, or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive entitlements. This means that the definition "Entitlement A excludes entitlement B" AND "Entitlement B excludes entitlement A" is not permitted.

  • Each entitlement to be excluded from another entitlement must be declared separately. Exclusion definitions cannot be inherited.

The effectiveness of the assignments is stored in the EBSUserInResp table using the ValidTo and XOrigin columns, and in the BaseTreeHasEBSResp table, using the XIsInEffect column.

Example of the effectiveness of entitlements
  • The entitlements A, B, and C are defined in an E-Business Suite system.

  • Entitlement A is assigned through the "Marketing" department, entitlement B through the "Finance" department, and entitlement C through the "Control group" business role.

Jo User1 has a user account in this system. They primarily belong to the "Marketing" department. The "Control group" business role and the "Finance" department are assigned to them secondarily. Without an exclusion definition, the user account obtains all the entitlements A, B, and C.

You must use appropriate measures to ensure that an identity cannot obtain entitlements A and B at the same time. This means that entitlements A and B are mutually exclusive. A user with entitlement C also cannot be assigned entitlement B. Entitlements B and C are therefore mutually exclusive.

Table 26: Definition of excluded entitlements (EBSRespExclusion table)

Effective entitlement

Excluded entitlement

Entitlement A

Entitlement B

Entitlement A

Entitlement C

Entitlement B

Table 27: Effective assignments

Identity

Member in role

Effective entitlement

Pat Identity1

Marketing

Entitlement A

Jan User3

Marketing, finance

Entitlement B

Jo User1

Marketing, finance, control group

Entitlement C

Chris User2

Marketing, control group

Entitlement A

Entitlement C

Only the entitlement C assignment is in effect for Jo User1 and is published in the target system. If Jo User1 leaves the "control group" business role at a later date, entitlement B also takes effect.

Entitlements A and C are in effect for Chris User2 because no exclusions are defined between these two entitlements. If this should not be allowed, define a further exclusion for entitlement C.

Table 28: Excluded entitlements and effective assignments

Identity

Member in role

Assigned entitlement

Excluded entitlement

Effective entitlement

Chris User2

 

Marketing

Entitlement A

 

Entitlement C

 

Control group

Entitlement C

Entitlement B

Entitlement A

Prerequisites
  • The QER | Structures | Inherite | GroupExclusion configuration parameter is set.

    In the Designer, set the configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

  • Mutually exclusive entitlements belong to the same E-Business Suite system.

To exclude entitlements

  1. In the Manager, select the Oracle E-Business Suite > entitlements category.

  2. Select an entitlement in the result list.

  3. Select the Exclude E-Business Suite entitlements task.

  4. In the Add assignments pane, assign entitlements that are mutually exclusive to the entitlement.

    - OR -

    In the Remove assignments pane, remove the entitlements that are no longer mutually exclusive.

  5. Save the changes.
Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级