Nesting of Rules for Auto Group (Role) Membership Rules in OIM 11gR2
Does anyone know how to nest rules for auto group (role) membership in OIM 11gR2. The General rules in Design Console are no longer used for auto group membership and the rules that can be configured in the Role properties cannot be nested as far as I can see.
Any info is appreciated.
Thanks!
My mistake... this is possible in the web ui.
Similar Messages
-
Issue in evaluation of Role Membership Rule in gtc trusted recon.
Hi All,
I got a issue in evaluation of role membership in gtc trusted recon.
i created a custom UDF in user profile.i am updating that field from gtc trusted recon.
i created a rule based on that custom UDF.But that is not triggering while we run the gtc trusted recon.users are coming to oim from database .but rule is not evaluating.
if we manually create any user rule is evaluating.role is assingning .
how to solve this problem.it is very urgent for me.
thanks in advance.
-Hanumanhi bikash,
i am using oim 11.1.1.5 version.
Access policy is triggering if role is assigned to the user ,when i directly create the user in oim, instead of gtc trusted recon.
that udf field is mobile status.it is custom udf .
Thanks & Regards,
Hanuman. T -
Copa derivation rule for customer group
Hi All,
I am currently facing an issue with Derivation rule and hope someone can help me on resolving this.I have created a COPA derivation rule which has field as
Source Field
company code
Plant
Target field
Distribution channel
Condition
customer group 3 = 18.
so ideally with this conbination the distribtion channel gets updated
for the sales order.
However the issue we are facing is that the rule is working for only 1st line item and not for the others. I have also kept setting as" overwrite values only if new values found"
e.g if we see the accounting doc of billing then
line item 1 customer: x
line item 2 SaLes GL: rule works fine and dist channel is updated.
line item 3 discount GL: rule does not work.
Have checked the derivation rule and it looks correct.
Can you kindly suggest solution to this.Hi Ajay,
Thank you so much for your reply.Please note that the GL is a cost element but the category in system is 1 and not 12.However I would like understand as to why is this happening.why does the system picks up derviation rule for a Gross sales GL and not for Discount GL(Cost element).
The distribution channel gets updated for sales GL when i check the prof segment of the line item, however this is not the case with doscount GL.
I would like to understnad the implication before changing cost element category from 1 to 12 as it runs across system.
Kindly provide some more explaination.
thanks in advance. -
Role membership rule not working
Hi guys,
When I create a role and assign 'membership rule' to it, the members are shown in preview screen.
But they are not show up in members screen of that role.
My environment is 11gR2 SP1.
It is working nicely in 11gR2 base. But from some bundle pack and after, it is not working.
1. is it right?
2. if then, why is it changed?
3. and how shoul I assign members to role?
(as a workaround I modified the memner arrtibute. => not working
and restart OIM, => still not working
and reboot the server.> still not working...)
can anyone help this?
regards,
dongsuJ,
It has been a critical issue in real customer project this year.
Certainly we informed it to local oracle team and they says it is intentional change and we have to accept it.
(means create role first and read in users by trusted recon from source again.. bra bra..)
But I do not get any documented information about it.
Actually in BP4 (may be..) if I change any attribute value of that user who supposed to belongs to that role, then it works.
But in BP7 and now in PS1, even that approach do not working. -
Personalization (Cross-Selling Rules for Target Group) in E-commerce
Hi,
Could any one suggest solution for the query...
Scenario: Personalized Cross-Selling for Target Group in a Webshop (E-Commerce-B2B Occasional User Scenario). The Cross Selling is to
appear only for Target Group, but the system is prompting the Cross Selling
Rule for both Target Group aswell Global. The Config details are below
mentioned.
1. In Method Schema (11) we maintained Cross Selling Methods for Global as well
as Target Group.
(CRM_MKTPR_PP_CS_GL_READ & CRM_MKTPR_PP_CS_TG_READ).
(I did remove Global Method for testing, but still it is appearing for Global
Target Group)
2. Created Cross Selling rules in CRM for Target Group Target Group & is
Activated.
