Deployment Configurations 4-17 Table 4–4 Action Rules Event State Entity Type Action Description No User Match Found User No Action Does not perform any action Create User Creates a user in Oracle Identity Manager No Account Match Found Account No Action Does not perform any action User Matched User or Account No Action Does not perform any action User Establish Link Modifies or deletes the matched user based on the change type Account Establish Link Owner identified - creates an account Users Matched User or Account No Action Does not perform any action Account Matched Account No Action Does not perform an action Establish Link Modifies or revokes the account based on the change type Accounts Matched No Action Does not perform any action No Role Match Found Role No Action Does not perform any action Single Role Match Found Role No Action Does not perform an action Establish Link Modify or delete a role Role Membership Create role membership Grant a role member to Oracle Identity Manager Delete role membership Delete a role member from Oracle Identity Manager No action Does not perform an action Role Hierarchy Create role hierarchy Creates a role hierarchy in Oracle Identity Manager Delete role hierarchy Delete a role hierarchy in Oracle Identity Manager No action Does not perform an action Multiple Roles Matched Role, Role membership and Role Hierarchy No action Does not perform an action No Role Grant Match Found Role Membership No Action Does not perform an action Create Role Member Creates a role member in Oracle Identity Manager Single Role Grant Match Found Role Membership No action Does not perform an action Establish Link Delete role member 4-18 Oracle Fusion Middleware Users Guide for Oracle Identity Manager

4.2.2.8 Reconciliation Best Practices

This section describes how to improve performance by identifying indexes that are required for connector tables and reconciliation tables. It contains the following topics: ■ Additional Indexes Requirement for Matching Module ■ Collecting Database Schema Statistics for Reconciliation Performance

4.2.2.8.1 Additional Indexes Requirement for Matching Module

When Oracle Identity Manager is installed, the necessary indexes are created in the Oracle Identity Manager database schema. However, there can be additional indexes required because of dynamic nature of some of the features in Oracle Identity Manager. This is especially true for reconciliation. Reconciliation uses matching algorithm to find if the useraccountroleorganization for which the change is requested is already existing in Oracle Identity Manager or not. The matching algorithm compares the data in set of columns in Oracle Identity Manager with the data in target horizontal table columns. The columns that contains the matching rules are defined in the reconciliation profile. To improve the performance of the matching operation quickly, there must be correct indexes created on the matching rule columns. To illustrate the recommended method of identifying the appropriate indexes, a sample Active Directory AD user profile present in the Meta Data Store MDS repository is taken as an example. In this example, trusted source as well as target resource reconciliation are covered. Multiple Role Grant Match Found Role Membership No action Does not perform an action Note: This state does not occur because the role grant match is done by looking for the primary key, which is a combination of the usr key and the group key. No Role Parent Match Found Role Hierarchy No Action Does not perform an action Create role parent Create a role parent in Oracle Identity Manager Single Role Parent Match Found Role Hierarchy No Action Does not perform an action Establish Link Delete role parent Multiple Role Parent Match Found Role Hierarchy No Action Does not perform an action Data Validation Failed Role, Role Hierarchy, Role Member Race condition Does not perform an action. The event needs to be re-evaluated. Parent role not found Role Hierarchy Race condition Does not perform an action. The event needs to be re-evaluated. Role member not found Role membership Race condition Does not perform an action. The event needs to be re-evaluated. Table 4–4 Cont. Action Rules Event State Entity Type Action Description Deployment Configurations 4-19 Selecting Indexes for Trusted Source Reconciliation To select indexes based on the matching rule criteria in trusted source and target resource reconciliation: 1. Open the AD user profile file in a text editor. 2. Search for ownerMatchingRuleWhereClause for all entities, as shown in the following figure with code sample: Here, the ownerMatchingRuleWhereClause is the following: ownerMatchingRuleWhereClause = UPPERUSR.USR_LOGIN=UPPERRA_ADUSER7.RECON_USERID5A729570 OR UPPERUSR.USR_UDF_OBGUID=UPPERRA_ADUSER7.RECON_OBJECTGUID 3. After identifying the columns constituting the matching rule in the user entity, create the indexes accordingly. Selecting Indexes for Target Resource Reconciliation To select indexes based on the matching rule criteria in target resource reconciliation: 1. Open the AD user profile file in a text editor.

2. Search for account search tag matchingruleWhereClause, as shown in the

following figure: Note: The AD user profile must be imported from the MDS by using the MDS utilities. See MDS Utilities and User Modifiable Metadata Files in the Oracle Fusion Middleware Developers Guide for Oracle Identity Manager for information about the MDS utilities. Note: ■ If any key field is defined in Oracle Identity Manager as case-insensitive, then a function-based index on that key field must be created. For example, if the connector code internally performs a search for the first name, assuming that FIRST_NAME is a key, then appropriate indexing must be done. ■ If multiple or composite keys are used for looking up a user, then choose between individual or composite indexes. Note: The AD user profile must be imported from the MDS by using the MDS utilities. See MDS Utilities and User Modifiable Metadata Files in the Oracle Fusion Middleware Developers Guide for Oracle Identity Manager for information about the MDS utilities.