Wednesday Feb 04, 2015

OIM11gR2PS2: Disconnected System Resource status based on manual fulfillment outcome

When an OIM disconnected system application is provisioned to a user, a manual fulfillment activity is generated and can be viewed in the inbox. This task indicates that the fulfillment person has to complete the provisioning activity manually on the target system and mark the status in OIM. The task has two possible outcomes:

  1. Complete
  2. Reject  

While the activity is pending completion, the resource/account status is 'Provisioning'. The OIM account status is then set depending on the outcome from SOA.

  1. If the fulfillment person has completed the task and clicked 'Complete' in OIM, the resource status changes from 'Provisioning' to 'Provisioned'.
  2. If the fulfillment person decides to reject and clicks 'Reject' in OIM, the resource status remains 'Provisioning'. That status is not apt at this point. A meaningful status here could be 'Cancelled', 'Rejected' or 'Revoked'.

While OIM supports custom object statuses, it is a bit tricky to introduce a new status into the object life cycle. Hence, it is simpler to set the object status to 'Revoked' than to any other. The following section explains what has to be done to achieve this.

Notice that the OIM provisioning process definition of a disconnected system is auto-generated and includes the following tasks (it has many other tasks; the list shows only the ones we are interested in):

  1. ManualProvisioningStart
  2. ManualProvisiongEnd

The ManualProvisioningStart process task is invoked when the resource is provisioned to the user, as this is the process task marked as 'Required For Completion'. It invokes the SOA composite 'DisconnectedProvisioning' and creates a human task. The process task completes successfully and a manual task is left pending for approval. This doesn't have any impact on the resource/account status.

 When an action is taken on the pending human task, the process task ManualProvisiongEnd is triggered. This task is responsible for setting the object status. The OOB setting in the Responses of this process task is shown here:

On the 'Task to Object Status Mapping', the status 'X' is mapped to 'None' OOB. This has to be mapped to 'Revoked' for the object status to be set as 'Rejected' when the fulfillment person rejects the task. The following screenshot illustrates this configuration change:

This is a very simple change that doesn't require any downtime. Even if the manual fulfillment human task has an expiry setting, this approach works!

Thursday Mar 21, 2013

OIM11g R2: Reconciling a Disconnected System Account

Reconciliation of a disconnected system account is the same as reconciling a connected system account. The main difference lies in the source of reconciliation. In the case of a connected system, a connection is established with the actual target system and data is pulled into OIM, whereas in the case of a disconnected system, the data is made available to OIM using a CSV, a flat file or a database table. Reconciliation on both types of systems looks the same in the case of an initial load. Some implementations make data available externally during the initial load for all types of target systems.

In any type of system's reconciliation, including the IT Resource attribute among the RO attributes and in the recon data is mandatory. If this information (the IT Resource in the recon data) is missing when the reconciliation event is submitted, the reconciliation event is still created and linked successfully. The status on the recon event shows 'Creation Succeeded'. However, on navigating to the 'Accounts' tab or the 'My Access' tab, the resource is not shown. The reconciliation rules are evaluated and the event gets linked, but the resource doesn't appear on the user's resource profile. Yes, you read it correctly.

Also, when another recon event is created for the same account, the event shows 'Update Succeeded', but again no resource is seen in the user's resource profile.

The code snippet for submitting a simple recon event is here:

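import java.util.HashMap;
import java.util.Map;
import oracle.iam.reconciliation.api.EventAttributes;
import oracle.iam.reconciliation.api.ReconOperationsService;

// Assumed context: client is an authenticated OIMClient and
// RESOURCE_OBJECT holds the name of the resource object.
ReconOperationsService reconOp = client.getService(ReconOperationsService.class);
System.out.println("reconOp=" + reconOp);

// Reconciliation data, keyed by reconciliation field name
Map<String, Object> roDataMap = new HashMap<String, Object>();
roDataMap.put("User Name", "name");
roDataMap.put("Email", "name@xyz.com");
roDataMap.put("IT Resource", "ITR"); // This is most important

try {
    // Mark the event as finished so that it can be processed right away
    EventAttributes ea = new EventAttributes();
    ea.setEventFinished(true);

    // Create the reconciliation event, then process it
    long eventKey = reconOp.createReconciliationEvent(RESOURCE_OBJECT, roDataMap, ea);
    reconOp.processReconciliationEvent(eventKey);
    System.out.println("eventKey=" + eventKey);
} catch (Exception e) {
    e.printStackTrace();
}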
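
Because a missing IT Resource still yields 'Creation Succeeded', the gap is easier to catch before the event is submitted. The following is an added example, not code from the original post or from OIM: it checks flat-file rows for a missing or blank IT Resource so that only complete rows are turned into a roDataMap. The class name, the REQUIRED list, the naive comma splitting and the sample rows are assumptions made for illustration.

```java
import java.util.*;

public class ReconRowCheck {
    // Attribute names follow the snippet above; treating these two as required is an assumption.
    static final List<String> REQUIRED = List.of("User Name", "IT Resource");

    /** Parses a header-plus-rows CSV (no quoted commas) into one map per data row. */
    static List<Map<String, Object>> parse(String csv) {
        String[] lines = csv.strip().split("\\R");
        String[] header = lines[0].split(",", -1);
        List<Map<String, Object>> rows = new ArrayList<>();
        for (int i = 1; i < lines.length; i++) {
            String[] cells = lines[i].split(",", -1);
            Map<String, Object> row = new LinkedHashMap<>();
            for (int c = 0; c < header.length; c++) {
                // A short row leaves its trailing columns empty instead of failing
                row.put(header[c].trim(), c < cells.length ? cells[c].trim() : "");
            }
            rows.add(row);
        }
        return rows;
    }

    /** Returns the required attributes that are absent or blank in a row. */
    static List<String> missing(Map<String, Object> row) {
        List<String> out = new ArrayList<>();
        for (String key : REQUIRED) {
            Object v = row.get(key);
            if (v == null || v.toString().isBlank()) out.add(key);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: row 2 has a blank IT Resource, row 3 omits the cell.
        String csv = "User Name,Email,IT Resource\n"
                   + "jdoe,jdoe@xyz.com,ITR\n"
                   + "asmith,asmith@xyz.com,\n"
                   + "bkhan,bkhan@xyz.com\n";
        List<Map<String, Object>> rows = parse(csv);
        for (int i = 0; i < rows.size(); i++) {
            List<String> gaps = missing(rows.get(i));
            System.out.println("row " + (i + 1) + ": "
                + (gaps.isEmpty() ? "ok, submit as roDataMap" : "skip, missing " + gaps));
        }
    }
}
```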

About

OIM11gR2 Blog by NA-TAG Offshore IDAM team
