Connecting to Oracle

EmpowerID includes an Oracle connector that allows organizations to bring the user data (user accounts, profiles and roles) in their Oracle system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories Oracle, it creates an account in the EmpowerID Identity Warehouse for each Oracle user, a group for each Oracle profile, and an EmpowerID Business Role for each Oracle role.

The Oracle connector allows organizations to bring the user data in their Oracle system to EmpowerID, where you can manage and synchronize it with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:

  • Provision new users
  • Edit user attributes
  • Delete users

This topic demonstrates how to connect EmpowerID to Oracle.

To create an account store for Oracle via the web site

  • In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  • Click the Actions tab, and then click the Create Account Store action.
  • Search for and select Oracle Users from the list of system types and click Submit.
  • On the Oracle Settings page that appears, enter settings to connect to your Oracle instance to allow EmpowerID to discover and connect to it.
  • In the Name and Display Name fields, enter a name for the account store.
  • In the User Name field, enter the user name of an Oracle administrator.
  • In the Password field, enter the Oracle admin's password.
  • In the Server field, enter the FQDN or IP address of the Oracle system's server.
  • In the Database field, enter the name of the Oracle database.
  • Click Submit.
  • The Account Store and associated Resource System are created and appear in both the web application and in the Management Console.

To edit account store settings on the web

  • In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  • On the Account Stores tab, search for the account store you just created and click the link to go to its details page.
  • On the Account Store Details page, click the Edit button or the name of the account store.
  • In the edit view of the page, you can edit values in any of the enabled fields. In the General section, these are:
  • Display Name – Edit the name of the account store as it appears in the list of account stores.
  • Proxy Connection Account – Change the instance, user name, and password for the Oracle connection.
  • Account Store Proxy Shared Credential – Click in this box and press Enter to see a list of shared credentials in your system to use for the proxy connection.
  • Password Manager Policy – Select a password manager policy to use for the account. If not selected, it uses the Default Password Manager Policy.
  • Application ID – If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.)
  • Tenant ID – Enter the Tenant ID, if supplied by the connection account. (AWS uses this.)
  • Use Secure Binding – Toggle to bind accounts with encryption.
  • Show in Tree – Toggle to show the account store in the Locations tree.
  • Default User Creation Path  – Select a location in which to create users if none is specified.
  • Default Group Creation Path – Select a location in which to create groups if none is specified.
  • EmpowerID Group Creation Path – Select a location in which to create EmpowerID groups if none is specified.
  • Max Accounts per Person – Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommend setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person.
  • In the Features section, you can select any of these values:
  • Use for Authentication – 
  • Allow Search for User Name in Authentication – 
  • Allow Password Sync – Toggle to allow EmpowerID to sync password changes discovered during inventory.
  • Queue Password Changes – Toggle to have EmpowerID send password changes to the Account Password Reset Inbox for batch processing.
  • Queue Password Changes on Failure – Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails.
  • Allow Account Creation on Membership Request – Toggle to allow users without accounts to request group membership and automatically have an account created.
  • Batch Calls – 
  • Allow Attribute Flow – Toggle to allow attribute changes to flow between EmpowerID and the account store.
  • Allow Person Provisioning – Toggle to allow EmpowerID to create Person objects from the user records discovered during inventory.
  • Allow Provisioning – Toggle to allow EmpowerID to create new Groups in Oracle from requests discovered during inventory.
  • Allow Deprovisioning – Toggle to allow EmpowerID to delete Groups in Oracle based on requests discovered during inventory.
  • Automatic Person Join – Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
  • Automatic Person Provision – Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
  • Default Provision Business Role – Set a default Business Role to assign people if none is specified.
  • Default Provision Location – Set a default Location to assign people if none is specified.
  • Allow Business Role and Location Re-Evaluation – Toggle if you have multiple account stores to manage and want to specify a priority for each.
  • Business Role and Location Re-Evaluation Order – Enter a number to specify the priority of the account store for determining the Business Roles and Locations to assign to a Person. Account Stores with a higher value take precedence.
  • Recertify All Group Changes – Toggle to allow EmpowerID to generate recertification review tasks for all changes in Oracle Groups.
  • When you have finished editing, click Save.

