
Connecting to Oracle

EmpowerID includes an Oracle connector that allows organizations to bring the user data (user accounts, profiles and roles) in their Oracle system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories Oracle, it creates an account in the EmpowerID Identity Warehouse for each Oracle user, a group for each Oracle profile, and an EmpowerID Business Role for each Oracle role.

Once connected, you can manage this data from EmpowerID in the following ways:

  • Provision new users
  • Edit user attributes
  • Delete users

This topic demonstrates how to connect EmpowerID to Oracle.

To create an account store for Oracle via the web site

  1. In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. Click the Actions tab, and then click the Create Account Store action.


  3. Search for and select Oracle Users from the list of system types and click Submit.


  4. On the Oracle Settings page that appears, enter the settings that allow EmpowerID to discover and connect to your Oracle instance.


    1. In the Name and Display Name fields, enter a name for the account store.
    2. In the User Name field, enter the user name of an Oracle administrator.
    3. In the Password field, enter the Oracle admin's password.
    4. In the Server field, enter the FQDN or IP address of the Oracle system's server.
    5. In the Database field, enter the name of the Oracle database.
    6. Click Submit.

  5. The Account Store and associated Resource System are created and appear in both the web application and in the Management Console.

To edit account store settings on the web

  1. In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. On the Account Stores tab, search for the account store you just created and click the link to go to its details page.


  3. On the Account Store Details page, click the Edit button or the name of the account store.


  4. In the edit view of the page, you can edit values in any of the enabled fields. In the General section, these are:
    • Display Name – Edit the name of the account store as it appears in the list of account stores.
    • Proxy Connection Account – Change the instance, user name, and password for the Oracle connection.
    • Account Store Proxy Shared Credential – Click in this box and press Enter to see a list of shared credentials in your system to use for the proxy connection.
    • Password Manager Policy – Select a password manager policy to use for the account. If not selected, it uses the Default Password Manager Policy.
    • Application ID – If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.)
    • Tenant ID – Enter the Tenant ID, if supplied by the connection account. (AWS uses this.)
    • Use Secure Binding – Toggle to bind accounts with encryption.
    • Show in Tree – Toggle to show the account store in the Locations tree.
    • Default User Creation Path – Select a location in which to create users if none is specified.
    • Default Group Creation Path – Select a location in which to create groups if none is specified.
    • EmpowerID Group Creation Path – Select a location in which to create EmpowerID groups if none is specified.
    • Max Accounts per Person – Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommend setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person.


  5. In the Features section, you can select any of these values:
    • Use for Authentication – 
    • Allow Search for User Name in Authentication – 
    • Allow Password Sync – Toggle to allow EmpowerID to sync password changes discovered during inventory.
    • Queue Password Changes – Toggle to have EmpowerID send password changes to the Account Password Reset Inbox for batch processing.
    • Queue Password Changes on Failure – Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails.
    • Allow Account Creation on Membership Request – Toggle to allow users without accounts to request group membership and automatically have an account created.
    • Batch Calls – 
    • Allow Attribute Flow – Toggle to allow attribute changes to flow between EmpowerID and the account store.
    • Allow Person Provisioning – Toggle to allow EmpowerID to create Person objects from the user records discovered during inventory.
    • Allow Provisioning – Toggle to allow EmpowerID to create new Groups in Oracle from requests discovered during inventory.
    • Allow Deprovisioning – Toggle to allow EmpowerID to delete Groups in Oracle based on requests discovered during inventory.
    • Automatic Person Join – Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
    • Automatic Person Provision – Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
    • Default Provision Business Role – Set a default Business Role to assign people if none is specified.
    • Default Provision Location – Set a default Location to assign people if none is specified.
    • Allow Business Role and Location Re-Evaluation – Toggle if you have multiple account stores to manage and want to specify a priority for each.
    • Business Role and Location Re-Evaluation Order – Enter a number to specify the priority of the account store for determining the Business Roles and Locations to assign to a Person. Account Stores with a higher value take precedence.
    • Recertify All Group Changes – Toggle to allow EmpowerID to generate recertification review tasks for all changes in Oracle Groups.


  6. When you have finished editing, click Save.


To connect EmpowerID to your Oracle system

  1. Log in to the EmpowerID Management Console as an administrator.
  2. From the EmpowerID Management Console, click the EmpowerID icon, and select Configuration Manager from the menu.
  3. In Configuration Manager, select the Account Stores node and then click the Add New button above the grid.
  4. In the Add New Security Boundary window that opens, select the Oracle Users Security Boundary type from the drop-down list and then click OK.
  5. In the Account Store Details window that appears, do the following:
    1. Type a name for the Account Store in the Account Store Name field.
    2. Type the name of an admin user in the User Name field.
    3. Type the password for the above admin user in the Password field.
    4. Type the FQDN or IP address of the server hosting the Oracle system.
    5. Type the name of the Oracle database in the Database field.
    6. Click Save.
  6. Back in the main screen of Configuration Manager, search for the account store you just created and then double-click it or right-click it and select Edit from the context menu.




    This opens the Account Store Details screen for the Oracle connector. The use of this screen is discussed in the next section.


To configure the Oracle account store

The Account Store Details screen contains three panes that are relevant to the Oracle connector--the General pane, the Inventory pane, and the Group Membership Reconciliation pane. To view reference information about a particular pane, expand the drop-down for that pane.


Before configuring EmpowerID to manage the account store, determine whether you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, answer the following questions before turning on inventory.

  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?

For a greater discussion of these points within the context of connecting EmpowerID to an account store, see Active Directory.
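
Questions 3 and 4 can be answered against an export of the Oracle users before inventory is enabled. The following is an added example, not EmpowerID code: a simplified model of joining accounts on one attribute, showing what a Max Accounts per Person cap would hold back. The account rows, the `email` join attribute and the function name are constructed for illustration; the real Join rule lives in the Custom_Account_InventoryInboxJoinBulk stored procedure.

```python
from collections import defaultdict

# Constructed sample rows, standing in for an export of Oracle user accounts.
SAMPLE_ACCOUNTS = [
    {"user": "JSMITH", "email": "jsmith@example.com"},
    {"user": "JSMITH_ADM", "email": "JSmith@example.com"},
    {"user": "MLEE", "email": "mlee@example.com"},
    {"user": "SVC_BACKUP", "email": ""},
    {"user": "SVC_REPORTS", "email": ""},
    {"user": "SVC_ETL", "email": None},
]


def dry_run_join(accounts, key, max_per_person=1, match_empty=False):
    """Model a join on `key` and report what a per-person cap would allow.

    match_empty=True models a wrongly configured rule that treats blank
    values as equal, so every account lacking the attribute lands on one
    person.
    """
    groups = defaultdict(list)
    unmatched = []
    for acct in accounts:
        value = (acct.get(key) or "").strip().lower()
        if value or match_empty:
            groups[value].append(acct["user"])
        else:
            unmatched.append(acct["user"])

    joined, over_cap = {}, {}
    for value, users in groups.items():
        users.sort()
        joined[value] = users[:max_per_person]
        if len(users) > max_per_person:
            over_cap[value] = users[max_per_person:]
    return {"joined": joined, "over_cap": over_cap, "unmatched": unmatched}


if __name__ == "__main__":
    for cap in (1, 2):
        result = dry_run_join(SAMPLE_ACCOUNTS, "email", max_per_person=cap)
        print(f"cap={cap} over_cap={result['over_cap']} "
              f"unmatched={result['unmatched']}")
    bad = dry_run_join(SAMPLE_ACCOUNTS, "email", match_empty=True)
    print("blank-matching rule, cap=1:", bad["over_cap"])
```

A non-empty `over_cap` on realistic data means either the cap is too low for how people actually hold accounts, or the join attribute is not unique enough to be used as a Join rule.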


  1. From the General pane of the Account Store Details screen, enable each desired feature by toggling the icon to the right of each feature from a red sphere to a green check box. For example, if you want EmpowerID to provision an EmpowerID Person for each Oracle user, toggle the red sphere to the right of Allow Person Provisioning to a green check box.



  2. In the Inventory pane of the Account Store Details screen for the account store, toggle the icon to the right of the Allow Automatic Person Provision On Inventory setting from a red sphere to a green check box if you enabled Allow Person Provisioning in the General pane and you want EmpowerID to automatically create a linked EmpowerID Person object for each new, unique Oracle user discovered during the inventory process.



  3. If you are allowing automatic person provision on inventory, click the Edit button to the right of Business Role for New Inventory Provision and select an appropriate Business Role for each new Person provisioned during inventory.



  4. Click OK to close the Business Role Selector.
  5. If you are allowing automatic person provision on inventory, click the Edit button to the right of Location For New Inventory Provision and select an appropriate Location for each Person EmpowerID provisions during inventory.



  6. Click OK to close the Location Selector.
  7. To begin inventory, click the red sphere to the left of Enable Inventory so that the red sphere becomes a green check box.



  8. After several minutes, refresh the Account Store data by pressing the Refresh Data button located at the top of the Account Store Details screen to see that EmpowerID has inventoried the Oracle user accounts and provisioned the requisite number of EmpowerID Persons for those accounts (if you selected the provisioning options discussed above).


