AD Account Provisioning

When I try to provision an AD account to an OIM user, the process task "System Validation" status says "Pending". I have tried this many time, for multiple users. Same response. The process does not go beyond System Validation.
I can edit the "Process Form" for the request and I see that the field "Domain" is empty. This corresponds to the IT Resources Field in my form. IF I lookup for whats available, I see my IT Resource "Local AD". I select it and click save. Nothing happens. The form does not save.
what could be wrong here ?

Do you have another non-conditional task on your provisioning process, like the Create User task?
As for System Validation starting out pending, this happens if you do not have your provisioning process definition set to Auto-Save. You also must make sure to populate all required fields.
-Kevin

Similar Messages

OIM 11g r2 disabling multiple account provisioning

Hello all,
I have a question, in oim 10g and 11g, on resource object there was a "allow multiple" checkbox.
So you could configure your resource if you want to prevent it from multiple provisioning.
But in 11gr2 I cannot see that checkbox.
How can i configure my resource as it is going to disable multiple account provisioning?

Is there anyone who can help?

Service account provisioning

Hi all,
I have read in the documentation(Design Client) that OIM connector provides different prvisioning process for Service account (there are alltogether separate tasks for these accounts under process definition) and Normal account for each target resource. Could any one please elaborate me how to process service account provisioning (if there is any difference) as there is no documentation stating underline.

Hi ,
I am having the same concern. I want to implement service account management through OIM ,OOB AD connector provides by default tasks to handle service account scenerio. Please provide the suggestion regrding the implementation of service account provisioning, if there is any document related to it, will be quite helpfull.
Thanks
Edited by: user8634889 on Sep 15, 2009 11:09 PM

OIM 9.1 AD Account Provisioning

Has anyone ran into the scenario where you go to provision an AD account and the process fails because the account already exist on the target which results in the resource status remaining as "provisioning". I expected that status to change to "provisioned" once a recon was ran which would link the account to the OIM user but it didn't. The recon linked the account but from the user's resource profile you can see that it didn't.

first of all when the account with the same id is found on Ad, it may necessarily not be that of the user unless you have ascertained that. If you want the adapter to return a success what you should have done is mapping the user_already exists retrun code to C for completed instead of an R for rejected, which is why the resource is going into a provisioning status.
BTW does your create user task or whatever task last gets executed before the provisioning is deemed as complete have the task to object status mapping set to C=Provisioned?
What you will need to do is, revoke the AD resource from the user's resource profile list and then run the recon, the account should now be linked to the user if the owner matching rules match up to the identity in oim.

How to solve the dn collision in AD during AD account provisioning

Hello,
I have multiple users with the same last name, first name and middle name.
We decided to build the full name using the rule:
lastName, firstName
OR lastName, firstName# (if the lastName, firstName already exists, add a number and the number just get incremented as needed).
OR lastName, firstName MiddleInitial (if exist middleName exists for user)
I wrote the code to prepop the FullName field in the AD process form and the code works fine.
But when OIM is trying to create the AD account, I got the error:
In the Create User, rejected task:
Response: AD Invalid data error
Response Description: Could not create user as the formed account name contains special characters
The log file showed:
ERROR,16 Jul 2011 17:19:02,018,[OIMCP.ADCS],The error occured in tcADUtilLDAPController::createObject():[LDAP: error code 80 - 00000057: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0
^@]
ERROR,16 Jul 2011 17:19:02,018,[OIMCP.ADCS],Invalid Data Error encountered
Invalid Data:[LDAP: error code 80 - 00000057: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0
The full name in the AD process form has the value: Garcia Jose C2
That means AD does not like the full name to contain a number?
How can I fix this problem because we have a lot of dn collision in the same OU? We would like to guarantee uniqueness of dn across the domain.
Thank you.
Khanh