To connect EmpowerID to your Oracle system

  • Log in to the EmpowerID Management Console as an administrator.
  • From the EmpowerID Management Console, click the EmpowerID icon, and select Configuration Manager from the menu.
  • In Configuration Manager, select the Account Stores node and then click the Add New button above the grid.
  • Click the Add New button above the grid.
  • In the Add New Security Boundary window that opens, select the Oracle Users Security Boundary type from the drop-down list and then click OK.
  • In the Account Store Details window that appears, do the following:
  • Type a name for the Account Store in the Account Store Name field.
  • Type the name of an admin user in the User Name field.
  • Type the password for the above admin user in the Password field.
  • Type the FQDN or IP address of the server hosting the Oracle system.
  • Type the name of the Oracle database in the Database field.
  • Click Save.
  • Back in the main screen of Configuration Manager, search for the account store you just created and then double-click it or right-click it and select Edit from the context menu. This opens the Account Store Details screen for the Oracle connector. The use of this screen is discussed in the next section.

    To configure the Oracle account store

    The Account Store Details screen contains three panes that are relevant to the Oracle connector--the General pane, the Inventory pane, and the Group Membership Reconciliation pane. To view reference information about a particular pane, expand the drop-down for that pane.

    Info: Oracle Account Store Configuration

    Before configuring EmpowerID to manage the account store, determine whether you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, answer the following questions before turning on inventory.

    1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
    2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
    3. How many user accounts can one Person have in the account store?
    4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?

    For a greater discussion of these points within the context of connecting EmpowerID to an account store, see Active Directory.

  • From the General pane of the Account Store Details screen, enable each desired feature by toggling the icon to the right of each feature from a red sphere to a green check box. For example, if you want EmpowerID to provision an EmpowerID Person for each Oracle user, toggle the red sphere to the right of Allow Person Provisioning to a green check box.
  • In the Inventory pane of the Account Store Details screen for the account store, toggle the icon to the right of the Allow Automatic Person Provision On Inventory setting from a red sphere to a green check box if you enabled Allow Person Provisioning in the General pane and you want EmpowerID to automatically create a linked EmpowerID Person object for each new, unique Oracle user discovered during the inventory process.
  • If you are allowing automatic person provision on inventory, click the Edit button to the right of Business Role for New Inventory Provision and select an appropriate Business Role for each new Person provisioned during inventory.
  • Click OK to close the Business Role Selector.
  • If you are allowing automatic person provision on inventory, click the Edit button to the right of Location For New Inventory Provision and select an appropriate Location for each Person EmpowerID provisions during inventory.
  • Click OK to close the Location Selector.
  • To begin inventory, click the red sphere to the left of Enable Inventory so that the red sphere becomes a green check box.
  • After several minutes, refresh the Account Store data by pressing the Refresh Data button located at the top of the Account Store Details screen to see that EmpowerID has inventoried the Oracle user accounts and provisioned the requisite number of EmpowerID Persons for those accounts (if you selected the provisioning options discussed above).

    To create an account store for Oracle via the web site


    Info

    Before configuring EmpowerID to manage the account store, determine whether you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, answer the following questions before turning on inventory.

    1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
    2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
    3. How many user accounts can one Person have in the account store?
    4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?

    For a greater discussion of these points within the context of connecting EmpowerID to an account store, see Active Directory.

    1. In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
    2. Click the Actions tab, and then click the Create Account Store action.

    3. Search for and select Oracle Users from the list of system types and click Submit.

    4. On the Oracle Settings page that appears, enter settings to connect to your Oracle instance to allow EmpowerID to discover and connect to it.

      1. In the Name field, enter a name for the account store.
      2. In the User Name field, enter the user name of an Oracle administrator.
      3. In the Password field, enter the Oracle admin's password.
      4. In the Server field, enter the FQDN or IP address of the Oracle system's server.
      5. In the Database field, enter the name of the Oracle database.
      6. Click Submit.

    5. The Account Store and associated Resource System are created and appear in both the web application and in the Management Console.

    To edit account store settings on the web

    1. In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
    2. On the Account Stores tab, search for the account store you just created and click the link to go to its details page.

    3. On the Account Store Details page, click the Edit button or the name of the account store.


    4. In the edit view of the page, you can edit values in any of the enabled fields on several tabs as detailed in the tables below. Do not enable inventory until the end.

      Note

      If you do not want all of the users and groups found during inventory to go in the same location in EmpowerID, we recommend Mapping EmpowerID Locations to External Locations before enabling inventory.


    5. When you have finished editing, click Save.

      Info

      Clicking the Save button on any of the tabs saves any changed settings on all of the tabs, so there is no need to save it after each tab.


