AD provisioning - Prepopulate Attributes

Hi everyone,
In OIM 11g R2,
I want to provision to AD.
I can this operation.
But I can not pre-populate attributes.
In AD user form, some pre-populate attributes is defined.
In AD provisioning process definition, auto-prepopulate is selected.
What else do I have to do in OIM to carry pre-populate attributes to AD provisioning form.
Thanks.
Best Regards.

this is bug with the current version of r2 release. many persons has faced the same issue.
Actually pre-populate is happen but you can see only after resource is provisioned. and same is not available under catalog page while requesting.
find the other thread.SR has been raised by this user and you can communicate with him for same.
Re: prepopulate form while requesting
--nayan

Similar Messages

Groupwise provisioning - 'MailboxExpDate' attribute

I am working with a customer who is using Oracle Waveset 8.1, and is provisioning to Groupwise via the NDS adapter. In SIM 7.1 Groupwise was provisioned through its own adapter and it supported the management of the 'MailboxExpDate' attribute. However the combined NDS/Groupwise adapter in 8.1 does not seem to support the management of this attribute.
Has anyone else come across this? If so, how did you get around this limitation?

Hi,
I think I already explain what you need to do but let me give you some more details.I can not provide any documentations.
1.For first approach you need to go to database provisioning process and then you add a new conditional task which will update the email field.Add your adapter which will update the email field in database.Now go to ""Reconciliation Insert Received" task in same provisioning form and then go to Response and Assign your newly created task on "Event Processed" response.If you are new in OIM then this will be simplest approach.
2.For second approach there are many post in forum for creating entity adapter. You need to create an adapter of type entity and in that adapter you will have execution schedule as pre-insert,post-insert and so on.The entity adapter code will update email in database.Now you need to attach this adapter in Provisioning form which you can find "Business Rule Definition"->Data Object Manager->Search for your form name and then attach your entity adapter.
Regards
Nitesh

Provision Process Form - Propopulate Field Problem

Hi everyone,
I mentioned this problem last week in OTN.
AD provisioning - Prepopulate Attributes
My problem is a bug and I found this bug.
Bug id : 14761208 in Oracle Support.
But there is no detail information on Oracle Support.
If this is bug and If I have to develop a button on provision form to fill prepopulate fields, how can I develop this button?
Thanks.
Best regards.
Edited by: JuniorOimDeveloper on Oct 30, 2012 8:53 AM
Edited by: JuniorOimDeveloper on Oct 31, 2012 2:35 AM

Hi Abhi,
Can you tell me how you have implemented populating an UDF based on Prepopulation of another UDF. I have a similar kind of requirement. It would be great if you share your code or relevant part of it.
Regards,
Sunny Ajmera

OIM 11.1.1.5 provisioning role based objectclasses and attributes

TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
Some background:
I have configured our oim 11.1.1.5 instance and LDAP connector to provision ODSEE. At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them. In ODSEE, sets of attributes are allowed through objectclasses for each 'Role'. ie. Student, Employee, Guest, etc objectclasses. I have all of the roles identified in OIM and can map them to an objectclass in LDAP
My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations?
Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
Should I create a child form containing the objectclasses and try to provision them?
Can/should I create a child form for each set of attributes by role? Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc. Would prepop and the rest of the main form functions work the same?
Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
Any help will be greatly appreciated and thank you in advance

It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
There may be a smarter and more out of the box way to do it but this will work.
Martin

Peovisioning multivalued attribute to a Detail table in SQL using GTC

I have a trusted recon set up from Sun LDAP to OIM followed by auto provisioning to SQL's "MyUser" table using GTC. This works fine so far.
Now the difficult part of the requirements. I have a multi-valued attribute called 'AppRoles' associated to User in Sun LDAP. I want to provision this attribute to SQL's "MyUserToRole" table (this is a detail table of Master "MyUser" table). What should be the best approach to do this task ?
Thanks!
Kabi

For Look-Up:
Once you run Trusted Recon, all your AppRoles are inserted into this look-up as different rows for different users. Use OIM API's for that. A basic structure could be like following:
Code - Decode
User01 - Role01,Role02
User02 - Role02,Role03,Roel04
User03 - Role08,Role12
This way all the roles are stored in this look-up. Bu the only issue with this could be the modification in the look up manually which could be tolerated as their are glitches with almost every solution implemented.
For UDF Field
Yes, their would be a limitation in the Text Area field and it is *200* characters. So if that is the case then you should go for Look-up which doesn't have such restrictions at-least for your requirement.

