OIM 11g - Modify Assign Roles request

Hi everyone,
I would like to know if it's possible to modify the Assign Roles request in order to restrict the available assignees. I mean, for example, if a manager wants to create a new Assign Roles request, he will be able to select only the users he is the manager of.
If someone knows how to do that, it would be really helpful!
Thanks in advance,
Thibault

Thanks to both of you!!
Indeed it's OOTB, and it didn't work for me because there was another authorization policy configured for REQUEST_ADMINISTRATOR which allowed them to search for all users. And because all of my requesters had this role, they could search for all users. So I configured a new request template which allows a role, that I had already created before, to create requests, and now it works fine.
Thanks!!
Thibault
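
Added example (not part of the original thread and not OIM code): a small Python model of the cause described above, where a requester's selectable users are the union of what every applicable authorization policy permits, so one broad policy defeats the manager-only restriction. The policy names, the MANAGER_REQUESTERS role, the users and the data layout are constructed for illustration; only REQUEST_ADMINISTRATOR comes from the post.

```python
from dataclasses import dataclass

ALL_USERS = "ALL_USERS"            # policy lets the holder search every user
DIRECT_REPORTS = "DIRECT_REPORTS"  # policy limits the holder to users they manage


@dataclass(frozen=True)
class Policy:
    name: str
    assignee_role: str  # role whose members receive the permission
    scope: str          # ALL_USERS or DIRECT_REPORTS


# Constructed sample data mirroring the thread (not exported from OIM).
POLICIES = [
    Policy("Manager assign-role policy", "MANAGER_REQUESTERS", DIRECT_REPORTS),
    Policy("Request admin user search", "REQUEST_ADMINISTRATOR", ALL_USERS),
]
MANAGER_OF = {"alice": "mgr1", "bob": "mgr1", "carol": "mgr2"}  # user -> manager
ROLES = {
    "mgr1": {"MANAGER_REQUESTERS", "REQUEST_ADMINISTRATOR"},
    "mgr2": {"MANAGER_REQUESTERS"},
}


def granting_policies(requester, roles=ROLES, policies=POLICIES):
    """Policies that apply to the requester through any role they hold."""
    held = roles.get(requester, set())
    return [p for p in policies if p.assignee_role in held]


def selectable_users(requester, manager_of=MANAGER_OF, roles=ROLES, policies=POLICIES):
    """Union of what every applicable policy permits; the broadest grant wins."""
    scopes = {p.scope for p in granting_policies(requester, roles, policies)}
    if ALL_USERS in scopes:
        return set(manager_of) | set(manager_of.values())
    if DIRECT_REPORTS in scopes:
        return {u for u, m in manager_of.items() if m == requester}
    return set()


def over_scoped(manager_of=MANAGER_OF, roles=ROLES, policies=POLICIES):
    """Requesters who can select users beyond their own reports, and why."""
    findings = {}
    for requester in sorted(roles):
        reports = {u for u, m in manager_of.items() if m == requester}
        reachable = selectable_users(requester, manager_of, roles, policies)
        extra = reachable - reports - {requester}
        if extra:
            culprits = [p.name for p in granting_policies(requester, roles, policies)
                        if p.scope == ALL_USERS]
            findings[requester] = {"extra_users": sorted(extra), "granted_by": culprits}
    return findings


if __name__ == "__main__":
    for who, detail in over_scoped().items():
        print(who, detail)
```

Removing the broad role from the requester, as the poster did by using a dedicated requester role, empties the findings.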

Similar Messages

  • OIM Modify Assign Role Template

    Hello all,
    I would like to know if it's possible to change the name of the users shown in the Assign Role Template. I mean, when I create a request using the Assign Role Template, OIM lets me search for the users who I'm going to add to the respective Roles.
    So when I look for those users, the "Available Users" field shows the "display name" or the "First name and Middle name". What I want is that, instead of showing me the "display name", it shows me the "userLogin".
    Is it possible?
    Hope you can help me.

    Any update, please?

  • Assign role request through code not going to Operational level

    Hi All
    We are trying to assign roles through code using the OIM APIs as suggested in the documentation
    "http://docs.oracle.com/cd/E27559_01/doc.1112/e28183/oim_up.htm#autoId40".
    We have 2 approval policies: one is at Request level (i.e. Auto Approval) and the other is at Operational level (Scope=ALL Scope) with a workflow. So once the request is raised successfully by the code, it gets completed. The expected behavior is that it should go to the approval workflow attached at the operational level.
    When we tried to attach a workflow at the request level, the request goes through the approval workflow attached at request level, and once we approve at request level it gets completed and does not go to the operational level.
    But we will have Request level as auto approved and Operational level with two levels of workflow.
    Thanks in Advance

    Check whether you have configured the Request Type in your approval policy properly for operational level approval. In the Rule Components section, check whether you have configured everything correctly. Also, don't raise the request from the system admin login, as it will be treated as a direct provisioning request and your approval policies will not be invoked. Log in as an end user and test it.

  • OIM 11g Modify User Profile for Updating End Date

    Hi Gurus!
    We have an OIM implementation where users may request the creation of other users by means of a Create User request template. In this template we set the End Date to be 3 months after the request date.
    In order for the requester to extend the period of a user's OIM user account (along with its provisioned resources) we customized a Modify User Profile by displaying the End Date field and automatically populate it again to 3 months after the request date. Also we developed a custom event handler to enable the user when it is disabled and the End Date is updated to a future date.
    This Modify User Profile is working great when the user is still enabled (the End Date is still in the future), however, when the End Date has passed (and the user is Disabled) the requester is not able to see the user when selecting the Modify User Profile request template.
    Is there a way to allow requesters to also see disabled users in the Modify User Profile request template?
    Thank you in advance.
    Regards,

    Hi Kevin,
    thanks for your reply!
    But, in this case, when the user is already disabled due to his End Date, how can a requester, through the Self Service TAB, enable it?
    The Enable User request template does not work since when trying to enable the user, OIM sees the End Date is already passed and the DataSet validation throws an exception.
    The only way I saw was providing a Modify User Profile Request template to change the End Date and developing a custom event handler to enable the user upon the extension of the End Date...
    How can, in this situation, a requester enable the user and extend its End Date?
    Thank you!
    Regards,

  • OIM 11g R1 - Restrict Role assignment

    Hello,
    Is it possible, if a user has a special role, that no other roles can be assigned?
    For example:
    User1 has the role "Restricted" assigned. No other roles can be assigned to that user. SYS ADMIN cannot assign other roles either.
    Only after this role has been revoked from the user can other roles be assigned again.
    Is it possible to handle this scenario with an event handler?
    Edited by: 960944 on May 6, 2013 7:58 AM

    I don't know if you can prevent it, but I am pretty sure you can immediately fix it. You can create an event handler like this:
    <action-handler class="com.client.code.eventhandler.RoleUserProcessor" entity-type="RoleUser" operation="CREATE" name="RoleUserProcessor" stage="postprocess" order="1000" sync="TRUE"/>
    This is just a sample event handler that I've used before that did a check any time a user became a member of a role, to perform a certain action. You could do some testing on the operation type and the stage if you want. But it is possible for you to know any time a user is added to this role, and any time a user is added to a different role to check if they are a member of this role you mention. If they are a member, use the APIs to remove them from any others. If they get added to a new role, immediately remove them.
    So yes, it is possible, and perhaps this can give you a start at some testing.
    -Kevin

  • OIM 11g - Modify AdminWelcome.jsff

    I want to modify the AdminWelcome page so that the panel boxes for roles, organization and authorization policy are closed by default. Only the panel box for user should be open.
    Could somebody help me with how to modify the AdminWelcome.jsff from IdentityTaskFlow.jar?
    Edited by: 935899 on Aug 16, 2012 8:53 AM

    Hi Rajiv,
    Thanks for your response.
    1. I want to make Manager field on Profile->My Profile->Attributes editable
    You can create Authorization Policy for this. I don't have VM running but Manager field should be present there.
    I tried to do that but the Manager field still can't be edited. I wonder if there is an (xml) file that I must edit just like in 10g, such as FormMetadata.xml perhaps?
    2. When user modify the attribute(s) by him/her self, there is a workflow initiate and goes to xelsysadm (default request level and operation level).
    Customize OOTB Approval workflow or create new one with new Approval Policies.
    I tried to make a request level and operation level in Approval Policy with Auto Approval, then it worked; no approval is needed when the user modifies their own profile.
    Thank you
    Ivan P
    Edited by: ivan kw on Sep 8, 2011 3:19 AM
    Edited by: ivan kw on Sep 8, 2011 3:22 AM

  • OIM 11g add custom role on user creation

    Hi,
    When I create a user in OIM11g, by default it gets added to the "ALL USERS" role.
    I have created a new role and want to add the user to this custom role while creating users. How can I do this in OIM11g?
    Regards,
    Ab
    Edited by: 824473 on Jan 18, 2011 2:33 AM

    Set Auto submit to true. You can't set the value for the ValueChangedListener property in the current release of R2. This is a bug and you can raise an SR for the same. But this won't cause saving data into the USR table. The ValueChangedListener property is for the Modify User page only.
    As you said, data is not being saved in the USR table, so verify your steps again:
    create sandbox->users->create user/edit user/view user details page->click customize->leftTopcorner->View->Source->select area->edit->Click Add Content (on left top)->Data Component catalog->scroll down and select User VO->Refresh dialogue box->select the field and click 'Add'->on dropdown select 'ADF Input text w/label' (for view user page it should be output text w/label)->close that window->Check if it added to create user form->save and close customization
    For the user detail page select "Managed User->UserVo1" as the data component.
    Re: UDF creation on User form in 11gR2
    For valuechangedlistener the fixes are already available. You have to do some workaround, as the other poster has given in the above link:
    1. Create a sandbox and activate it. Open the page that contains the UDF, and click Customize.
    2. Select View, Source.
    3. Note the value of the valueChangeListener property of a predefined field. To do so:
       a. Click the predefined field, and then click Edit to open the Component Properties dialog box.
       b. Copy the value of the valueChangeListener property.
    4. Export the sandbox as a ZIP file.
    5. Extract the ZIP file and edit the jsff.xml file for the specific screen.
    6. Add the following attributes to the ADF tag, for example af:inputText, for the UDF:
       ◦ valueChangeListener=VALUE_COPIED_IN_STEP3
       ◦ autoSubmit="true"
    7. Create the ZIP file for the sandbox.
    8. Import the sandbox.
    9. Publish the sandbox.
    Edited by: Nishith Nayan on Sep 21, 2012 1:04 PM

  • OIM 11g R2 Available Roles For Organizations Is Empty After XML Import

    Hi,
    When we exported Organizations in OIM via Deployment Manager and imported them back, available roles on Organizations are gone.
    To be exact; Hierarchical role assignments are gone, which are done using "include-sub-orgs" check while putting organizations to Roles.
    To understand the problem,
    We took a single organization, exported it, changed only organization name in the XML and imported it back. The results are the same.
    We included every possible dependency in the xml to see if this was the issue, apparently it wasn't.
    Furthermore,
    On the Role screens' Available Organization's tab, when we check the "include sub orgs" box, it works fine on manually added organizations. They are shown on Available Roles for the Organizations.
    But this doesn't work on imported organizations.
    Is there a trick to this in R2?
    How can we export-import the organizations and still see the available roles?
    Thanks,
    Erdogdu

    Hi All
    Any updates, please? Can anyone just confirm whether creating a custom attribute on User Profile adds the attribute to the list of attributes for membership rules for roles?
    Thanks
    Darshan

  • How to trigger approval request for resources after assigning role

    Hi,
    We have a use case where we need to assign resources to user via assigning roles.
    In order to achieve this use case:
    1. We have created a role and assigned the access policy to it, which contains the resources to be provisioned once the role is assigned to the user.
    2. Created a SOA composite having manager approval and assigned this composite to an approval policy of type 'Assign Role'.
    3. I already have the approval policy for the resources which are present in roles. The approval policy of resources is of type "Provision Resource".
    4. Also, the SOA composite for resource approval is deployed in OIM and assigned to the approval policy.
    5. Now when I raise the request from OIM of type "Assign Role", the approval defined in the SOA composite for Role approval gets triggered. After approving the role request, the role is assigned to the user and also the resources defined in the access policy get provisioned to the user account.
    Now I want to trigger the resource approval process after the role approval instead of directly provisioning the resources, so that once the role is approved, the individual approval process of the resources that are part of the role should also get invoked. Based on the approval or rejection of the resource approval, the resource gets assigned to the user.
    Please let me know how to achieve the above use case.
    Thanks in advance

    Access policy is saying whoever gets xyz role will get this abc resource. Now once a user gets xyz role, you are stopping them from getting abc resource? Both are contradictory. Don't go through access policy. User is anyway going to request roles. Modify your flow and make the user request the resource. Have your composite and approval policy attached. User will get the resource once it is approved.
    regards,
    GP

  • OIM 11G : Selecting Multiple RO's in Single "Self Request Resource" Failing

    Hello Everyone,
    OIM 11G : End User "Self Request Resource" failing when user selects 2 or more resources in a Single Self Request Resource Request
    1) On OIM 11G, I have created 2 resource objects, workflow, process forms.
    2) Created the separate request dataset xml and imported into OIM repository
    3) Now if an end user creates a request , "Self Request Resource" and selects one of the resource
    4) Form defined as per request dataset shows up perfectly for the application on Resource Attributes page which comes next.
    5) Only Problem that I am seeing is when End User selects 2 resources in one single request
    Both the resource request dataset has been correctly configured because selecting only 1 works not both when both are selected in same request.
    Thanks,
    Deepak

    Hello Experts,
    on OIM 11G
    I am getting the above issue when an end user does a "self request resource" and selects 2 Resource Objects.
    On the Next Page, attribute form defined as per the request dataset.xml does not show up.
    Both the RO's are seen on top breadcrumbs but with a blank form. I can navigate to the next RO Resource Data Details again with a blank form.
    Though the attribute form as per request dataset comes up properly if I select any 1 of the 2 RO's and make "self request resource". everything goes fine.
    I have followed the documentation thoroughly to import the datasets etc and can see request dataset in MDS_PATHS table (DEV_MDS user).
    If anybody has also faced a similar issue or tested that selecting 2 RO's in 1 single "self request resource" works , pls let me know.
    Thanking in advance,
    Deepak

  • OIM 11g: xelsysadm has to approve twice

    I have configured OIM so that an end user can create a Self Assign Role request. The approval first goes to the user's manager, then xelsysadm.
    When I click Approve Task as xelsysadm, it comes back with a confirmation that the task was approved. However, when I refresh the page, I can see the task is still there. The 2nd time I approve it, it actually works and the user gets the role s/he requested.
    This is all OOB configuration, nothing customized. The only thing I added was a Template Level Approval Process: default/BeneficiarymanagerApproval!1.0
    Am I missing something?

    sorry, wrong forum.

  • How to assign approval policy for a request template in OIM 11g

    When I request a resource in OIM 11g, it always goes for the default approval of xelsysadm.
    I want this request level approval to go to "Beneficiary Manager approval". While requesting I am selecting the request template (which I created) for Provision resource as Request type. I have already set "Beneficiary Manager approval" as the request level approval for this request template.
    I have created one approval policy. How can I assign this approval policy to the request template so that when I submit this request, it goes to my manager for approval?
    Regards,
    J

    Hi Rajiv,
    I do not need approval of Operational level. I want to stop the approval process after request level approval.
    Here you are saying to create a new approval policy and set AUTO Approval as true. There are some default approval policies which come with OIM 11g, and one of the approval policies is triggering the Operational level approval. So I think I do not need to create a new approval policy and I can use the existing approval policy and modify it as you suggested, selecting AUTO APPROVAL and creating the approval rule as request template=="XYZ".
    I am not sure which default approval policy is triggering the Operational approval now. Can you pls tell me that?
    Can you pls confirm that the only way to restrict Operational Approval is by selecting "AUTO APPROVAL" true and putting the approval rule as request template=="XYZ"?
    Thanks Rajiv for your help all the time.

  • Can approver modify user's request form in OIM 11g?

    Dear All,
    In OIM 10g, the approver of a request can modify the user's request form; we just need to configure the permission in OIM. But can we do it in OIM 11g?
    If so, how can I configure it?
    Really need your help guys :D
    Thank you,
    --herry

    Hi user12841694,
    Thanks for the suggestion. But, the data (field) that can be modified by the approver is very limited. We cannot attach multi-valued attribute there (like Child Form).
    Regards,
    ---herry

  • How can an approver modify the requested items in a request - OIM 11g R2

    Hi,
    I want the approver to add/modify/delete the requested items in a request, when the request is pending for approval.
    For eg. If a user has requested for 2 entitlements, when the request reaches the approver's queue, approver can add/delete the entitlements in the same request.
    Please let me know how to achieve the same in OIM 11g R2.
    Thanks
    Edited by: user9212679 on Mar 15, 2013 9:23 AM

    Check this API documentation
    http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/oracle/iam/platformservice/api/AdminRoleService.html

  • OIM 11g r2 ps2. Setting end date for role requests

    Hi,
    reviewing the new features document on oim 11g r2 ps2: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oim-11gr2-whats-new-1709505.pdf
    it says "For example, in a request that involves multiple entitlements, the requester might be required to specify the start date and end date for each of the entitlements requested. OIM enables requesters to provide such information during request that can be carried all the way to approval and provisioning processes. OIM also provides an out-of-the-box scheduled task for entitlement grant and revoke based on the start and end dates specified"
    I've been searching on the documentation and doing tests on a virtual environment before a poc to a customer and can not find how to use that feature.
    Is it an OotB feature or it needs codification and extra configuration?
    Any tips on how to achieve this?
    Thanks in advance!

    Doc links:
    http://docs.oracle.com/cd/E40329_01/admin.1112/e27149/appinstance.htm#OMADM5296
    http://docs.oracle.com/cd/E40329_01/admin.1112/e27149/scheduler.htm#OMADM743, tasks "Sunrise of Accounts and entitlements" and "Sunset of Accounts and entitlements".
    Oracle Support Document 1951854.1 (Sunrise And Sunset Of Entitlements) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1951854.1
    Joost