Hi,
You can try making an LDIF file with a example name that you would produce, then, on Windows, try using ldifde.exe to import that LDIF file into the AD, and see if it gets you an error. That would tell you whether or not AD is willing to accept the name format you're trying to use.
Jim

Gmail User Account Provisioning

Hi,
We are using FIM 2010 to provision our IODS users to Gmail, We have almost 700,000 user objects in IODS so running full sync profiler for IODS to get the user objects in meta verse is taking a lot of time.So i am thinking if there is any powershell script
which we can user to provision users in Gmail.
Thanks,
Rakesh

Typically the Google tools GADS, which is their rough equivalent of DirSync, will create Gmail users from AD OUs or some other LDAP repository. This is the standard that most Google Apps deployment follow so you should look into that path before going
down the Powershell route. Since you have to provision 700k+ users, I really think following Google best practices is key here. Are you working with a Google Apps implementation partner for this? If so they should have someone that can give
you best practices on this. That being said, here is the
link to the Google Powershell cmdlets.
Scott
If this post has been useful please click the green arrow to the left or click Propose as answer

Provision Migration Source Proxy Account wizard broken

I cannot get the "Provision Migration Source Proxy Account" to complete. All fields are filled in according to the documentation, but when I click Yes to the confirmation box, I get "Migration proxy account provisioning failed: eDirectory NWDSCCODE: ERR_SYSTEM_ERROR [-319]".
When I check eDirectory, the Migration Proxy Account has been created and has Supervisor rights to the root of the tree. Everything seems to have been completed on the eDirectory side and the "Migration Source Information" in NSMAdmin has Source Tree Name and Migration Proxy Account, but the Default Server Address is blank.
This is NSM 3.0.1 for Active Directory. Any ideas where I go from here?

Stober,
NSM does not support multiple target paths in DFS. I believe that having
multiple target paths configured is the problem that your experiencing
for both this target path issue, along with your quota issue.
thanks,
NSM Development
On 2/28/2011 11:06 PM, stober wrote:
>
> I'm also posting this in the thread about Quotas and DFS, since I think
> they're the same problem. I'm not our storage guy, so I don't know a lot
> about DFS. I've been reading up on it and I think the issue with the
> "DFS link has multiple target folders" error is related to how we have
> DFS replication set up.
>
> We have two servers set for replication. The intent was that users
> would use one server and it if failed, it would fail over to the second,
> which contains a replica of all data. Both DFS target links for these
> servers are Enabled. I think Storage Manager is seeing both servers when
> pointed to the DFS namespace and doesn't know which to use, hence the
> "multiple target folders".
>
> Is anyone else using DFS replication and seeing similar issues? I'm
> going to test this tomorrow by disabling one of the target links and
> seeing if quotas and migration both start working. I'll post back
> results. If that works, I'm going to have a fight on my hands on how DFS
> replication should be set up. Hopefully, someone knows a secret setting
> to make this work instead of changing all of our DFS setup.
>
> stober;2080140 Wrote:
>> I can now get the Migration wizard to run, but it won't actually move
>> folders. In the Preview, I get "293 The specified DFS link has multiple
>> target folders." This is the same error I get when trying to set quotas
>> (see my other post in this forum about quotas in AD). Does SM not
>> support DFS? Is my DFS misconfigured somehow or is there an "approved"
>> configuration to work with SM?
>
>

CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

Hi All,
I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
Here is an example of the audit trail log from Change Account:
Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14
Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
Auto provisioned for request on 06/28/2010 17:14
   User Provisioning failed for System(s) : DEV. Error Message :
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure
   Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
Note: the role names were replaced with "xxxxxxx."
The system log gives an error, but it is very vague:
2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
com.virsa.ae.service.ServiceException
     at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
     at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
     at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
Any ideas or suggestions?
Current software level AC5.3 SP12.
-Dylan

Hello Varun,
Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. You question prompted me to do more testing with very interesting results.
Results
New Account with User Defaults configured:
User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
New Account without User Defaults configured:
User provisioned successfully, no Auto-Provision error.
Change Account with User Defaults configured:
User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
Change Account without User Defaults configured:
User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
What about on your side? Am I the only guy using SP12 here?