Provisioning of groups to AD using AD connector

I want to provision groups from OIM to AD. I came to know from the AD connector guide that we can provision groups to AD.
My problem is i found that connector provisions only the following attributes to AD (Group Name, Organization Name, objectGUID, Group Type, Group Display Name).
I want to provision other attributes also like Group Scope to AD apart from the one provided above by the connector. How can i achieve this??

I want to provision groups from OIM to AD. I came to know from the AD connector guide that we can provision groups to AD.
My problem is i found that connector provisions only the following attributes to AD (Group Name, Organization Name, objectGUID, Group Type, Group Display Name).
I want to provision other attributes also like Group Scope to AD apart from the one provided above by the connector. How can i achieve this??

Multiple IT Resources for LDAP Server?

All,
I have a client with several Sun Java System Directory Server (SJSDS) instances, each containing separate user repositories. The schemas for each SJSDS instance have been customised - uid is not the user identifier attribute, nor is inetorgperson the user objectClass.
I have imported the SJSDS connector and am stuck at how I can represent these multiple real-world SJSDS instances in OIM. I understand that I can create separate IT Resources for each SJSDS instance, complete with their individual hostnames and IP addresses; this makes sense. However, according to the "Extending the Functionality" guide (http://download.oracle.com/docs/cd/E11223_01/doc.904/e10446/custom.htm#CIHDDEGA), the user identifier attribute and objectClass seem to be defined at the connector level through the Lookup.iPlanet.Configuration Lookup Definition? Am I correct in therefore assuming that this means all of my LDAP Server IT Resources have to share the same user identifier attribute and objectClass?
Can anyone suggest how I might be able to define unique settings for attributes such as the user identifier attribute and objectClass for each LDAP Server IT Resource? What is the standard approach?
Also, I read that there is a one-to-one relationship between a process task and its adapter. Does this therefore mean that I should create separate "Create User" adapters for the Process Definition associated with each IT Resource implemented?
Any guidance / clarification would be greatly appreciated :-)
Damian

See this is the underlying assumption for multiple instances creation in OIM for any target system:
- Create multiple IT Resources of same IT Resource type. Each one will have individual connection parameters specified in it. You know that.
- Now while provisioning, you just select anyone of this IT Resource as required, so your request is directed towards the required target.
Note
- It considers that you are always provisioning same attributes to all those targets because you will always see same process form for all targets.
- You have same objectClass for all.
- You have same 'Unique Attribute' and 'Key Fields' for reconciliation.
- Although you can modify the IT Resource for providing different attribute list for prov and recon based on your target system by providing different values for look up's in place of- AttrName.Prov.Map.iPlanet and AttrName.Recon.Map.iPlanet. But since RO, Process Form etc all are same so no such real usage.
Note - Lookup - 'AttrName.Prov.Map.iPlanet' has got one attribute objectclass. See if modifying it works. But in OIM process form, attributes will always be same
Work-Around if above doesn't work
The only thing you can do is replicate one instance of SJSDS multiple times within OIM for every OIM object. Say if you want 5 different instances of SJSDS then like following:
- Create 5 identical RO, Process Form, rules, Process Definition, Lookup's etc within xml for every OIM object that you thing will change for all these 5 instances. If anything is common then let all the 5 refer to it. Do it by copying + renaming xml.
- Now import everything in OIM. So now you can see 5 different RO like SJSDS1, SJSDS2 ,SJSDS3 .. etc for all these 5 instances and they will behave differently with no overlapping and you can configure these individually.
- But this is very critical procedure. You need to take proper care while replicating.
Hope it helps.
Thanks
Sunny
Edited by: rajsunny

Is it possible to incorporate a "Manual Over-ride" feature in FIM 2010? i.e. during a target sync, skip the MV entry.