3. Target Group Modeling done in Segment Builder.
4. Target Group Assignment done in the webshop.
5. Application Administration related tasks (clearing done).
6. Product Catalog Updated Replication is done aswell.
7. Simulation of Product Proposal is done using program
"CRM_MKTPR_PRODUCT_PROPOSAL"
Please suggest me if I miss anything to recommed Cross-Selling rules only to the Target Group.
Thanks in Advance,
D u r g a r a oCartweaver
http://www.cartweaver.com/
Web Assist Power Store
http://www.webassist.com/support/ecommerce-options.php
Nancy O.
Alt-Web Design & Publishing
Web | Graphics | Print | Media Specialists
http://alt-web.com/
http://twitter.com/altweb -
Rules for AD Groups mapping with ECC roles in GRC
Hi All,
I'm actually looking at an option to define the Rules in GRC where i can map AD (LDAP) groups to ECC roles. Is it possible? Could you please let me know if i can achieve this with Rule Architect in GRC 5.3 OR by any other mean.
Regards
- VGurus,
Any thoughts on this?
Regards
Vaib -
WLS: more fine granularity for User, Groups, Roles
Hi All,
in order to organize different user, groups in WLS, I need to use/define more condition/attributes than standard WLS User and Groups.
The Oracle WLS concept and OPSS is clear to me and I need some samples or practical cases.
- Oracle Fusion Middleware 11.1.1.5, Security Guides http://docs.oracle.com/cd/E21764_01/security.htm
- Oracle® Fusion Middleware Understanding Security for Oracle WebLogic Server 11g Release 1 (10.3.5) http://docs.oracle.com/cd/E21764_01/web.1111/e13710/toc.htm
- Oracle® Fusion Middleware Securing Oracle WebLogic Server http://docs.oracle.com/cd/E21764_01/web.1111/e13707/toc.htm
- Oracle Platform Security Services 11gR1 (White Paper)
http://www.oracle.com/technetwork/middleware/id-mgmt/opss-tech-wp-131775.pdf
Any idea?
Regards,
MohHello Suman,
Try avoid denial based security rights assignment instead you can specify the unspecifed. As Greg said
Denied + Granted = Denied
Denied + Not Specified = Denied
Granted + Not Specified = Granted.
You should not deny rights for HR End User usergroup, Instead make them as unspecified. If you do so the whenever the user part of both the groups , your security rights aggregation would be
Granted + Not Specified = Granted.
Make sure you follow the approach as above. You can refer the blog below for how to structure the folder, report and User group hierarchy and effective maintenance of security
BusinessObjects Administration - Content Management Plan
Regards
Mani -
Complex expression rules for customizable groups not working
Hello Community,
we have recently installed Cisco Prime 4.1 (running on Windows server 2008 R2 Standard - 64bit Operating System).
Our main buildings are connected via Gigabit Interfaces, so I wanted to change the threshold in Fault Monitor only for those devices and those interfaces, to be something different than the default value (40%).
My regular expression is this:
(Interfaces.SystemName contains "Sw-AM-C6509" AND
Interfaces.Description contains "GigabitEthernet9/23") OR
(Interfaces.SystemName contains "Sw-KK-C6509" AND
Interfaces.Description contains "GigabitEthernet1/23") OR
(Interfaces.SystemName contains "Sw-MK-C6509" AND
Interfaces.Description contains "GigabitEthernet1/23")
When I try to "Check Syntax" I get an error message:
You have entered an invalid rule. Enter a valid rule. See the
Help
for examples of valid rules
I also found the following thread "https://supportforums.cisco.com/message/646043#646043" that provided an example, but I got the same error message, when I tried to run the example.
In my regular expression if I only type:
Interfaces.SystemName contains "Sw-AM-C6509" AND Interfaces.Description contains "GigabitEthernet9/23"
without any brackets and the like it seems to pass the syntax check.
Any help will be highly appreciated!
Thanks in advance,
KaterinaHello Community,
https://supportforums.cisco.com/message/646043#646043 mentions a bug that should have been removed on LMS2.6 but was still persistent. It states that:
when defining complex rules you have to use the complete Object ID (this info is available in the User Guide but wasn't described in DFM On-line help), which is different for each application.
:Campus:OGS:Device
:DFM:VASA:DFMObject
:CMF:DCR:Device
:RME:INVENTORY:Device
I would have thought that if this was actually a bug it should have been removed in the newest version of LMS4.1, but from what I understand it must still be there. I couldn't find anything relevent in the Administration of Cisco Prime LMS 4.1 document.