OIM 11g R2 - Transferring accounts from one user to another user

Hi,
In OIM 11g R2,we have a requirement that we need to transfer accounts from one user to anothe user.For example,an user "User1" has AD and Exchange Accounts provisioned.Now we wanted to to transfer these AD and Exchange accounts to another user "User2".May I know how this can be done ?.Thanks

    public void moveAccount(){
        try {
            long newUser = xxxxx;
            long oiuKey = xxxxxx;
            userIntf.changeToServiceAccount(oiuKey);
            userIntf.moveServiceAccount(oiuKey, newUser);
            userIntf.changeFromServiceAccount(oiuKey);
        }catch(Exception e){
            e.printStackTrace();
-Kevin

Surcharge to be post using two deferent GL accounts

Hi Guys,
I have customer requirement to post a surcharge using of two G/L accounts for each line item,
Say Exu2026
Surcharge item condition ZTM1 have value Rs 1000/- need to post two G/L account same amount with out change 1) 2000014141 2) 7000014141,
I have updated the both GL accounts in VKOA in GL account/Provision account, created condition type assigned to pricing procedure , done other settings , created invoice , in the condition if I double click I can see both GL accounts in the invoice but the condition value is posted to first GL account not posted to second GL account.
Is there any routine or SAP notes for this issue to fix?

Following is accounting entry during Billing Document release to accounting:
|Customer Acc. |Dr| |1060| |
|Sales Revenue Acc. | |Cr| |1000|
|Tax Account| |Cr.| |60|
This is if you have Price inclusive of taxes. And you collect taxes from customer with the base price of the material.
Do want account entries like this?
Option1
|Customer Acc. |Dr| |1000| |
|Sales Revenue Acc. | |Cr| |940|
|Tax Account| |Cr.| |60|
OR
Option2
|Customer Acc. |Dr| |1000| |
|Sales Revenue Acc. | |Cr| |1000|
In either of the case, check your pricing procedure & respective account entries.
Else, if you looking for accural entries of taxes then the accounting entries will be
|Customer Acc. |Dr| |1060| |
|Sales Revenue Acc. | |Cr| |1000|
|Defer Tax Account| |Cr.| |60|
AND
Check GL Account 7000014141 in FBL3N.
|Defer Tax Account |Dr| |60| |
|Tax Account| |Cr.| |60|
Incase of nay further concern or doubt, do revert back to us.
Regards
JP

Pre-populate adapters behaviour during role based provisioning

Hi all,
I have a question about pre-populate adapters behaviour during role based provisioning.
I'll sortly describe our architecture: we have OIM 11.1.1.3, Active Direcotry connector and obviously Active Directory as target system.
Our scenario is: assigning a role to a user , OIM should provision two account for this user to the same target system but in two different organizational unit (Active Directory).
Here some sample information to better understand our request:
- OIM User userID: userid1
- Active Directory IT Resource: ADServer1
- Active Directory Organizational Units: OU1 and OU2
- Role: Example Role
- UserID of the account provisioned in OU1: admin.userid1 (in this organizational unit the UserID is composted by a prefix "admin." and the OIM User UserID "user1")
- UserID of the account provisioned in OU2: user.userid1 (in this organizational unit the UserID is composted by a prefix "user." and the OIM User UserID "user1")
To achieve this goal, we have created two access policies AP1 and AP2. The first access policy provision the user account in OU1; while the second one in OU2.
Here some access policies form details:
### AP1 ###
- AD Server: ADServer1
- Organization Name: OU1
(other fields are empty)
### AP2 ###
- AD Server: ADServer1
- Organization Name: OU2
(other fields are empty)
Our idea was to develope two pre-populate adapter: one to compose the userID with "admin." prefix and the other one to compose userID with "user." prefix. However this solution cannot work because obviously you can link only one pre-populate adapter to a resource form field.
Any suggestion to avoid to create a second resource form?
Thank in advise,
Daniele