We are stuck on a FIM design.
We have a column in our SQL feed table to FIM MV named "ManualAction"
What we want to happen is that if this column has the value "YES" then FIM will not synchronize the MV entry to attached sources e.g. AD and FIM Portal.
If we try connector filter-ing on column ManualAction equals YES we either disconnect and preserve the MV attributes provided or disconnect and nullify those MV attributes. This is not what we want.
We want somehow to instruct FIM not to synchronize this MV entry if MV.ManualAction == YES
Could this be do via a Rule extension somehow??
The point of the Manual flag is that an Administrator may set one or more attributes in an AD account deliberately and does NOT want them overwritten by FIM even though the usual authoritative source value differs...
What we are thinking is ... is it possible to instruct FIM to 'skip' this MV entry at target resource(s) sync time.
I admit, I am not optimistic but I thought I could ask the FIM experts.

Hello,
you can do this for normal MA in some more and maybe granular ways.
consider to sync the ManualAction also to MV and use this in manual precedence code of attribute flows in combination with lastwriter/contirbutor of the attribute.
With this you have the manual attribute values from ex. AD also in MV and so in Portal.
This is more granular because you can only have a override on the attributes you need while flowing other attributes by normal sync.
Portal is a bit restricted as you can not control the provisioning and attribute flows with code. Whats in your MV will be providioned and exported to Portal 1:1 (if there are flows of cource).
To have advanced flows on Portal MA you can implement a solution called replay MA.
See:
https://unifysolutions.jira.com/wiki/display/FIMTEAMCOM/2014-01-22+-+FIM+Replay+MA
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com

OID Trusted reconciliation failed

Hi,
I am trying to do trusted reconciliation from OID. Reconciliation task is failed and following are the error logs found:
ERROR QuartzWorkerThread-1 XL_INTG.OID - ====================================================
ERROR QuartzWorkerThread-1 XL_INTG.OID - Exception at com.thortech.xl.integration.OID.schedule.tasks.tcTskOIDUserReconciliationprocessBatch(): [B cannot be cast to java.lang.String
ERROR QuartzWorkerThread-1 XL_INTG.OID - ====================================================
I am trying to reconcile the OOTB fields (cn,sn,givenName,userPassword) and 2 user defined fields (text based).
Can anyone let us know when this casting exception will be thrown?
- Kalyan Mutya

Yep mappings are poor, I created an entity adapter for the EMP_TYPE & USR_TYPE, users are reconciling.
There is still an issue with the reconciliation.
I can provision all attributes on the OIM user account to their coresponding OID attributes, but when I reconcile I process all attributes, but the xellerate user only links the default ones
LastName
Organization
First Name
User ID
Xellerate Type
Email
Role
I have checked and rechecked the mappings, This is on 9.0.3.1672 using the 9.0.4.1 connector.
Any ideas?

Department and Division in Identity Template not updated

Hi all,
I was recently trying to populate the attributes Department and Division dynamically for Active Directory like AccountId by doing the following in Identity Template
cn=$accountId$,ou=$Department$,ou=$Division$,dc=com
But this doesn't seem to work . IDM doesn't seem to recognize this.
I will be glad if somebody can help me with this.
Thanks in advance!!
regards,
Zebra8