In order to fix my problem I used the following syntax, which seems to pass the syntax check.
:DFM:VASA:DFMObject:Interfaces.SystemName contains "6509" AND
(:DFM:VASA:DFMObject:Interfaces.Description contains "1/23" OR
:DFM:VASA:DFMObject:Interfaces.Description contains "9/23")
It does get the job done, but this isn't exactly what I wanted.
I hope that someone can update this post and verify that this is the correct way to go.
Katerina -
Counting Rule for employee Group
Dear Experts,
I want to make new counting rule like If Employee takes Casual Leave on Friday and on Monday he do Sick Leave that Saturday and Sunday Should be treated as Earned Leaves. Saturday and sunday should be deducted from earned leaves.
REgards
Jazib TariqDear Jazib,
Please look into this
http://help.sap.com/saphelp_46c/helpdata/EN/c1/d32fe48435d111950d0060b03c6b76/content.htm
Regards
Qazi Raheel -
Applescript rule for auto-archiving Apple Mail 3.0?
In Tiger, I used an Applescript rule that someone had wrote which automatically moved all incoming mail that wasn't junk, into an, 'ON MY MAC Mailbox', named 'Inbox Archive', and all sent emails into an 'ON MY MAC Mailbox' called 'Sent Archive'
This was a great way to keep my inbox clean, while always having an archive of all emails I've sent & received.
The script doesn't work in Leopard, and causes Mail to crash. Unfortunately I no longer have the author's contact info, and don't know of as easy & clean a method to keep an archive. I'm not interested in a 3rd party app. Does anyone know if Mail 3.0 has an Archive feature? Or anyone who can Applescript such a rule?
Thanks!Thanks TexasZeus. Unfortunately his Mail Scripts aren't Leopard ready, but the link does help expand my resources, so thank you!
http://homepage.mac.com/aamann/Mail_Scripts.html -
Setup vacation rules for group in workflow.
hi,
somebody please guide me to setup vacation rules for a group.And reassign a user's role to a group when the user is on vacation in Workflow.
thanks
JamrasJob,
Put your issue with workflow forum or Apps forum http://forums.oracle.com/forums/forum.jspa?forumID=40
--Shiv -
OIM Reports for BIP Role Membership
The OIM BP04 Reports for BIP, the Role Membership report description states:
"This report will display membership details of all the roles. The report will not show indirect memberships. Security model is not implemented in this report."
Looks like the data model deliberately excluded indirect roles (or child tabled roles) from the Lookup.DBUM.Oracle.Roles (same for the Privileges Reports).
Can anyone guide me through editing the Role Membership data model to INCLUDE the roles from the lookup table?
I believe the Lookup.DBUM.Oracle.Roles have to get associated to the users recon'd from the DBUM Trusted Recon from the DBA_Users table first.
Thanks for looking.The BP04 OIM roles reports targets OIM roles, not oracle or ad roles.
To achieve those views, custom BIP reports that query the respective OIM tables where the AD and Oracle data exist are required.
Thanks for looking. -
How to create the roles and rule
i buddies,
here i have small requirement, but i am confusing to do that as i am new to OIM. my requirement is
1) i have to create 2 roles named a and b.
2)then i have to create one rule which states that these two roles can'be the same in that organization.
3)after that i have to create one user and i have to assign the first role i.e a.
4)if i assign the second role ie b to the same user , it should not allow me.
to accomplish this task what is the work flow i have to create ? please tell me the steps...
Thanks
BaluFirst create 2 user groups called Group A and Group B.
Create the group membership rules for A and B which will instruct oim to evaluate group membership rules when a user is created in OIM.
for example: If user's cost center (on the user form) is "AAA" then he should be assigned to Group A. this will be your group membership rule for group A
Then for constrcuting the group membership rule for Group B you can say,
if user's cost center !="AAA". This will ensure that any single user in the system will not be a part of both groups at any given time, depending upon this attribute called cost center.
you can then define access poclicies on the groups/roles which is used to auto-provision resources for any member of that role/group. -
Execution of membership rules during creation event in OIM
Hi,
I have a question regarding the execution sequence of a role membership rule/s. As noted in the section "Orchestration Concepts" of the Oracle 11gR1 Developer's Guide (http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/oper.htm#CCHJHFGE), there are 6 Orchestration stages:
1. Validation: Stage to perform validation on the orchestration, such as validity of orchestration parameters. Orchestration parameter is the data that is required to carry out the orchestration operation.