Hi,
probably your confusion is caused by my english....anyway....
I'm trying to generate two userids and in our scenario it's simple map the organizational units. For example userids in organizational units OU1 have "admin." prefix; while organizational units OU2 have "user." prefix.
Do you suggest to create a pre-populate adapter that use a lookup to set the correct prefix based on organizational unit name?
Thank you
Daniele

Provisioning tasks not getting initiated when done in bulk

Hello IDM Gurus,
Needed your help with an issue we're currently facing; We're having an odd problem with provisioning/deprovisioning to our ABAP repositories. For each repository we are using the Add Member/ Remove Member tasks; for all repositoies, both the Add Member and Remove Member event tasks trigger a similar task that basically through the means of a script checks to see whether a user already has privileges within the target repository or not, then accordingly either adds the new privilege to the existing account or creates a new account and adds the new privilege; after the initial check is made, the decision on whether to add the privilege to the existing account or create a new one and add the privilege is done through a uProvision call from the script itself to the appropriate provisioning task for the specific repository in question; the check for whether the account exists or not is done within the Provisioning task itself.The same process is followed for deprovisioning as well. An example of how this would work is:
JohnDoe has no account in Repository A;
Privilege X (associated with repository A) is added to his account;
The script is called and a check is made; the provisioning task for repository A is called;
The provisioning task checks and sees that JohnDoe doesn't have an account in repository A, so an account is created and Privilege X is added to the new account.
After this, we add two new privileges Y and Z(both associated with repository A) to JohnDoe
The script is called and a check is made; the provisioning task for repository A is called;
The provisioning task checks and sees that JohnDoe has an account in repository A, so the two new privileges are simply added to the existing account.
This all works perfectly as long as we only work with one repository at a time; i.e. only add and remove privileges from one repository at a time; make all changes related to privileges for one repository; hit update; then try doing the same again for another repository. Whenever we make multiple changes related to multiple repositories, random things start happening, some changes go across in full, but some just don't; there's no logic in why certain changes happen and certain don't.
Does this have something to do with working with just one dispatcher? is it not able to handle that many changes at once? I tried using privilege/assignment grouping for each repository, grouping it by repository name as it should inherently group add and remove task, but even that didn't have any effect. Privilege changes were still going missing.
Any suggestions / ideas to rectify this behavior?
I would appreciate any help with the issue! Thanks in advance!
Best regards,
Sandeep

Hey Matt,
Thanks a lot for your quick response! I tried changing the number of runtime engines from the default of 1 to 4 but it had no effect; I added 3 roles for 3 systems but only one system got an account provisioned to it; is 4 not enough? should I try a higher value? is the uProvision script not supposed to be called or used in that fashion for multiple simultaneous calls?
If looking at the backend to resolve this, would I need to only be looking at the MXP_PROVISION and MXP_AUDIT tables?
Thanks a lot in advance!
Best regards,
Sandeep

Adding new Corporate Account

I am having trouble adding my corporate email account as an account. When I enter my email address and password then click next, it searches for messages then says the username and password is incorrect. It won't take me to the screen to add my username and corporate domain. Any ideas?

sharken wrote:
I am having trouble adding my corporate email account as an account. When I enter my email address and password then click next, it searches for messages then says the username and password is incorrect. It won't take me to the screen to add my username and corporate domain. Any ideas?
When setting up a corporate email, the account provisioning is often overlooked and the corporate email account cannot be properly setup. Is your account provisioned with the Enterprise Data plan ($44.99/month) needed to access corporate email accounts?
If you have the $29.99 consumer data plan and want to access your corporate email account please login to your My Verizon account and upgrade your data plan to the Enterprise Email data plan. We can also upgrade your data plan by phone if you dial *611 on your mobile phone to contact our Customer Service Department.

