Discusses tips, tricks, revelations, and other items as we work to implement Oracle Identity Manager 11g to handle our provisioning and account management.
Thursday, October 21, 2010
Bundle Patch 1 for OIM 11.1.1.3 is now Available
The first bundle patch for OIM 11.1.1.3 has been released on My Oracle Support. It has quite a number of fixes listed.
Thursday, October 7, 2010
Entity Adapters on the USR Data Form
Just received word from Oracle that Entity Adapters/Rule Generators in OIM 11g are no longer usable on the USR form; you must create these using the new EventHandler mechanism.
Wednesday, October 6, 2010
Trusted Reconciliations
There have been some important changes in the Trusted Reconciliation processes for bringing in new accounts/changed accounts from some system of record such as an HR system using the Generic Technology Connector or custom reconciliation connectors.
The default mechanism for reconciliations is now a batched reconciliation. This processes many changed records much faster than before but also has some limitations. If you were previously using pre-insert or pre-update entity adapters, these will NOT fire in a batched reconciliation. The GTC in trusted reconciliation uses the batched mode exclusively and I have not yet identified a way to switch it to one-off events. This is important because if you use pre adapters to calculate or modify certain values on the User form, such as login, email address, expiration dates, etc., they won't trigger. You either have to switch these to a post operation, which may cause a potential infinite loop condition, or avoid batched mode.
If you use the APIs and/or a connector that creates reconciliation records, then you have the ability to use a non-batched operation. In this mode, the pre entity adapters DO fire. Additionally, pre adapters DO trigger on manual operations through the UI. In order to force a non-batched recon event, you must call the API method processReconciliationEvent after creating and/or finishing your event.
As in:
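tcReconciliationOperationsIntf reconObj = Platform.getService(Thor.API.Operations.tcReconciliationOperationsIntf.class);
// attributes is the HashMap of reconciliation attributes; true marks the event as finished on creation
long rceKey = reconObj.createReconciliationEvent("Resource Object Name", attributes, true);
// Process this one event immediately instead of leaving it for the batch
reconObj.processReconciliationEvent(rceKey);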
UPDATE:
You also need to close the event with a:
reconObj.closeReconciliationEvent(rceKey);
or the batch will attempt to redo the linking when it executes. This will cause a failed orchestration task to linger out there.
In the next post, I'll give a concrete example of how to do a pre-modify EventHandler to compute some attributes.
Changes in Reconciliations
OIM 11g has brought many changes in the reconciliation engine. Many of the changes are to improve performance and streamline the recon process. For those of us familiar with or using OIM 9.1, some of these changes will require some thought as to how to migrate processes over. I will be detailing some of the differences and how we have tackled them in the next few posts.