Connecting to Oracle
EmpowerID includes an Oracle connector that allows organizations to bring the user data (user accounts, profiles and roles) in their Oracle system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories Oracle, it creates an account in the EmpowerID Identity Warehouse for each Oracle user, a group for each Oracle profile, and an EmpowerID Business Role for each Oracle role.
The Oracle connector allows organizations to bring the user data in their Oracle system to EmpowerID, where you can manage and synchronize it with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:
This topic demonstrates how to connect EmpowerID to Oracle.
Before configuring EmpowerID to manage the account store, determine whether you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, answer the following questions before turning on inventory.
For a greater discussion of these points within the context of connecting EmpowerID to an account store, see Active Directory.
On the Oracle Settings page that appears, enter the connection settings for your Oracle instance so that EmpowerID can discover and connect to it.
Click Submit.
In the edit view of the page, you can edit values in any of the enabled fields on several tabs as detailed in the tables below. Do not enable inventory until the end.
If you do not want all of the users and groups found during inventory to go in the same location in EmpowerID, we recommend Mapping EmpowerID Locations to External Locations before enabling inventory.
When you have finished editing, click Save.
Clicking the Save button on any of the tabs saves any changed settings on all of the tabs, so there is no need to save after each tab.
Setting | Description |
---|---|
Option 1 Specify an Account Proxy | Click Edit to change the Domain (Server), User Name, and Password that were entered when the account store was created. |
Option 2 Select a Vaulted Credential as Account Proxy | Click the drop-down arrow to select a vaulted credential to use as the account proxy. |
Inventoried Directory Server | Click the drop-down arrow to select from any connected Oracle servers. |
Setting | Description |
---|---|
Password Manager Policy for Accounts without Person | Select a password manager policy to use for the account. If not selected, it uses the Default Password Manager Policy. |
Setting | Description |
---|---|
Allow Attribute Flow | Toggle to allow attribute changes to flow between EmpowerID and the account store. |
Allow Provisioning (By RET) | Toggle to allow EmpowerID to create users in the system that were created in EmpowerID. |
Allow Deprovisioning (By RET) | Toggle to allow EmpowerID to delete users in the system that were deleted in EmpowerID. |
Default User Creation Path | Select an external location in which to create users when they are provisioned in EmpowerID. |
Default Group Creation Path | Select an external location in which to create groups when they are created in EmpowerID. |
Max Accounts per Person | Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommend setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person. |
Default Person Business Role | Select a default Business Role to assign provisioned people if none is specified. |
Default Person Location | Select a default Location to assign provisioned people if none is specified. |
Setting | Description |
---|---|
RBAC Assign Group Members On First Inventory | This setting only pertains to Active Directory account stores. |
Automatically Join Account to a Person On Inventory (Skip Account Inbox) | Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure. |
Automatically Create a Person On Inventory (Skip Account Inbox) | Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure. |
Show in Tree | Toggle to show the account store in the Locations tree. |
Queue Password Changes on Failure | Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails. |
Use Secure LDAPS Binding | Toggle to bind accounts with encryption. |
Setting | Description |
---|---|
Application ID | If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.) |
Tenant ID | Enter the Tenant ID, if supplied by the connection account. (AWS uses this.) |
Inventory Tab
The Inventory tab is where you set scheduling and enable EmpowerID to take inventory of the external system. If you do not want all of the users and groups found during inventory to go in the same location in EmpowerID, we recommend Mapping EmpowerID Locations to External Locations before enabling inventory.
Membership Tab
Group membership reconciliation is enabled by default to run every ten minutes, indefinitely.
Projection Tab
The Projection tab is where you set scheduling and enable EmpowerID to sync resource role group membership with the account store.
Rights Inventory Tab
The Rights Inventory tab is where you set scheduling and enable EmpowerID to take inventory of rights in the native system.
Enforcement Tab