OIM11gR2 - Exchange 2003 provisioning

Hi All,
I am getting teh following Error while doing accesspolicy base provisioning the exchange 2003.
But it is working when i am provisionig manually.
OIM version : 11gR2 Ps1
Websphere : 7
AD : 9.1.1.4
exchange 2003 : 9.1.1.4.0
<14-Jan-2014 16:11:33 o'clock GMT> <Error> <oracle.iam.provisioning.spi> <BEA-000000> <An error occurred in oracle.iam.provisioning.spi.DOBProvisioningUtil while populating account data and the cause of error is For input string: "".>
<14-Jan-2014 16:11:33 o'clock GMT> <Error> <oracle.iam.provisioning.util> <BEA-000000> <An error occurred in oracle.iam.provisioning.spi.DOBProvisioningMechanism/getAccountsProvisionedToUser while getting accounts provisioned to user with key 2091 and the cause of error is oracle.iam.provisioning.exception.GenericProvisioningException: An error occurred in oracle.iam.provisioning.spi.DOBProvisioningUtil while populating account data and the cause of error is For input string: ""..>
<14-Jan-2014 16:11:33 o'clock GMT> <Error> <oracle.iam> <BEA-000000> <Exception : oracle.iam.provisioning.exception.GenericProvisioningException: An error occurred in oracle.iam.provisioning.spi.DOBProvisioningMechanism/getAccountsProvisionedToUser while getting accounts provisioned to user with key 2091 and the cause of error is oracle.iam.provisioning.exception.GenericProvisioningException: An error occurred in oracle.iam.provisioning.spi.DOBProvisioningUtil while populating account data and the cause of error is For input string: ""..>
<14-Jan-2014 16:11:33 o'clock GMT> <Warning> <oracle.adf.controller.faces.lifecycle.Utils> <BEA-000000> <ADF: Adding the following JSF error message: IAM-4065016 : An error occurred in oracle.iam.provisioning.spi.DOBProvisioningMechanism/getAccountsProvisionedToUser while getting accounts provisioned to user with key 2091 and the cause of error is oracle.iam.provisioning.exception.GenericProvisioningException: An error occurred in oracle.iam.provisioning.spi.DOBProvisioningUtil while populating account data and the cause of error is For input string: ""..
oracle.iam.ui.platform.exception.OIMRuntimeException: IAM-4065016 : An error occurred in oracle.iam.provisioning.spi.DOBProvisioningMechanism/getAccountsProvisionedToUser while getting accounts provisioned to user with key 2091 and the cause of error is oracle.iam.provisioning.exception.GenericProvisioningException: An error occurred in oracle.iam.provisioning.spi.DOBProvisioningUtil while populating account data and the cause of error is For input string: ""..
        at oracle.iam.ui.platform.exception.OIMErrorHandler.reportServiceException(OIMErrorHandler.java:172)
        at oracle.iam.ui.platform.exception.OIMErrorHandler.reportException(OIMErrorHandler.java:66)
        at oracle.adf.model.binding.DCDataControl.reportException(DCDataControl.java:411)
        at oracle.adf.model.binding.DCBindingContainer.reportException(DCBindingContainer.java:416)
        at oracle.adf.model.binding.DCBindingContainer.reportException(DCBindingContainer.java:471)
        at oracle.adf.model.binding.DCIteratorBinding.reportException(DCIteratorBinding.java:403)
        at oracle.adf.model.binding.DCIteratorBinding.executeQuery(DCIteratorBinding.java:2144)
        at oracle.iam.ui.authenticated.myaccess.bean.MyAccessAccountsBean.refreshMyAccessAccountsList(MyAccessAccountsBean.java:680)
        at oracle.iam.ui.authenticated.myaccess.bean.MyAccessAccountsBean.refreshMyAccountsList(MyAccessAccountsBean.java:718)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.sun.el.parser.AstValue.invoke(AstValue.java:187)
        at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:297)
        at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53)
        at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1256)
        at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183)
        at oracle.adf.view.rich.component.fragment.UIXRegion.broadcast(UIXRegion.java:148)
        at oracle.adf.view.rich.component.fragment.UIXRegion.broadcast(UIXRegion.java:148)
        at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:102)
        at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
        at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
        at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
        at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:96)
        at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:1018)
        at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:386)
        at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:194)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
        at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.adf.view.page.editor.webapp.WebCenterComposerFilter.doFilter(WebCenterComposerFilter.java:117)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
        at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
        at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
        at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
        at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
        at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
        at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.iam.ui.platform.servletfilter.IdentityContextFilter.doFilter(IdentityContextFilter.java:50)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.iam.platform.servletfilter.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:164)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.bpel.services.workflow.client.worklist.util.WorkflowFilter.doFilter(WorkflowFilter.java:248)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.bpel.services.workflow.client.worklist.util.DisableUrlSessionFilter.doFilter(DisableUrlSessionFilter.java:70)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:179)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
        at java.security.AccessController.doPrivileged(Native Method)
        at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
        at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
        at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
        at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
        at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Thank you

