Oracle RDBMS


General information

Oracle connector provides an ability to get user data and user permissions from Oracle RDBMS system and provision data to Oracle RDBMS. The operations that could be performed by using OpenIAM are - create, modify, enable, disable, end date user, add or remove profile/priveleges/roles/table spaces etc of user.

Installation and connection to OpenIAM

In an RPM installation please use the general startup script to start the connector. Dockerized deployment version is also available for the connector.

General usage

Connector settings

configure additional fields (Left menu → Connector Configuration): alt text alt text alt text

Managed system settings

Login Id: OracleConnectorUser Password: \<password> JDBC driver: oracle.jdbc.driver.OracleDriver Connection String: jdbc:oracle:thin:@oracle_host:port/sid Search filter for User: USERNAME=? Search filter for Group: Role=? Search filters must have char "?" which will be replaced by principal name to find the object. Filter is used in reconciliations as well.

Steps to be performed on Oracle DB side

Create a service account in Oracle using following script:

create user OracleConnectorUser identified by passwd00;
grant resource, connect, dba, create session, UNLIMITED TABLESPACE to OracleConnectorUser;
alter user OracleConnectorUser default role all profile default;

Synchronization

Instruction how to set up synchronization is provided in a separate document. OpenIAM provides out of the box sync configurations and groovy scripts.

Example of query:

    • select all records; USERNAME=Jons% - select by user name (will use where USERNAME like ('Jons%') = "Start with") You can concat some filters like : USERNAME=Jons%;ACCOUNT_STATUS=OPEN where ";" = "AND" List of fields for filtering : USERNAME ACCOUNT

Oracle scripts behind the scenes

Oracle SQL used in the connector CREATE NEW USER: CREATE USER \<user_name> IDENTIFIED BY \<password> DEFAULT TABLESPACE \<default_tablespace> TEMPORARY TABLESPACE \<temporary_tablespace> COUNT \<account_status>; ALTER USER \<user_name> DEFAULT ROLE \<default_roles>; GRANT \<roles>,\<privileges>

MODIFY USER : ALTER USER \<user_name> DEFAULT TABLESPACE \<default_tablespace> TEMPORARY TABLESPACE \<temporary_tablespace> PROFILE \<profile> ACCOUNT \<account_status>; ALTER USER \<user_name> DEFAULT ROLE \<default_roles>; GRANT \<roles>,\<privileges>;

Additional information

Selected fields on search user:

SELECT * FROM DBA_USERS WHERE USERNAME='TEST_ORACLECONNECTORUSER';

Privileges from Oracle:

SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE='TEST_ORACLECONNECTORUSER';

Roles from Oracle:

SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE='TEST_ORACLECONNECTORUSER';

SQL query will be performed to pull users:

SELECT * FROM DBA_USERS WHERE USERNAME='TEST_ORACLECONNECTORUSER';

To include privileges from Oracle add in /sync/user/oracle/UserSyncAttributes.groovy "privileges" then following SQL will be performed:

SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE='TEST_ORACLECONNECTORUSER';

To include role from Oracle add in /sync/user/oracle/UserSyncAttributes.groovy "roles" then following SQL will be performed:

SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE='TEST_ORACLECONNECTORUSER';

Make sure service account you are using has permissions to perform SQL mentioned above

Connector Troubleshooting and Tips

Connector troubleshooting could be done by raising logging level to DEBUG mode (-Dlogging.level.org.openiam=DEBUG)