You're not alone, I have similar problem. Unfortunately, none of the forum posts that touch on this specific problem and/or say they found a solution, provide a specific (connect the dots) solution:
Assign users to virtual organisations? -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5244414
missing attribute container required by the identity template for resource -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5220580
missing attribute firstinitial required by identity template for resource -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5164606
'i' in employeeId -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5136857
Is it possible to set identity template dynamically? -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5133235
Identity Template issue|http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5110444
ActiveSync assigning and linking Active Directory accounts -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5110302
Error during saving a user data -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5100184
How to use a rule to generate ID for a resource? -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5093491
Error While recon -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5102663
LDAP Resource Account Creation -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5117857
Multiple accounts on AD -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5128583
multiple accounts for active directory -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5163175
Flat File Active Sync Error -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5054272
Problem changing user projects -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5064478
Problem during provisioning -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5219921
unable to get firstinitial in AD template -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5165816
Place IDM USer in specific Active directory Container based on Department -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5175931
Active Directory Error -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5058048
Summary instructions (collected from these posts and IDM docs):
* the template is only used when an account is created
* any $attributes$ referenced in the template must be either IDM extended user attributes (i.e. always present) or in the associated resource schema map
* can also dynamically override the identity template using the attribute �accounts[<resource>].identity�
* if the attribute is only used for the template, set the schema mapping to IGNORE_ATTR to that IDM doesn�t try to provisioning the attribute
Some fuzzy/non-specific suggestions:
* may utilize workflows; i.e. modify the default create user workflow
* may involve the resource activeSync form
* suggestion that any referenced attributes need to be �global�; this either means set using �global.<attr>� syntax, they are marked as �required� in the schema map, and/or the the LDAP activeSync resource �populateGlobal� attribute is set to �true�
I'll post a solution when I figure it out.

OIM-OID Provisioning - OID Group PrePopulate Approach :

Hi,
I am working on OID Connector 9.0.1.14 with OIM 11.1.1.5.
I have reconciled all the Roles and Groups from OID to OIM and can successfully provision users to the OID along with membership to these specific Roles and Groups.
I want to prepopulate the OID Group based on certain attribute from the OIM User form. My Approach so far is :
1) Created an Entity Adapter with a variable : say Org and GroupName.
2) Set the Logic as if Org = XYZ (+XYZ does exist on OIM+) set GroupName as = "OID Group 1" else set GroupName as = "OID Group 2"
3) Attached this adapter to the "OID User Group" form on the "Data Object Manager" at the pre-insert stage.
4) Mapped the Adapter variable as :
a) Org Maps to "Organization Definition" with the qualifier "Organization Name"
b) GroupName maps to the "Entity Field" with the qualifier "UD_OID_GRP_GROUP_NAME"
However nothing seems to happen when I create/modify a user with Orgization Name as XYZ and manually Provision the OID Resource. I can see the form but nothing is populated in the Group Field. Upon completing the request, I get the user provisioned to OID but without any Group information..
Is my approach right ? Am I missing something ?

Here is what I have done for a client. My requirement was for a given department, a user must have a list of groups provisioned to them. So here is what i've done:
1. Create a lookup that has Code Key = Department, Decode = CN of the groups in a delimited format.
2. Create a provisioning task that will look at the department code from the user form, reference the lookup and find the decode values. Split them based on a delimiter. Then using each value, lookup the code key value from the real lookup that contains the full distinguished name of the group in the OID Group lookup. I even appened the IT Resource Key and ~ so that my search would be Decode or Code = "IT Resource Name~CN=<CN VALUE>%". This would return only the single group code key value. And then i add it to the child table. Repeat this for all the values in the delimited field.
3. Create a provisioning task that removes the values from the child table based on the delimited value. You'll need to search through the existing child table values.
Once you have the 2 tasks, you'll want to add a value to the your Lookup.USR_PROCESS_TRIGGERS that is your group determining field. Create your task name in this lookup. On your provisioning workflow, for the Adding of the groups task, make this unconditional, and have a preceding task of the Create User. Give it the name from your Lookup.USR_PROCESS_TRIGGERS and append " - Add Groups" to the task name. Create another task called the same, but append " - Delete Groups" to the task name. On the Add Groups task, make the preceding task the Delete groups. When you map your inputs to the adapters, on the delete, select the old value check box from the User Form so that you get the old value. Now, when the value changes on the user form, it will first remove the old groups, then add the new ones. All this will be done using the child table APIs, so that the existing Insert and Delete task triggers for your child table will run.
-Kevin