2. Preprocess: Stage to perform orchestration parameter manipulations or get approvals or perform Segregation of Duties (SoD) checks.
3. Action: Stage in which the action takes place.
4. Audit: Stage in which the auditing of operation is performed.
5. Postprocess: Stage in which consequent operations related to the current operation takes place. Examples of consequent operations are auto role membership and policy evaluation on a user creation.
6. Finalization: Last stage in the process to perform any clean up.
The question is: If a role membership rule has been set up so that a user will be assigned a role if a particular user attribute is set during the preprocess or postprocess stage, when is the actual execution of the membership rule performed? i.e. in which orchestration stage is the role membership rule executed?
regards,
Evangelo
Edited by: 953049 on 25-Sep-2012 22:04Custom Preprocess handler doesn't work in 11g. Are you sure? The documentation only states that it will not work for trusted reconciliation (from Oracle support article ID 1262803.1 - OIM11g: Sample Code For A Custom Event Handler Implemented for Pre-Process Stage During Create User Management Operation).
-
Removing Role Membership through API's in OIM11g
Guys, I am trying to remove a role membership for a user.
I was trying with this API (*oracle.iam.identity.rolemgmt.api*) and Interface RoleManager.revokeRoleGrant(roleKey,userKeys,evaluatePolicies). I am getting errors when I try to Import the api oracle.iam.identity.rolemgmt.api as Import cannot be resolved. which is the exact jar that I should add in the build path?
I have added all the 25 jars of lib but still it is not resolved.
And is this the correct API for removing the role membership for a user?
please share the sample code snippet if any of you have already have that functionality?
Edited by: Venu on Aug 24, 2011 3:00 PMVenu wrote:
Guys, I am trying to remove a role membership for a user.
I was trying with this API (*oracle.iam.identity.rolemgmt.api*) and Interface RoleManager.revokeRoleGrant(roleKey,userKeys,evaluatePolicies). I am getting errors when I try to Import the api oracle.iam.identity.rolemgmt.api as Import cannot be resolved. which is the exact jar that I should add in the build path?
I have added all the 25 jars of lib but still it is not resolved.
And is this the correct API for removing the role membership for a user?
please share the sample code snippet if any of you have already have that functionality?
Edited by: Venu on Aug 24, 2011 3:00 PMYou don't need to use 25 jars from the lib in your client code. Just need to use 3 jars which are bundled in the OIM_HOME\server\client\oimclient.zip\lib folder and wlfullclient.jar. The oracle.iam.identity.rolemgmt.api is in oimclient.jar which is in the oimclient.zip\lib folder.
HTH
Maybe you are looking for
-
Extended Notifications - Workflow Inbox link not working
Hi, I have configured SWNCONFIG to send Extended Notifications. E-mails are being sent but the link for Workflow Inbox (configured in Subscription Settings - SHOW_INBOX_AS = LINK1) only takes to the enterprise portal home page not the inbox. I have s
-
IPhone 5 not recognised by iTunes on my mac
When I try to connect the phone buzzes and I am told the device is not recognised. I have tried 3 different cables and different USB ports. I have an iPhone 5 and mac. I recently synced the phone with no problems. Any help much appreciated.
-
Multiple datasource with a sub-report with Java
Hi All, I have a group of data from which I will create subset to separate on a group. Now, I have multiple (say 3) datasets with me for which I want to perform the following tasks: Add first dataset to the databasecontroller, after adding the datase
-
Hello, Is there a way to display the image of the navigation bar entry on the top instead of in line with the text? I tried several things with my moderate html knowledge but didn't get it working. Denes Kubicek
-
Switching music from memory card to phone memory (...
Hi, i have hardly any space left on my Nokia 5800 memory card, and would like to know how to put some songs onto the phone memory as i have some free space there. does anybody know how? (very greatfull)