    Settings Tab

    General section

    Setting – Description
    Option 1 Specify an Account Proxy – Click Edit to change the Domain (Server), User Name, and Password that was entered when the account store was created.
    Option 2 Select a Vaulted Credential as Account Proxy – Click the drop-down arrow to select a vaulted credential to use as the account proxy.
    Inventoried Directory Server – Click the drop-down arrow to select from any connected Oracle servers.

    Authentication and Password Settings section

    Setting – Description
    Password Manager Policy for Accounts without Person – Select a password manager policy to use for the account. If not selected, it uses the Default Password Manager Policy.

    Provisioning Settings section

    Setting – Description
    Allow Attribute Flow – Toggle to allow attribute changes to flow between EmpowerID and the account store.
    Allow Provisioning (By RET) – Toggle to allow EmpowerID to create users in the system that were created in EmpowerID.
    Allow Deprovisioning (By RET) – Toggle to allow EmpowerID to delete users in the system that were deleted in EmpowerID.
    Default User Creation Path – Select an external location in which to create users when they are provisioned in EmpowerID.
    Default Group Creation Path – Select an external location in which to create groups when they are created in EmpowerID.
    Max Accounts per Person – Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommend setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person.
    Default Person Business Role – Select a default Business Role to assign provisioned people if none is specified.
    Default Person Location – Select a default Location to assign provisioned people if none is specified.

    Special Use Settings section

    Setting – Description
    RBAC Assign Group Members On First Inventory – This setting only pertains to Active Directory account stores.
    Automatically Join Account to a Person On Inventory (Skip Account Inbox) – Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
    Automatically Create a Person On Inventory (Skip Account Inbox) – Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
    Show in Tree – Toggle to show the account store in the Locations tree.
    Queue Password Changes on Failure – Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails.
    Use Secure LDAPS Binding – Toggle to bind accounts with encryption.

    Naming Fields section

    Setting – Description
    Application ID – If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.)
    Tenant ID – Enter the Tenant ID, if supplied by the connection account. (AWS uses this.)

    Inventory Tab

    The Inventory tab is where you set scheduling and enable EmpowerID to take inventory of the external system. If you do not want all of the users and groups found during inventory to go in the same location in EmpowerID, we recommend Mapping EmpowerID Locations to External Locations before enabling inventory.

    Setting – Description
    Inventory Enabled – Select this after everything is set up to your liking to allow EmpowerID to inventory the system. The Inventory Job must be enabled for inventory to occur.
    Inventory Schedule Interval: Start – Set the date on which to begin inventorying the system. By default, this is set to the creation date of the account store.
    Inventory Schedule Interval: End – Set the date on which to stop inventorying the system. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
    Inventory Schedule Interval: (units) – Select the units for the interval at which to run inventory. By default, this is set to 10 minutes.
      • Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run inventory.
      • Hour Interval — If you select this value, enter the number of hours between inventory runs in the Interval box below.
      • Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run inventory.
      • Minute Interval — If you select this value, enter the number of minutes between inventory runs in the Interval box below.
      • Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run inventory each day.
      • Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run inventory.
    Run Indefinitely – Select to allow inventory to run indefinitely, ignoring the End date.
    Interval: (number) – Set the number of units for the interval at which to run inventory. By default, this is set to 10 minutes.
    Inventory Next Compilation Time – If you do not want to wait for the next regularly scheduled inventory run, specify the time and date to run it next.
    Inventory Batch Size – Specify the number of records to process in each batch, to avoid hanging up your system when large numbers of records are processed. By default, this is set to 1,000 records.

    Membership Tab

    Group membership reconciliation is enabled by default to run every ten minutes, indefinitely. 

    Setting – Description
    Enable Group Membership Reconciliation – Select to allow EmpowerID to reconcile group membership with the system. This is enabled by default.
    Membership Schedule Interval: Start – Set the date on which to begin reconciling group membership with the system. By default, this is set to the creation date of the account store.
    Membership Schedule Interval: End – Set the date on which to stop reconciling group membership with the system. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
    Membership Schedule Interval: (units) – Select the units for the interval at which to run inventory. By default, this is set to 10 minutes.
      • Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run reconciliation.
      • Hour Interval — If you select this value, enter the number of hours between reconciliation runs in the Interval box below.
      • Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run reconciliation.
      • Minute Interval — If you select this value, enter the number of minutes between reconciliation runs in the Interval box below.
      • Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run reconciliation each day.
      • Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run reconciliation.
    Run Indefinitely – Select to allow group membership reconciliation to run indefinitely, ignoring the End date.
    Interval: (number) – Set the number of units for the interval at which to run rights inventory. By default, this is set to 10 minutes.

