Aliases, Maiden Names and Nicknames

You know, I've never really understood how nicknames are worked out.  It makes sense that Jon can be short for Jonathon.  But how do you get from John to Jack?  And from William to Bill?


Regardless of the mystifying linguistic antecedents, you can accommodate this state of affairs for user management with the combination of Oracle Internet Directory and the E-Business Suite.

Linking Apps Users with OID Users

If you've been following our series of articles on using Single Sign-On and Oracle Internet Directory 10g with the E-Business Suite, you know that we link user accounts in Oracle Internet Directory with their corresponding user accounts in the E-Business Suite, like this:

Link Apps Account to OID 2:

Every user in Oracle Internet Directory has a Global Unique Identifier (GUID).  The E-Business Suite stores this Global Unique Identifier in its own user directory (FND_USER), creating a unique link between the two accounts.

Using Different Names in Apps and OID

Since the users are linked by a numerical Global Unique Identifier, it doesn't matter if their actual userids in the two namespaces don't match exactly.  In addition to accommodating those mystifying nicknames, aliases, and maiden names, this is useful for integrating the E-Business Suite with LDAP directories with different userid naming conventions.

In the example above, the user's ID in Oracle Internet Directory is "john.smith", whereas his userid in Apps is "jsmith".  The user logs on to Single Sign-On using his "john.smith" userid and transparently passes through to Apps with responsibilities tied to his "jsmith" account. 

Assuming Multiple Identities

One of our largest E-Business Suite customers -- one of the world's largest multinationals -- has centralized their global business services.  In this business model, a single purchasing agent acts as the purchaser for different geographic organizations. 

Each of these different organizations has its own business setups, so separate user accounts have been created for each organization.  A given purchasing agent logs into the E-Business Suite using different accounts.

The brute-force approach to handling this is to require the purchasing agent to remember different passwords for each account.  A more elegant solution is to link his Oracle Internet Directory userid to each of the different Apps accounts, like this:

Link Multiple Apps Accounts:

Using this approach, the purchasing agent logs into Single Sign-On using his "john.smith" account.  One of the linked accounts is flagged as the default account, and he can easily switch to the other accounts without having to log out and back in again with a different userid.

Not in the Other Direction

This "one-to-many" link is fully supported with both Release 11i and 12.  In other words, you can link a single Oracle Internet Directory account to multiple Apps accounts.

"Many-to-one" links are not supported, however.  In other words, it's not possible to link multiple Oracle Internet Directory accounts with a single Apps account.
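
The following is an added example, not code from the original article or from Oracle: a review of which directory GUIDs are linked to more than one active Apps account, and which active accounts carry no GUID at all. It runs against a constructed SQLite stand-in for FND_USER; the column names USER_NAME, USER_GUID and END_DATE, the sample rows and the function names are assumptions of this sketch.

```python
import sqlite3
from collections import defaultdict

# Constructed sample rows (user_name, user_guid, end_date); GUIDs are made up.
# A NULL end_date means the account has not been end-dated.
SAMPLE_ROWS = [
    ("JSMITH",      "3F9A0C11D2E84B7A9C5E6D7F80A1B2C3", None),
    ("JSMITH_EMEA", "3F9A0C11D2E84B7A9C5E6D7F80A1B2C3", None),
    ("JSMITH_APAC", "3F9A0C11D2E84B7A9C5E6D7F80A1B2C3", None),
    ("MJONES",      "77B0E2A4C6D84F1E8A9B0C1D2E3F4A5B", None),
    ("OLDBUYER",    "77B0E2A4C6D84F1E8A9B0C1D2E3F4A5B", "2005-12-31"),
    ("SYSADMIN",    None, None),
]

# Only accounts that are not end-dated as of :today count as active.
ACTIVE = "(end_date IS NULL OR end_date > :today)"

def build_db(rows=SAMPLE_ROWS):
    """Create the in-memory stand-in table (assumed columns, not the real DDL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fnd_user ("
        "user_name TEXT PRIMARY KEY, user_guid TEXT, end_date TEXT)")
    conn.executemany("INSERT INTO fnd_user VALUES (?, ?, ?)", rows)
    return conn

def one_to_many_links(conn, today):
    """Map each GUID held by more than one active account to those accounts."""
    sql = f"""
        SELECT user_guid, user_name FROM fnd_user
        WHERE {ACTIVE}
          AND user_guid IN (
              SELECT user_guid FROM fnd_user
              WHERE user_guid IS NOT NULL AND {ACTIVE}
              GROUP BY user_guid HAVING COUNT(*) > 1)
        ORDER BY user_guid, user_name"""
    links = defaultdict(list)
    for guid, name in conn.execute(sql, {"today": today}):
        links[guid].append(name)
    return dict(links)

def local_users(conn, today):
    """Active accounts with no GUID, i.e. not linked to any directory entry."""
    sql = f"SELECT user_name FROM fnd_user WHERE user_guid IS NULL AND {ACTIVE} ORDER BY user_name"
    return [row[0] for row in conn.execute(sql, {"today": today})]
```

Each GUID that `one_to_many_links` returns is one directory login that reaches several Apps accounts, so the combined responsibilities of those accounts are what an access review should weigh for that person.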

Integration with Third-Party LDAP Directories

You might have a third-party LDAP whose userid naming conventions differ from your E-Business Suite environment.  If so, your best approach is to ensure that Oracle Internet Directory is populated with those third-party userids, like this:

Comments:

Atul,

Glad to hear that this will be useful to you.  It's possible for users to exist only in FND_USER and not Oracle Internet Directory:  these are called local users.  See the "Logging Into The E-Business Suite Directly" section in Password Management with Oracle Internet Directory, or Metalink Note 261914.1 for more details.

Regards,
Steven

Posted by Steven Chan on August 11, 2006 at 04:02 AM PDT #

Steven,
It's really useful to us. We are planning to implement E-Bizz integration with OID, which in turn is integrated with AD, with a simple one-to-one link. Apart from this we want some functional users to be only in FND_USERS and not in OID. I assume it's already there. This piece of information is quite useful to us.

Atul
http://becomeappsdba.blogspot.com

Posted by Atul on August 11, 2006 at 06:48 AM PDT #

Great info. Thanks Steven, and keep up the good work.
We had the plan for integrating AD and OID with Apps before, but we stopped it because of the lack of info and documentation. Now it seems much, much easier, so we will give it another thought.

thanks
fadi

Posted by Fadi Hasweh on August 12, 2006 at 06:36 PM PDT #

Hi Steven,
This is really good stuff! We currently have a project on the drawing board that will integrate Microsoft AD (with usernames like jsmith) to OID and then on to 11i (with usernames like JOHN.SMITH). We may end up changing our AD usernames, so it's nice to know that the functionality exists to use it both ways. We're also wanting to integrate Discoverer 10gR2 with OID and AD as well. Just imagine, single password for 11i and all of our other Oracle products and apps! What a dream.
Thanks for all the articles on this somewhat murky subject!

Mark

Posted by Mark on August 15, 2006 at 02:12 PM PDT #

Mark,

I'm glad to hear that this will be useful for your firm.  Please let me know how things work out for your implementation.

Regards,
Steven

Posted by Steven Chan on August 16, 2006 at 04:04 AM PDT #

Steve ,

It is the nice and long desired feature which is now available for making the product more enterprising and a giant step in providing the global solution in terms of usage of the system!! Great option?

I wonder, when we say "'One-to-many' link is fully supported with both Release 11i and 12", does this mean that every application of E-Business can use this feature?

We are in the process of implementing iStore with Siteminder (via SSO). iStore has a constraint of one user and one customer.
But the client has a very critical requirement of linking one SSO user to multiple iStore accounts?

Since you don't have any disclaimer on "one-to-many", I believe that this holds true for iStore too.

If your answer is yes ... tons of thanks in Advance.

Posted by Vikas Deep on February 28, 2007 at 12:24 PM PST #

Vikas,

"One-to-many" links are supported for Release 11i versions 11.5.8 and higher.  This feature is also supported for Release 12 version 12.0 and higher.

In both Release 11i and 12, iStore is a bit different than the rest of the E-Business Suite, in that it has its own front-end.  Unfortunately, I don't have enough familiarity with iStore to be able to comment definitively on how a "one-to-many" arrangement would work for that product.

Your best option for getting this question answered authoritatively would be to log a Service Request for iStore via Oracle Metalink.

Good luck with your investigation.

Regards,
Steven

Posted by Steven Chan on March 02, 2007 at 03:33 AM PST #

Hi Steven,

I have an EBS with an existing set of users. We are implementing SSO for our enterprise with OID as the Enterprise User Repository. OIM is used for provisioning users to OID and EBS. OAM is used to achieve SSO for all enterprise applications. Not all users in OID are part of EBS. What would be a viable roadmap for us to implement a solution for this if I want to provision the users to OID and EBS separately and link them on the fly? Can you please guide me with the GUID, user & pwd sync between OIM, OID and EBS.

Regards
Devi

Posted by Devi on November 20, 2008 at 12:39 PM PST #

Hi, Devi,

It is technically feasible to link EBS with OID. OID may be linked, in turn, with Oracle Identity Manager. It is also technically feasible to link EBS with OIM directly, as the latter has two different connectors for EBS.

You can determine the cardinality of the user provisioning for each of these segments separately. For example, you can configure your integration to push EBS users from EBS to OID (and vice versa).

This flexibility yields a large number of possible permutations, too many to discuss meaningfully here. Each of these permutations will have different operational and user management implications.

I would strongly recommend that you review your requirements with someone in our Oracle Consulting Security practice. I've passed your name on to the head of that Consulting team; he'll contact you directly.

Regards,
Steven

Posted by Steven Chan on November 24, 2008 at 06:32 AM PST #