Provision a multivalued attribute from OIM to OID

Hi,
I have a requirement to provision a new multivalued attribute from OIM to OID.
Steps followed:
Created a child form
Attached child form to the OID Parent form
Created a process task adapter.
Created a task in process definition and the attached the adapter
Adapter code.
public String addChildData(tcDataProvider ioDatabase, long procInstKey, long childDefKey){
          try{
               tcFormInstanceOperationsIntf formInstOper = (tcFormInstanceOperationsIntf)tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcFormInstanceOperationsIntf");
               HashMap testval = new HashMap();
               testval.put("UD_TESTCHIL_TESTGROUP","abcd2134");
               System.out.println("testval..."+testval);
               long formreturn = formInstOper.addProcessFormChildData(childDefKey,procInstKey,testval);
               System.out.println("formreturn" +formreturn);
          catch(Exception e){
               System.out.println("exce" +e);
          return "Success";
After attaching while provisioning I am seeing both parent and child forms. I have provided the values and its successfully provisioning.
But how I can provision the new OID multivalued attribute. We have to do any setting in the lookup?
Regards,
KK

Just create your new adapter for add and delete from this new child table just like the other triggered tasks. If it's a multi value on the user profile, use the adapter for Add Multi Value Attribute that comes with the connector. In the property name, put in your multi value attribute name, and map the value from the child table.
-Kevin

Custom object class attributes are not provisioning in oID thru OIM

Hi,
I have connected OIM with oID user provisioning is also taking place. I have made one custom structure class with some attributes in OID.
In form designer,in OID usr form i have made feild UD_OID_USR_Custom
In OId .config lookup i have mentioned that custom class as well as attributes of class[in code Custom in decode name of attribute at target]
In process form recon mapping of OID i mapped this feild name .
Also in resource object recon mapping also i mentioned this attribute.
But while creating user till process form value of attribute is populating and not provisiong that attribute in OID.
Please tell me where i went wrong or exact steps of mapping in form designer,Process definition,Lookup.OID.configuration,Resource objects.
Thanks

process form recon mapping of OID i mapped this feild nameHave you made attribute entry in Provisioning Lookup AttrName.Prov.Map.OID ?
Have you followed each step :
http://download.oracle.com/docs/cd/E11223_01/doc.904/e10436/extnd_func.htm#CACICHDH

AD provisioning - Enable / Disable Account Attribute

Hi everyone,
I provisioned a user to AD successfully.
And I disabled this account in OIM.
I want to control whether this account is disable in AD or not.
Which attribute is ebanle/disable acount attribute in Active Directory?
Thanks.
Best Regards.

userAccountControl attribute in AD:
512: For Enable
514: For Disabled..
66048: For Enabled with Password Never Expires=true
66050: For Disabled with Password Never Expires=true
And if you don't want OIM user disablement or enable-ment to affect the AD Account status, remove the OOTB Adapter attached on Disable User and Enable User respectively and attach tcCompleteTask...

Provision user to a resource when a LDAP attribute is set to true by active

HI,
I have the following requirement
When a particular attribute in LDAP is set to true then we have to pick it by the active sync process and provision the user in another resource.
Can any one let me know how to go about this.

I'd do it like this:
Create a business role "SomeRole" that includes an IT-Role that includes the target resource.
In the activeSync form, assign this role depending on the LDAP attribute:
<Field name='waveset.roles'>
<Expansion>
    <cond>
      <eq>
        <ref>accounts[LDAP].thisParticularAttribute</ref>
        <s>true</s>
      </eq>
     <s>SomeRole</s> 
     <ref>waveset.roles</ref>
    </cond>
</Expansion>
</Field>

AD provisioning - Prepopulate Attributes

Similar Messages

Maybe you are looking for