Hi,
I think that you have to fill mandatory attrbute in exchange form.
Please fill User Logon Name, Recipient Type, Database, Alias attributes on exchange user form while provisioning.

Future direction of User Provisioning Tools ( GRC CUP or IDM)

Hi Security Colleagues,
We all know that SAP has GRC CUP(Access Enforcer) and NW IDM for provisioing.
We can use either of toll for user provisioning.
Based on your experience , what is the best tool ? ofcourse ,It changes from one company to other depends on requirements.
I am noticed that lot of SAP devlopment activity going on around IDM.
Based on SAP's future direction, what is the best tool ?
Its a common problem for most of SAP customers as SAP is giving IDM freely as part of NW license.
please share your thoughts..
Thank You.

For Futuristic product availabliliy, I always prefer the following two places to check. Can you please also check their?
http://service.sap.com/pam
http://service.sap.com/scl
Check the following Two points under the 2nd Link:
Scenario & Process Component
SAP's Release Strategy
Now based on your query I will also stick to the suggestions given in the Other two posts. To add few more points which you may get helpful I would like to emphasize on the below discussion:
u2022 SAP NetWeaver Identity Management helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems.
u2022 The solution provides an authoritative, single source of user information and enables self-service management of user information and authorizations using workflow technology.
u2022 In many cases resources such as meeting rooms, PCs and mobile devices, which all may have their own identity in some context, can be included in an identity management solution.
Out of all other points, lets discuss about Provisioning:
u2022 The term provisioning is often used to denote user provisioning or account provisioning.
u2022 The functionality includes:
o creation of accounts
o setting initial passwords
o setting and modifying access rights
o disabling (revoking) an account
o deleting an account
u2022 The overall purpose is to make sure an identity (for example a user) has the correct access to the applications.
u2022 User provisioning products also include workflow capabilities to apply business rules to the account provisioning process and typically provide user self-service capabilities (e.g., password reset)
(All these details I picked up and pasted here from different section of a Solutioning Material I prepared for my company to introduce IDM solutions to my customer... couldn't give here properly due to space constraints). You can understand the Importance SAP is imposing on this product for All aspects of Automating Security and Identity of Living and Non-Living staffs as well. By using this you can get more benefits besides of Provisioning which is available in separate Solutions under other products like Virsa etc. Please go through the relevant materials available in the IDM Forum (Bernhard provided u the link) to understand go for an realization assessment.
regards,
Dipanjan
Edited by: Dipanjan Sanpui on Oct 5, 2009 11:42 AM

AD Account Provisioning

Similar Messages

Maybe you are looking for