ACIs for Roles

Hi,
I've read through all the docs and can't seem to find why my new ACI isn't working.
- Users are in subtrees of ou=Users,dc=root
- Roles are defined in ou=Roles,dc=root
- Admin role created, cn=ds-readapps-readinternalusers,ou=dsadminroles,ou=roles,dc=root
- Added user 123456,ou=Internal,ou=Users,dc=root such that it has nsRoledn=cn=ds-readapps-readinternalusers,ou=dsadminroles,ou=roles,dc=root
ACI created:
(target = ldap:///ou=Users,dc=root) (targetscope = subtree) (targetattr != "userPassword, displayname")
(version 3.0; acl "DS-ReadInternalUsers";
allow (all) roledn = "ldap:///cn=ds-readapps-readinternalusers,ou=dsadminroles,ou=roles,dc=root";)
However, the user can't see anything in the directory. If it has the correct nsRoledn attribute, why doesn't the ACI let it see the Users tree?
Any suggestions welcome.

The roles don't apply the way you'd expect. Even though the role is assigned to the user, it doesn't really take effect because the user and the role are in separate, parallel containers. The scope of the role only applies to the container where the role is defined, and any subtrees of that container.
If you move the roles to a branch of the tree that is above the user entries, then it should apply.
For example, if your roles were in ou=internal,ou=users,dc=root or higher, then the scope of the roles would apply to the users in ou=internal.
See page 220 in the DSEE 6.3 admin guide:
By default, the scope of a role is limited to the subtree where the scope is defined. However, you
can extend scoping of the nested role. You can allow the scope to nest roles located in other
subtrees and to have members anywhere in the directory. For details see "To Extend the Scope
of a Role" on page 223 and "Example of a Nested Role Definition" on page 222.
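As an added illustration of the scoping rule the reply describes (example code written for this page, not anything from the thread or from Directory Server itself), here is a small Python model of the check that decides whether a roledn bind rule can ever match. It assumes a managed role (the kind activated by setting nsRoleDN on the user entry), that the user entry is uid=123456,ou=Internal,ou=Users,dc=root (the post omits the attribute type), a constructed target entry uid=777,ou=Internal,ou=Users,dc=root that the user tries to read, and a hypothetical relocated role DN cn=ds-readapps-readinternalusers,ou=Users,dc=root to show the effect of moving the role above the user entries.

```python
"""Model of how a roledn bind rule interacts with managed-role scope.
Added example: it implements the documented default (a role's scope is
the subtree of the container holding the role entry), not server code."""
from __future__ import annotations
import re


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas; lower-case and trim so
    'ou=Users' and 'ou=users' compare equal (attribute types are case-insensitive)."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def normalize(dn: str) -> str:
    return ",".join(split_dn(dn))


def is_within(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or lies anywhere below it."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def role_scope(role_dn: str) -> str:
    """Default scope of a managed role: the parent container of the role
    entry and everything beneath it."""
    return ",".join(split_dn(role_dn)[1:])


def roles_in_effect(user_dn: str, nsroledn: list[str]) -> set[str]:
    """Subset of the user's nsRoleDN values the server will actually report
    in the computed nsRole attribute: only roles whose scope contains the entry."""
    return {normalize(r) for r in nsroledn if is_within(user_dn, role_scope(r))}


def aci_allows(user_dn: str, nsroledn: list[str], target_dn: str,
               aci_target: str, aci_roledn: str) -> bool:
    """A roledn bind rule matches only when the role is in effect for the bound
    user, and (targetscope = subtree) the target entry lies under the ACI target."""
    if not is_within(target_dn, aci_target):
        return False
    return normalize(aci_roledn) in roles_in_effect(user_dn, nsroledn)


# DNs from the thread; the uid= attribute type is an assumption.
ROLE_DN = "cn=ds-readapps-readinternalusers,ou=dsadminroles,ou=roles,dc=root"
USER_DN = "uid=123456,ou=Internal,ou=Users,dc=root"
ACI_TARGET = "ou=Users,dc=root"
TARGET_ENTRY = "uid=777,ou=Internal,ou=Users,dc=root"      # constructed entry being read
# Hypothetical relocation of the role above the user entries, as the reply suggests.
MOVED_ROLE_DN = "cn=ds-readapps-readinternalusers,ou=Users,dc=root"

if __name__ == "__main__":
    for role in (ROLE_DN, MOVED_ROLE_DN):
        print(f"role {role}")
        print(f"  scope: {role_scope(role)}")
        print(f"  in effect for user: {bool(roles_in_effect(USER_DN, [role]))}")
        print(f"  ACI grants read: {aci_allows(USER_DN, [role], TARGET_ENTRY, ACI_TARGET, role)}")
```

On a live server the equivalent check is to read the user entry and explicitly request the operational attribute nsRole: the server lists there only the roles that are in effect, and a roledn bind rule can only match a DN that appears in that list. If the role DN is absent from nsRole, the ACI is not the problem; the role's scope is.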

Similar Messages

  • Error while updating a custom Windows Azure Diagnostics configuration xml from powershell. "Invalid update to extension reference for role"

    I am attempting to upload a manually edited WADConfig xml to my VM. The WAD service is functioning correctly, I needed to add some custom WinEventLogs. The prescribed steps result in an error.
    What am I overlooking?
    I am following these instructions:
    Step 5: Remotely install Diagnostics on your Azure Virtual Machine
    azure.microsoft.com/en-in/documentation/articles/cloud-services-dotnet-diagnostics/#virtual-machine
    $storage_name = "wadexamplevm"
    $key = "<StorageAccountKey>"
    $config_path = "c:\users\<user>\documents\visual studio 2013\Projects\WadExampleVM\WadExampleVM\WadExample.xml"
    $service_name = "wadexamplevm"
    $vm_name = "WadExample"
    $storageContext = New-AzureStorageContext `
        -StorageAccountName $storage_name -StorageAccountKey $key
    $VM1 = Get-AzureVM `
        -ServiceName $service_name -Name $vm_name
    $VM2 = Set-AzureVMDiagnosticsExtension `
        -DiagnosticsConfigurationPath $config_path `
        -Version "1.*" `
        -VM $VM1 -StorageContext $storageContext
    $VM3 = Update-AzureVM `
        -ServiceName $service_name -Name $vm_name `
        -VM $VM2.VM
    Unfortunately, I am receiving this error:
    Update-AzureVM : BadRequest: Invalid update to extension reference for role: XXXXXX and reference: IaaSDiagnostics.
    What's missing from the above script?

    Hi,
    Since Azure SDK 2.5 uses the extension model for the diagnostics extension, the configuration and the connection string to the diagnostics storage are no longer part of the deployment package and cscfg. All the diagnostics configuration is contained within the wadcfgx. The advantage with this approach is that the diagnostics agent and settings are decoupled from the project and can be dynamically enabled and updated even after your application is deployed.
    Due to this change some existing workflows need to be rethought: instead of configuring the diagnostics as part of the application that gets deployed to each environment, you can first deploy the application to the environment and then apply the diagnostics configuration for it. When you publish the application from Visual Studio this process is done automatically for you. However, if you are deploying your application outside of VS using PowerShell, then you have to install the extension separately through PowerShell.
    The PowerShell cmdlets for managing the diagnostics extension on a Cloud Service are:
    Set-AzureServiceDiagnosticsExtension
    Get-AzureServiceDiagnosticsExtension
    Remove-AzureServiceDiagnosticsExtension
    You can use the Set-AzureServiceDiagnosticsExtension cmdlet to enable the diagnostics extension on a cloud service. One of the parameters on this cmdlet is the XML configuration file. This file is slightly different from the diagnostics.wadcfgx file. You can create this file from scratch by following the article that you are referring to, or you can modify the wadcfgx file and pass in the modified file as a parameter to the PowerShell cmdlet.
    To modify the wadcfgx file –
    Make a copy the .wadcfgx.
    Remove the following elements from the Copy:
    <DiagnosticsConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
       <PrivateConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
         <StorageAccount name=" " endpoint="https://core.windows.net/" />
       </PrivateConfig>
       <IsEnabled>false</IsEnabled>
    </DiagnosticsConfiguration>
    Make sure the top of the file still has xml version and encoding –
       <?xml version="1.0" encoding="utf-8"?>
    Effectively you are stripping down the Wadcfgx to only contain the <PublicConfig> section and the <?xml> header. You can then call the PowerShell cmdlet along with the appropriate parameters for the staging slots and roles:
    $storage_name = '<storagename>'
    $key = '<key>'
    $service_name = '<servicename>'
    $public_config = '<thepublicconfigfrom_diagnostics.wadcfgx>'
    $storageContext = New-AzureStorageContext -StorageAccountName $storage_name -StorageAccountKey $key
    Set-AzureServiceDiagnosticsExtension -StorageContext $storageContext -DiagnosticsConfigurationPath $public_config -ServiceName $service_name -Slot 'Staging' -Role 'WebRole1'
    Hope this helps !
    Regards,
    Sowmya
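    An added example, not code from the thread, that automates the trimming step the reply describes in Python, so the PublicConfig-only file is produced repeatably instead of hand-edited. The wadcfgx content below is a constructed sample in the layout Visual Studio writes (the key value in it is fake); the only real-world assumptions are the schema namespace already shown in the reply and that the source file is UTF-8, possibly with a BOM. Keeping PrivateConfig out of the file matters because that element is where the storage account key lives, and files derived from wadcfgx tend to end up in source control; with this split the key is supplied only at deploy time through -StorageContext.

```python
"""Strip a .wadcfgx down to the PublicConfig element that
Set-AzureServiceDiagnosticsExtension -DiagnosticsConfigurationPath expects.
Added example; not code from the thread."""
import xml.etree.ElementTree as ET

WAD_NS = "http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration"
ET.register_namespace("", WAD_NS)   # serialise as a default xmlns, not ns0:


def public_config_xml(wadcfgx_text: str) -> str:
    """Return a document holding only the XML declaration plus the PublicConfig
    subtree. PrivateConfig (storage key) and IsEnabled are dropped, as the reply
    describes; the key is passed at deploy time via -StorageContext instead."""
    root = ET.fromstring(wadcfgx_text)
    if root.tag != f"{{{WAD_NS}}}DiagnosticsConfiguration":
        raise ValueError(f"not a wadcfgx document: root is {root.tag}")
    public = root.find(f"{{{WAD_NS}}}PublicConfig")
    if public is None:
        raise ValueError("wadcfgx has no PublicConfig element")
    public.tail = None   # drop the whitespace that followed it in the source
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(public, encoding="unicode")


def leaks_private_config(xml_text: str) -> bool:
    """Guard to run before the file is handed to PowerShell or committed."""
    root = ET.fromstring(xml_text)
    return (root.tag == f"{{{WAD_NS}}}PrivateConfig"
            or root.find(f".//{{{WAD_NS}}}PrivateConfig") is not None)


def convert(src_path: str, dst_path: str) -> None:
    """File-to-file wrapper; utf-8-sig tolerates the BOM Visual Studio writes."""
    with open(src_path, encoding="utf-8-sig") as f:
        out = public_config_xml(f.read())
    if leaks_private_config(out):
        raise RuntimeError("refusing to write a file that still carries PrivateConfig")
    with open(dst_path, "w", encoding="utf-8") as f:
        f.write(out)


# Constructed sample in the layout Visual Studio writes; the key is fake.
SAMPLE_WADCFGX = """<?xml version="1.0" encoding="utf-8"?>
<DiagnosticsConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
  <PublicConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
    <WadCfg>
      <DiagnosticMonitorConfiguration overallQuotaInMB="4096">
        <WindowsEventLog scheduledTransferPeriod="PT1M">
          <DataSource name="Application!*[System[(Level = 1 or Level = 2)]]" />
          <DataSource name="Security!*[System[(EventID = 4624 or EventID = 4625)]]" />
        </WindowsEventLog>
      </DiagnosticMonitorConfiguration>
    </WadCfg>
    <StorageAccount>wadexamplevm</StorageAccount>
  </PublicConfig>
  <PrivateConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
    <StorageAccount name="wadexamplevm" key="FAKEKEYFAKEKEYFAKEKEY==" endpoint="https://core.windows.net/" />
  </PrivateConfig>
  <IsEnabled>false</IsEnabled>
</DiagnosticsConfiguration>
"""

if __name__ == "__main__":
    print(public_config_xml(SAMPLE_WADCFGX))
```

    Pass the generated file as -DiagnosticsConfigurationPath to Set-AzureServiceDiagnosticsExtension exactly as in the cmdlet call above; the storage key travels only in the $storageContext object.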

  • OIM 11g R1 - Container for Roles

    Hi,
    is it possible to create a container for roles?
    For example:
    Container1: RoleA, RoleB, RoleC
    Container2: RoleV, RoleY, RoleZ
    The reason is, I want to create authorization policies which allow the user to assign special roles. The problem is that a lot of roles will be added during operation. This means that if a new role is created, I have to edit the authorization policy.
    The best way is, I assign a Role-Container to the authorization policy. If I create a new role, I add the role to the special container.
    Is this possible in OIM 11g R1?
    Edited by: 960944 on Apr 3, 2013 5:18 AM

    Yes, you can do that using authorization policy.
    Try this:
    Create a Role called 'X'
    Create an Authorization Policy of Role Management Entity Type called 'X Role Authz Policy' and under the Permission tab:
    Grant Modify Role Membership, Search for Role, View Role Detail and View Role Membership
    Under Data Constraints: Add all the roles that a user can self-assign except the SYS ADMIN role.
    Under Assignment: Add Role 'X'
    Save and apply to test it.
    You can have a look at the default Role Management All Users Policy for reference.
    Regards,
    Sunny

  • RFC- Bapi - For Role Maintenance (Single and  Composite)

    We are in the process of developing an ASP.NET web application which will be used to raise requests for user and role creations in SAP.
    We will be making use of Sonic ESB to update SAP through IWAY SAP adapter.
    IWAY SAP adapter supports RFC’s, Bapi’s & IDocs.
    We are aware of RFC’s that could be used for user creation, updating and deletion.
    We have NOT come across any RFC’s or Bapi’s for role maintenance
    1) We would need RFC’s for the following requirements:
    1) To create a new role (single or composite role ).Creating a new role would include adding transactions to a role, deriving from an existing role or assigning more than one role to another role.
    2) To update a role
    3) To delete a role.
    4) To get the details of an existing role
    If there are no RFC’s for the above requirement, will we need to create a custom RFC?
    If we need to create a custom RFC, are there any transactions already available for the above requirements so that we could write a RFC wrapper?
    2) Are there any RFC’s that would give us the complete list of roles (single or composite) in an SAP system?
    3) Are there any RFC’s that would give us the complete list of transactions in an SAP system?
    Presently for 2) & 3) , we are making use of RFC_READ_TABLE to read SAP tables to get the list of roles and transactions.
    Thanks for your answers

    Hi,
    Check these FMs; I don't know whether they will work for you or not.
    BAPI_USER_ACTGROUPS_ASSIGN     User: Change entire activity group assignment
    BAPI_USER_ACTGROUPS_DELETE     User: Delete entire activity group assignment
    BAPI_USER_CHANGE               Change User
    BAPI_USER_CLONE                Create User with Template in Another System
    BAPI_USER_CREATE
    BAPI_USER_CREATE1              Create a User
    BAPI_USER_DELETE               BAPI to Delete a User
    BAPI_USER_DISPLAY              Display Users
    BAPI_USER_EXISTENCE_CHECK      Check a user exists
    BAPI_USER_GETLIST              Search for Users
    BAPI_USER_GET_DETAIL           Read User Details
    BAPI_USER_INTERNET_CREATE      Create a user in the Internet
    BAPI_USER_LOCACTGROUPS_ASSIGN  Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_LOCACTGROUPS_DELETE  Delete Activity Group Assignments in the Dependent Systems
    BAPI_USER_LOCACTGROUPS_READ    Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_LOCK                 Lock User
    BAPI_USER_LOCPROFILES_ASSIGN   Change Profile Assignment for Dependent Systems from Central System
    BAPI_USER_LOCPROFILES_DELETE   Delete Profile Assignments for Dependent Systems
    BAPI_USER_LOCPROFILES_READ     Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_PROFILES_ASSIGN      User: Assign profiles
    BAPI_USER_PROFILES_DELETE      User: Delete All Profile Assignments
    BAPI_USER_UNLOCK               Unlock user
    Reward points if useful..
    Regards
    Nilesh

  • RFC for role maintenance

    We are in the process of developing an ASP.NET web application which will be used to raise requests for user and role creations in SAP.
    We will be making use of Sonic ESB to update SAP through IWAY SAP adapter.
    IWAY SAP adapter supports RFC’s, Bapi’s & IDocs.
    We are aware of RFC’s that could be used for user creation, updating and deletion.
    We have NOT come across any RFC’s or Bapi’s for role maintenance
    1) We would need RFC’s for the following requirements:
    1) To create a new role (single or composite role). Creating a new role would include adding transactions to a role, deriving from an existing role or assigning more than one role to another role.
    2) To update a role
    3) To delete a role.
    4) To get the details of an existing role
    If there are no RFC’s for the above requirement, will we need to create a custom RFC?
    If we need to create a custom RFC, are there any transactions already available for the above requirements so that we could write a RFC wrapper?
    2) Are there any RFC’s that would give us the complete list of roles (single or composite) in an SAP system?
    3) Are there any RFC’s that would give us the complete list of transactions in an SAP system?
    Presently for 2) & 3) , we are making use of RFC_READ_TABLE to read SAP tables to get the list of roles and transactions.
    Thanks for your answers

    Hi Nicole,
    I think you are in the wrong forum.... For Guided Procedures, this is only about process roles and not roles used in the ABAP Stack.
    Best regards,
    David

  • OIM 11gR1 : Parallel approval for role assignment.

    Hi,
    I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
    When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
    Also, Is it possible to assign a Role instead of the users in the custom attributes ?
    Meaning, Approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
    Will appreciate pointers to the online docs, I've searched and didn't find information related to the usecase I've described.
    Thanks,
    Meni,

    Bikash Bagaria wrote:
    Meni wrote:
    Hi,
    I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
    When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
    Try modifying the dataset. But I think there was an issue which someone reported here which said that you cannot add additional attributes to the role dataset. Logically it makes sense because there is no custom attribute for role in OIM, so the dataset should not allow it either.
    I've noticed that the design console allows adding custom attributes to roles.
    This can be done via Administration --> User Defined Field Definitions --> UGP (Table name).
    Once a field is added, you'll need to choose "Properties" and add a "Visible Field = true" prop to the attribute chosen.
    This will add a custom attributes section where your attributes will be shown.
    Question is how you can add a "search users" lookup instead of a plain string for this custom attribute,
    and how those attributes will find their way into the BPEL composite where business decisions based on those attributes may be taken (assign task per this attribute, for example).
    Also, is it possible to assign a Role instead of the users in the custom attributes?
    Meaning, approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
    You can create a request for multiple roles in a single request and in your approval process you need to dynamically set the human task assignee based on the role selected. You also need to attach the approval process to orchestration level so that it generates a separate child request for each role selected.
    I'm not sure I understand how the proposed approach helps avoid the decoupling of users to role admins attribute.
    The intention was to have two roles, "Role_A" and "Role_A_Approver" where people that belong to "Role_A_Approver" will be assigned workflow tasks whenever Role_A is to be granted to end-users.
    Currently, each role has a "Role Admin" attribute; this attribute however holds a user and not a container of users (role).
    Will appreciate pointers to the online docs, I've searched and didn't find information related to the usecase I've described.
    All about requests
    Thanks,
    Meni,
    -Bikash

  • Failed to get the Availability State on server Distriubtionpoint1 for role SMS Distribution Point

    Distriubtionpoint1-- Server share distribution point
    Distriubtionpoint1-- Acting as site system role (DP)
    Distriubtionpoint1--attached under the primary PR0 (Primary server0)
    Primary server0-- reporting to CS0 (central site 0)
    Distriubtionpoint1-- Windows 2008 sp1 r2 standard
    Infrastructure details:-
    =============
    Distriubtionpoint1 located in different domain with one way trust.
    1) Checked ping status with FQDN from both domains and it succeeds.
    2) Checked ports 135, 445, 80, 443 through telnet from both domains; success.
    3) The Primary Server0 account is a member of the local admin group on Distriubtionpoint1.
    4) Checked the PR0-SCCM-DP$ folder NTFS & share permissions:
    Share permission
    a) everyone & local admin group have full control
    Security permission
    a) System has full permission
    b) user has read & exec
    c) Local admin full
    Sitestat.log error message:
    ---->: Failed to get the Availability State on server
    Distriubtionpoint1 for role SMS Distribution Point. SMS_SITE_SYSTEM_STATUS_SUMMARIZER 4/22/2014 9:00:15 PM 952 (0x03B8)
    ---->: Now polling via NAL for SiteObject "["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\" SMS_SITE_SYSTEM_STATUS_SUMMARIZER
    4/22/2014 9:00:15 PM 952 (0x03B8)
    for ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\, no connection account is available SMS_SITE_SYSTEM_STATUS_SUMMARIZER
    4/22/2014 9:00:15 PM 952 (0x03B8)
    ---->: The NAL path ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\ is currently not accessible. SMS_SITE_SYSTEM_STATUS_SUMMARIZER
    4/22/2014 9:00:18 PM 952 (0x03B8)
    Info>: Unable to get available space for the Site Object ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\ SMS_SITE_SYSTEM_STATUS_SUMMARIZER
    4/22/2014 9:00:18 PM 952 (0x03B8)
    STATMSG: ID=4701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_SITE_SYSTEM_STATUS_SUMMARIZER" SYS=Distriubtionpoint1 SITE=PR0 PID=4112 TID=952 GMTDATE=Wed Apr 23 01:00:18.002
    2014 ISTR0="\\Distriubtionpoint1\PR0-SCCM-DP$" ISTR1="\\Distriubtionpoint1\PR0-SCCM-DP$" ISTR2="2014 04 4 17 04 31 31 000" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8=""
    ISTR9="" NUMATTRS=0 SMS_SITE_SYSTEM_STATUS_SUMMARIZER 4/22/2014 9:00:18 PM 952 (0x03B8)
    for ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\, no connection account is available SMS_SITE_SYSTEM_STATUS_SUMMARIZER
    4/22/2014 9:00:18 PM 952 (0x03B8)
    ---->: GetOperationsManagementData failed to connect to ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\; error
    = 5. SMS_SITE_SYSTEM_STATUS_SUMMARIZER 4/22/2014 9:00:20 PM 952 (0x03B8)

    I have tried to access the server share DP from the primary server by using my user
    credential. Yes, I am able to access the share.
    But when I use the system credential to access the share I receive an error message as shown in the screenshot below.
    Hence I have provided the share and NTFS permissions to administrators, system, everyone and the
    primary server account with full control on both tabs, but I am still receiving the error message.
    c:\temp>whoami
    US\prasath
    c:\temp>dir \\PrimaryServer1\SCCM-DP$
    Volume in drive \\PrimaryServer1\SCCM-DP$ is Data
    Volume Serial Number is 22F0-661B
    Directory of \\PrimaryServer1\SCCM-DP$
    03/17/2014 03:33 PM <DIR> .
    03/17/2014 03:33 PM <DIR> ..
    04/01/2014 08:04 AM <DIR> SMSPKG
    0 File(s) 0 bytes
    3 Dir(s) 514,625,064,960 bytes free
    ===========================================
    C:\Windows\system32>whoami
    nt authority\system
    C:\Windows\system32>dir \\PrimaryServer1\SCCM-DP$
    Access is denied.

  • Query: Setting ACL for Roles and Programmatic Approach

    Hi All
    I'm trying to set up ACL for Roles on a WCC (11.1.1.8) server by following the blog https://blogs.oracle.com/kyle/entry/access_control_lists_for_roles using Framework folders and have a few queries.
    Query 1:
    Created new folder and associated enterprise roles under Role access list
    1. Created a new folder 'MyFolder' with Security group 'Secure', owner 'weblogic'.
    2. Assigned Role 'Deployers' under Role Access List with RW permissions.
    3. In Admin console, associated user 'jcooper' with 'Deployers' group and 'jausten' with no group.
    4. Logged in using 'jcooper' and was able to access 'MyFolder'.
    5. Logged in using 'jausten' and was also able to access 'MyFolder'.
    Observation
    Since user 'jausten' is not associated with the 'Deployers' group, how can 'jausten' access the folder? Am I missing some configuration here? Please let me know the setup steps to achieve this functionality in the desired manner.
    Query 2:
    Created a prototype using RIDC to create a folder programmatically and assigning RAL to the created folder
            // Create a folder under the root and set its Role Access List in the same call
            DataBinder requestData = client.createBinder();
            requestData.putLocal("IdcService", "FLD_CREATE_FOLDER");
            requestData.putLocal("fParentGUID", getFolderGUID("/"));
            requestData.putLocal("fFolderName", "TestFolder");
            requestData.putLocal("xClbraRoleList", ":Deployers(RW)");
            ServiceResponse updateResponse = client.sendRequest(connectionContext, requestData);
    Observation
    Folder got created successfully, but 'Deployers' Role not assigned under Role access list.
    Query 3:
    Created a prototype using RIDC to assign enterprise roles to the existing folder
            // Edit an existing folder to add the role to its Role Access List
            DataBinder requestData = client.createBinder();
            requestData.putLocal("IdcService", "FLD_EDIT_FOLDER");
            requestData.putLocal("fFolderGUID", getFolderGUID("/TestFolder"));
            requestData.putLocal("path", "/TestFolder");
            requestData.putLocal("xClbraRoleList", ":Deployers(RW)");
            ServiceResponse updateResponse = client.sendRequest(connectionContext, requestData);
    Observation
    Role got associated with folder under Metadata section, whereas folder information section does not contain the reference of updated role e.g. Edit Folder Information section on WCC UI not showing the added role, whereas Edit Metadata values section of UI showing this role.
    Please suggest what I'm missing in configuration/code and appropriate way to achieve the functionality.
    Thanks.

    Thanks Jonathan!!
    Query 2 and 3 answered by this setting and it worked fine.
    Could you please also assist on Q.1
    Query 1:
    Created new folder and associated enterprise roles under Role access list
    1. Created a new folder 'MyFolder' with Security group 'Secure', owner 'weblogic'.
    2. Assigned Role 'Deployers' under Role Access List with RW permissions.
    3. In Admin console, associated user 'jcooper' with 'Deployers' group and 'jausten' with no group.
    4. Logged in using 'jcooper' and was able to access 'MyFolder'.
    5. Logged in using 'jausten' and was also able to access 'MyFolder'.
    Observation
    Since user 'jausten' is not associated with the 'Deployers' group, how can 'jausten' access the folder?
    Am I missing some config?

  • AD LDAP for Authentication but ABAP or IDM for Role Assignments

    Hi Portal Gurus,
    Is it possible to configure the UME in such as way so that it connects to the AD for authentication purposes but uses the CUA or SAP Identity Manager for role assignments?
    Thanks,
    Vibhu

    Hi,
    Thanks for the suggestion. But ours was a different problem.
    The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
    During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
    Best regards,
    Ashok

  • DFD diagram and ER crossmatrix for role definitions and role's privileges on objects

    Hello,
    Having a question on the derivative use of a combination of DFDs and ER diagrams (let us be more specific and focus on the relational model).
    In a DFD there are defined external entities and functions, data flows and data stores that are forming processes.
    Functions represent procedures, transactions, transformations.
    Dataflows represent procedure parameters, intermediate reports, temporary table data, data that is passed, retrieved/written, signals, triggers/events that control or trigger a function...
    The context of my question is focused on external entities.
    An external entity is supposed to denote the source or destination system (for example an archiving system) or operator, a system that is out of scope of the DFD and is mentioned just as target or destination or source of a dataflow or control flow.
    In the context of these understandings I am using external entities also for types of users of the system: staff that is triggering functions, or schedulers or job managers, or reporting systems (or components of reporting systems like for example business intelligence extraction processes).
    My problem is that on the basis of external entity definitions and the E/R model I also define roles and privilege classes for access to data objects,
    and from those generate DDLs for database roles and privileges on entities to those roles.
    But in granting privileges to a role there are two different kinds of privileges on data objects:
    - privileges that are granted on various schema objects
       For example role1 has grant on tab1, view2, procedure1, package3,
    - the other type of privilege is based on the scope or range of a semantically defined scope or semantic area.
    The semantic area is scattered through tables because of normalisation, and using the semantic area as an entity whose primary key is
    partitioning the table data through many semantic areas.
    So this privilege should be granted on the basis of the rows in a table, not columns (more semantically than structurally... row oriented more than column).
    Both privileges that are granted to roles are also the basis for functional roles
    (a privilege that is granted so that a functional role has grant to trigger or execute some function or process).
    My question is:
    How do you handle modeling technology for analysis and design of role privileges and consolidation between database and functional roles?
    Grateful for any idea, experience and suggestions.

    Hello,
    Guess I was looking for the formal sequence of steps that would bring me to the
    ddls for "create role ..." and "grant privileges to role".
    You can do that.
    1) I assume you have logical model and it's engineered to relational model, also you have data flow diagram created
    2) You need to define information structures for flows connecting "Information store" to primitive process - attribute usage of particular entities should be defined for those "information structures" processed in flows
    3) You need to define create, update and delete operation for flow going from primitive process to store - read is assumed in opposite direction
    4) create a role in Process model and assign primitive processes to it - list of available processes to add depends on current data flow diagram
    5) You need an open physical model for your relational model
    6) Select "transfer process model roles to physical model roles" from context menu of top level DFD - select roles, relational and physical model there - roles with related permissions will be created in physical model
    Entity1 is divided in several subtypes for different business areas.
    And account manager for business_area1 is allowed to work on subtype1 ( view on prime table )...
    Different implementation of entity hierarchies are not processed correctly in that wizard - i.e to get permissions to table corresponding to child entity - that entity should be used in information structure and flow.
    Philip

  • CUP - Initiator for roles not requiring approval (i.e. auto provisioned)

    We recently upgraded to GRC 5.3, SP10 and started noticing that using CUP, for roles that should be automatically provisioned (i.e. no approval required), it is taking between 3 minutes 45 seconds and 5 minutes for the request to be successfully submitted and automatically approved with provisioning. I was wondering if anyone is experiencing similar system performance.
    Our set-up for auto provisioned role requests is as follows:
    1.  Created initiator INI_NO_APPROVE using role for attribute
    2.  Created stage STG_NO_STAGE  with Approver Determinator = No Stage
    3.  Created path definition PATH_NO_APPROVE with number of stages =2 and initiator = INI_NO_APPROVE
    Thanks!

    F.Y.I.
    As per SAP's recommendation, we applied note 1423983 in all target provisioning systems and this resolved the issue.

  • Approval work flow for Role based and Resource based

    Hi All,
    We have to implement approval workflows for the following things in OIM 9.1.0.1:
    Approval workflow for Functional Roles (Groups in OIM) (approvals required for users to get these roles)
    IT Roles (Resources in OIM) (approvals required for users to get these resources)
    Functional Role (Group) contains policy1, policy2. Policy1 contains res1, res2 and Policy2 contains res3, res4. I want to create an approval workflow for this Functional Role to achieve the following:
    User raises a request for the functional role, then it should wait to get manager approval. Then once it gets approval, that user account should be created on all resources which are involved in that group.
    And I have to define an approval workflow for all individual resources to get user account creation on the target with approvals. These resources may be included in the groups as well.
    After getting approval for the functional role (Group), will OIM start the approval flow for all resources involved in the group? Because all resources have an approval workflow at resource level also.
    My Goal: Approval workflow for Group should not process the approval workflow for resource. Can we do it in OIM 9.1.0.1?
    And can we do the same in OIM 11g also?
    Please help me and do let me know if you need any information from my end.
    Thanks.

    That's configurable, buddy! And possible in both 10g and 11g versions.
    Functional Roles: These are the groups/roles in OIM 10g/11g with access policies attached at the backend.
    - Create a dummy resource and name it Request Role or anything you like. Attach an Object Form to it and have a form field for Role Name; this would be a lookup type field linked to all OIM groups (leave out system values using a lookup query). So a user can select any OIM Group in this request as per configuration. Have approval workflows defined on this dummy resource Request Role and in its Provisioning Process make user/s a part of the requested group.
    - Now once the user is made a part of the group, the associated access policy would be invoked automatically and thereby provisioning. The only thing you need to keep in mind is to create the access policy without approval (there is a check box). If you do this the approvals would never be invoked even if you assign a group manually to the user, because it suppresses all the approvals in this access policy.
    IT Roles: These would be linked to the resource and you can define individual approvals on the resources as required. These approvals would be required if someone raises a request for these resources individually.
    Thanks
    Sunny

  • Initiater for Role removal.

    Hi,
       I need some update/input w.r.t. the Role removal Initiator. While configuring the role removal, is it possible to use the role status in the initiator? If not, how do we identify that this role is only for the role removal?
    Normally we use only one stage for Role removal. In the config, nowhere do we have an automatic check that the request is only for the Role removal. So we have to trust that particular stage's owners. As per the CUP automation check, is it possible to validate this?
    Thanks in advance.
    Regards,
    Vasantha Kumar.

    Hi Justin
    I'm assuming you are involved in or victim of a security access review. I'm usually one of those security guys asking for role or transaction removal and you are the main contact in the business coordinating the changes.
    The process of remediation will possibly consist of checking which transactions are causing segregation of duties conflict, if they are used or not and removing one side of the conflict by removing an unused transaction.
    It shouldn't require the entire contents of a role to be removed - rather swapping role A for role B without a transaction or two.
    Removing transactions that aren't used can have more subtle implications which hopefully are found during UAT but are usually missed until used in anger. This is what support is for after go-live.
    Saying all that, and depending on your time and skills, you could ask for access to the security person's test user in dev or qas where they are working to run transaction SUIM on transactions for the user following the proposed changes and compare that to the actual access of the real affected user in prod. If you can get access to the informer tab in Virsa you can use the standard simulation reports to also check the resulting conflicts, which will help you talk to the business and advise on actions available. There should be role owners involved in all this as they have to own the result: expect a request for these for CUP later on.
    If you can retain control and approval of the (controlled) changes being made to users you will have a better understanding of what is happening, catch potential errors and mediate between security and the business - you have an important task!
    Ask for some basic training in standard SAP reports - the security team should be more than grateful for your input
    Crikey that was hard typing on an iPhone!
    Cheers
    Edited by: David Berry on Jan 11, 2011 8:17 PM

  • OIM 11g: Issue while evaluating rule for Role Membership

    Hello All,
    I have configured few General Rules using 2 of our User Defined Fields, these general rules are used to determine role membership.
    What we observed that once "Identity Status" attribute is set to "Disabled" for OIM User Profile then OIM stops evaluating these configured General Rules for Role Membership.
    Env Details:
    Product Version: Oracle Identity Manager 11.1.1.5.0
    App Server: WebLogic Server Version: 10.3.5.0
    OS: Red Hat Enterprise Linux Server release 5.5
    Database: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64 bit
    Please let me know if any of you have encounter this issue and if there is any workaround available for it.
    Thanks,
    Shyam

    Re: OIM11g: Resource not revoked if the Identity Status is DISABLED
    XL.EvaluateMembershipForInactiveUser
    Workaround:
    You can make use of an Event Handler and assign that group with APIs.

  • I need the sap bw table names for ROLE's

    I need the SAP BW table names for roles.
    thanks

    Hi,
    AGR_1251 - Authorization data for the activity group
    AGR_USERS - Assignment of roles to users
    AGR_TCODES - Assignment of roles to Tcodes
    You can also try putting AGR* in your search.
    -Vikram
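    Both the role-maintenance threads above (which fall back on RFC_READ_TABLE for listing roles and transactions) and this AGR_* table-name reply end up in the same place: reading AGR_USERS, AGR_1251 or AGR_TCODES through RFC_READ_TABLE. As an added example, not code from either thread, the Python below builds the parameters that a pyrfc Connection.call('RFC_READ_TABLE', ...) takes and parses the fixed-offset rows the function module returns, run here against a constructed AGR_USERS result. The 72-character OPTIONS line limit and the FIELDS/DATA layout are the function module's real interface; the sample rows, role names and user names are made up. The RFC user used for this needs only table display authorization on the AGR* tables (S_TABU_DIS, or S_TABU_NAM on newer releases) and should carry nothing else, since RFC_READ_TABLE reads any table the caller is authorized for.

```python
"""Build RFC_READ_TABLE calls for SAP role tables and parse the result.
Added example; not code from the threads above."""
from __future__ import annotations

OPTIONS_LINE_MAX = 72   # RFC_READ_TABLE's OPTIONS-TEXT field is CHAR 72


def build_options(where: str, max_len: int = OPTIONS_LINE_MAX) -> list[dict]:
    """Split a WHERE clause into OPTIONS rows without breaking a token; the
    function module concatenates the rows into one dynamic WHERE condition."""
    rows: list[dict] = []
    current = ""
    for token in where.split():
        if len(token) > max_len:
            raise ValueError(f"token longer than {max_len} chars: {token}")
        candidate = f"{current} {token}".strip()
        if len(candidate) > max_len:
            rows.append({"TEXT": current})
            current = token
        else:
            current = candidate
    if current:
        rows.append({"TEXT": current})
    return rows


def read_table_params(table: str, fields: list[str], where: str,
                      rowcount: int = 0) -> dict:
    """Keyword arguments for pyrfc's Connection.call('RFC_READ_TABLE', **params).
    DELIMITER stays empty so values come back at the fixed offsets reported in
    FIELDS, which parse_read_table relies on."""
    return {
        "QUERY_TABLE": table,
        "DELIMITER": "",
        "ROWCOUNT": rowcount,
        "FIELDS": [{"FIELDNAME": f} for f in fields],
        "OPTIONS": build_options(where),
    }


def parse_read_table(fields: list[dict], data: list[dict]) -> list[dict[str, str]]:
    """Slice each DATA row (WA, a CHAR 512) using OFFSET/LENGTH from FIELDS.
    RFC clients right-trim character values, so a row whose trailing fields
    are blank comes back shorter than the layout; pad so every slice is taken
    from a full-width row."""
    layout = [(f["FIELDNAME"], int(f["OFFSET"]), int(f["LENGTH"])) for f in fields]
    width = max((off + ln for _, off, ln in layout), default=0)
    records = []
    for row in data:
        wa = row["WA"].ljust(width)
        records.append({name: wa[off:off + ln].strip() for name, off, ln in layout})
    return records


def users_with_role(records: list[dict[str, str]], role: str, on_date: str) -> list[str]:
    """Users whose AGR_USERS assignment of `role` is valid on on_date
    (YYYYMMDD; ABAP dates compare correctly as strings)."""
    return sorted(r["UNAME"] for r in records
                  if r["AGR_NAME"] == role and r["FROM_DAT"] <= on_date <= r["TO_DAT"])


# Constructed sample resembling RFC_READ_TABLE output for AGR_USERS:
# field metadata echoed back in FIELDS (NUMC values arrive as strings),
# one right-trimmed WA string per row in DATA.
SAMPLE_FIELDS = [
    {"FIELDNAME": "AGR_NAME", "OFFSET": "000000", "LENGTH": "000030", "TYPE": "C"},
    {"FIELDNAME": "UNAME",    "OFFSET": "000030", "LENGTH": "000012", "TYPE": "C"},
    {"FIELDNAME": "FROM_DAT", "OFFSET": "000042", "LENGTH": "000008", "TYPE": "D"},
    {"FIELDNAME": "TO_DAT",   "OFFSET": "000050", "LENGTH": "000008", "TYPE": "D"},
    {"FIELDNAME": "EXCLUDE",  "OFFSET": "000058", "LENGTH": "000001", "TYPE": "C"},
]


def _wa(role: str, user: str, from_dat: str, to_dat: str, exclude: str = "") -> dict:
    return {"WA": (role.ljust(30) + user.ljust(12) + from_dat + to_dat + exclude).rstrip()}


SAMPLE_DATA = [
    _wa("Z_FI_AP_CLERK", "JDOE", "20240101", "99991231"),
    _wa("Z_FI_AP_CLERK", "MSMITH", "20230101", "20231231"),   # expired assignment
    _wa("Z_BC_BASIS_ADM", "ASCOTT", "20240301", "99991231"),
]

if __name__ == "__main__":
    print(read_table_params("AGR_USERS", ["AGR_NAME", "UNAME", "FROM_DAT", "TO_DAT"],
                            "AGR_NAME LIKE 'Z_FI%' AND TO_DAT >= '20240615'"))
    records = parse_read_table(SAMPLE_FIELDS, SAMPLE_DATA)
    print(users_with_role(records, "Z_FI_AP_CLERK", "20240615"))
```

    The same parser serves AGR_1251 (authorization values per role) and AGR_TCODES (transactions per role); only the field list in read_table_params changes. Filtering on TO_DAT matters for the role-listing use case: AGR_USERS keeps expired assignments, so without the date check a review would report users who no longer hold the role.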