    Projection Tab

    The Projection tab is where you set scheduling and enable EmpowerID to sync resource role group membership with the account store.

    Setting – Description
    Resource Role Group Membership Projection Enabled – Select to allow EmpowerID to dynamically manage the membership of the organization's groups, adding and removing users to and from groups based on policy-based assignment rules. This is disabled by default.
    Rights Inventory Schedule Interval: Start – Set the date on which to begin projection. By default, this is set to the creation date of the account store.
    Rights Inventory Schedule Interval: End – Set the date on which to stop projection. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
    Rights Inventory Schedule Interval: (units) – Select the units for the interval at which to run projection. By default, this is set to 10 minutes.
      • Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run projection.
      • Hour Interval — If you select this value, enter the number of hours between projection runs in the Interval box below.
      • Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run projection.
      • Minute Interval — If you select this value, enter the number of minutes between projection runs in the Interval box below.
      • Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run projection each day.
      • Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run projection.
    Run Indefinitely – Select to allow projection to run indefinitely, ignoring the End date.
    Interval: (number) – Set the number of units for the interval at which to run projection. By default, this is set to 10 minutes.
    Inventory Next Compilation Time – If you do not want to wait for the next regularly scheduled projection run, specify the time and date to run it next.

    Rights Inventory Tab

    The Rights Inventory tab is where you set scheduling and enable EmpowerID to take inventory of rights in the native system. 

    Setting – Description
    Rights Inventory Is Enabled – Select to allow EmpowerID to inventory native rights in the system. This is disabled by default.
    Rights Inventory Schedule Interval: Start – Set the date on which to begin inventorying rights in the system. By default, this is set to the creation date of the account store.
    Rights Inventory Schedule Interval: End – Set the date on which to stop inventorying rights in the system. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
    Rights Inventory Schedule Interval: (units) – Select the units for the interval at which to run rights inventory. By default, this is set to 10 minutes.
      • Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run rights inventory.
      • Hour Interval — If you select this value, enter the number of hours between rights inventory runs in the Interval box below.
      • Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run rights inventory.
      • Minute Interval — If you select this value, enter the number of minutes between rights inventory runs in the Interval box below.
      • Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run rights inventory each day.
      • Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run rights inventory.
    Run Indefinitely – Select to allow rights inventory to run indefinitely, ignoring the End date.
    Interval: (number) – Set the number of units for the interval at which to run rights inventory. By default, this is set to 10 minutes.
    Inventory Next Compilation Time – If you do not want to wait for the next regularly scheduled rights inventory run, specify the time and date to run it next.

    Enforcement Tab


    Setting – Description
    Resource Role Group Rights Enforcement Enabled – Select to allow EmpowerID to determine who should have access to what in Exchange based on their assignments to Access Levels in EmpowerID and to enforce it using domain local groups (Resource Role Groups).
    Enforcement Type – Select to specify how EmpowerID is to enforce rights in native systems.
      • No Action — No rights enforcement action occurs.
      • Projection with Enforcement — Changes to rights within EmpowerID occur within EmpowerID and are enforced within the native environment.
      • Projection with No Enforcement — Changes to rights within EmpowerID occur only within EmpowerID; they are not passed on to the native environment.
      • Projection with Strict Enforcement — EmpowerID overrides any changes made in the native environment. All changes made must occur within EmpowerID to be accepted. (Applies only to Active Directory groups.)
    Schedule: Start – Set the date on which to begin enforcement. By default, this is set to the creation date of the account store.
    Schedule: End – Set the date on which to stop enforcement. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
    Interval: (units) – Select the units for the interval at which to run enforcement. By default, this is set to 10 minutes.
      • Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run enforcement.
      • Hour Interval — If you select this value, enter the number of hours between enforcement runs in the Interval box below.
      • Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run enforcement.
      • Minute Interval — If you select this value, enter the number of minutes between enforcement runs in the Interval box below.
      • Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run enforcement each day.
      • Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run enforcement.
    Run Indefinitely – Select to allow enforcement to run indefinitely, ignoring the End date.
    Interval: (number) – Set the number of units for the interval at which to run enforcement. By default, this is set to 10 minutes.
    Enforcement Frequency – Set the re-enforcement frequency in minutes.

