Add user to role during reconciliation

Hi,
I have this scenario:
We have a database resource on which we run reconciliation to link accounts to our users in IDM.
I also have roles that contain this resource. When the reconciliation runs I would like to add the user
to that role, instead of linking the user to the resource account directly.
Our problem now is that if users get linked to the resource, and then get the role, if the role is removed, the user still has the link to the resource.
Did that make any sense?
I'm guessing that I need to use the "per account workflow" to make this happen, but I'm not sure how to write this workflow.
Regards,
Henrik

Hi Henrik,
You could do it during reconciliation with a per-account workflow.
Another approach is to use a regular workflow that lists users with accounts on that target resource and processes each of them to remove any unneeded direct assignments. That is what I went with, and I run the workflow periodically.
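An added example, not from this thread and not Sun IDM code: a small model of what the two approaches above have to decide. The role and resource names, and the rule that a recon link should prefer a role that provisions exactly that one resource (so that granting it does not widen the user's access), are assumptions for illustration. The point it shows is the one in the question: a direct link that a role already covers is an orphan waiting to happen, because removing the role leaves the access in place, and the cleanup has to find and drop those links. In a real IDM, confirm that the role really provisions the resource before dropping the direct assignment, or the check-in will deprovision the account; try it on a test user first.

```python
"""Toy model of direct vs. role-based resource assignment for a recon
cleanup pass. Constructed example, not Sun IDM code: the role and
resource names are made up."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    resources: frozenset          # resources this role provisions


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)             # role names
    direct_resources: set = field(default_factory=set)  # direct links


# Constructed catalogue: one single-resource role and one broader role.
ROLES = {
    "DB Users": Role("DB Users", frozenset({"HR-DB"})),
    "Finance": Role("Finance", frozenset({"HR-DB", "GL-DB"})),
}


def resources_via_roles(user, roles=ROLES):
    """Everything the user's roles provision."""
    out = set()
    for r in user.roles:
        out |= roles[r].resources
    return out


def effective_resources(user, roles=ROLES):
    """What the user actually holds: direct links plus role-granted ones."""
    return user.direct_resources | resources_via_roles(user, roles)


def redundant_direct_assignments(user, roles=ROLES):
    """Direct links a role already covers. These are the orphans: remove
    the role and the access silently survives through the direct link."""
    return user.direct_resources & resources_via_roles(user, roles)


def role_for_resource(resource, roles=ROLES):
    """A role that provisions exactly this resource and nothing more, so
    granting it does not widen the user's access (assumed policy)."""
    for r in roles.values():
        if r.resources == frozenset({resource}):
            return r.name
    return None


def reconcile_link(user, resource, roles=ROLES):
    """What a per-account workflow would do when recon links an account on
    `resource` to `user`: prefer role membership; fall back to a direct
    link only if no single-resource role exists. Returns the action."""
    if resource in resources_via_roles(user, roles):
        user.direct_resources.discard(resource)
        return "already-via-role"
    role = role_for_resource(resource, roles)
    if role is None:
        user.direct_resources.add(resource)
        return "direct"
    user.roles.add(role)
    user.direct_resources.discard(resource)
    return "role:" + role


def cleanup_pass(users, resource, roles=ROLES):
    """The periodic workflow from the reply: for every user with an
    account on `resource`, drop direct links a role already covers.
    Returns the names of users that were changed."""
    changed = []
    for u in users:
        if resource in redundant_direct_assignments(u, roles):
            u.direct_resources.discard(resource)
            changed.append(u.name)
    return changed


def remove_role(user, role):
    """Role removal; returns what the user still holds afterwards."""
    user.roles.discard(role)
    return effective_resources(user)


if __name__ == "__main__":
    # The problem case from the question: direct link plus the role.
    henrik = User("henrik", roles={"DB Users"}, direct_resources={"HR-DB"})
    print("orphan-prone links:", redundant_direct_assignments(henrik))
    print("changed by cleanup:", cleanup_pass([henrik], "HR-DB"))
    print("after role removal:", remove_role(henrik, "DB Users"))
```

`cleanup_pass` is idempotent, so it is safe to run on a schedule as the reply describes; `reconcile_link` is the per-account variant that avoids creating the direct link in the first place.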

Similar Messages

  • AppServer: problems trying to add users to roles in security dialog

    I'm trying to learn J2EE using AppServer. My current example has a client accessing
    an entity bean. I want two classes of user - Reader, and Updater. Most methods
    of Home and Remote are accessible to both classes, a few are restricted to users
    in Updater role. I'm currently having problems adding users to roles in deploytool.
    I have defined users using the Admin client.
    I have implemented and test run client and entity bean without security restrictions, it works.
    I have defined roles associated with the application.
    I have allocated roles to every method in Home and Remote interface of bean.
    I have extracted the generated XML file and checked the <assembly-descriptor> section and
    it appears that all roles and role descriptions are defined as required.
    deploytool lets me use the "Security Role Mapping" dialog, I can select either of my roles and
    try "Add user to role" - subsequent dialog shows my users and allows me to "Map user to role" -
    but selected user does NOT appear in the user names panel.
    What am I doing wrong or what am I omitting? Hints please!

    Thanks for suggestions. (I'm using Windows so file-protections pretty
    non-existent).
    I looked in the Sun file you mentioned and found the users were defined.
    When I restarted AppServer and deploytool, the users were shown in the appropriate
    panel.
    There is probably some minor bug in deploytool that causes the User Panel not
    to be updated as it should be after a user has been added to a role.

  • Cannot add users to roles

    I have configured an OpenLDAP data store with Access Manager. I can see the users added in LDAP in the Subjects tab of Access Manager, but when I create a role and try to add users to the role I get the exception
    Plug-in com.sun.identity.idm.plugins.files.FilesRepo: Unable to find entry: C:\Documents and Settings\161101\amserver\idRepo\user\frank
    Can anybody suggest what the problem is?

    Hi there,
    The reason why you have file repo is because you installed the AM using file repo instead of LDAP.
    Deleting the File Repo configuration for that realm will not affect the configuration part of the AM ( I would still do a backup ... just in case) because the datastore configuration has nothing to do with that. The configuration part of the AM is at the platform level and you have that configured on the configurations tab of the platform. What I'm suggesting is on that specific Realm ( I usually use a different Realm other than the Root realm ... this way I'm sure not to mess it up ) go to the datastores (which is the place where user data is stored and not the configurations (though they might be the same) ) and delete the file datastore configuration (or point it to a different location ... but do not delete the files on the filesystem, because they are still in use by other Realms and the configuration ) .
    Configuration data and User repositories can be configured in different places .... which is what you are now trying to do .... have the conf on the file system and have the users on an LDAP.
    Definitely do a backup of your stuff ... and if at all possible use a different realm other than the root realm.
    Hope this helps .... and makes any sense !
    Rp

  • "Low-level" authorizations for accessing BW reports - add users to role

    Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
    Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

    Hi!
    I think programmatically it might be complex. You have to maintain a separate variant of the report per user and use this variant to send mail. That means you need to maintain a variant and a Broadcast setting per user. Once maintained you can use it any number of times; the values will be recalculated every time.
    with regards
    ashwin
    <i>PS: Assigning points to the helpful answers is the way of saying thanks in SDN. You can assign points by clicking on the appropriate radio button displayed next to the answers for your question: yellow for 2, green for 6 points and blue for 10 points, which also closes the question and marks it as problem solved. Closing the threads which have a solution will help the members to deal with open issues without wasting time on problems which have a solution, and also the people who encounter the same problem in future. This is just to give you information as you are a new user.</i>

  • Dynamically add Users to Roles

    Can someone help me? See the thread here:
    http://forum.java.sun.com/thread.jspa?threadID=777504

    Marc,
    Thanks for your reply. Could you please explain more about this configuration:
    <?xml version = '1.0' encoding = 'UTF-8'?>
    <ISConfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
      <configurations>
        <configuration realmName="jazn.com">
          <provider providerType="JAZN" name="xml" service="Identity">
            <property name="userPropertiesFile" value="users-properties.xml"/>
          </provider>
          <provider providerType="CUSTOM"
                    name="CustomPlugIn" service="Authentication"
                    class="package.name.CustomAuthenticationService" />
        </configuration>
      </configurations>
    </ISConfiguration>
    Thanks,
    Rajesh

  • OIM 11g R1 - Add user to group after AD Reconciliation

    Hi,
    I want to add all reconciled users from AD to OIM to a special role in OIM, after an AD reconciliation.
    By default, all users get the role ALL_USERS. I want to add a further role, for example ALL_AD_USERS.
    How to do this?
    Edited by: 960944 on Jan 15, 2013 5:11 AM

    I assume that here you are talking about AD TRUSTED RECONCILIATION and you don't have any other TRUSTED Reconciliation and this is the only way to bring users into OIM, then you can create a role and attach a membership rule say "Organization doesn't contain ZZZZ". It will satisfy all the users
    CONS: Here you won't be able to distinguish between users which are created through the Admin Console, from AD Trusted, or from some other Trusted Recon.
    Now if you want only those users who are coming from AD, then add a task on Reconciliation Insert/Update Received and add the user to the role using the APIs.

  • How to assign users to group during upload ?

    Hi all,
    we have to upload a lot of users into our EP6.
    according to the documentation it is possible to assign those users to roles during the upload, but we want to use Group-Assignments instead of directly assigning roles to users.
    Is there any possibility to assign groups instead of roles during a user-upload ?
    The doc shows in the "Standard File Format" the parameters <namespace>:<name>; may those be used for this purpose, and if yes, then how?
    Thanx for any hints...
    Stefan

    Hi,
    do you mean uploading role-group assignments or user-group assignments?
    User-group assignments can be uploaded using the following format (extract from UME documentation - section: Standard Format):
    [Group]
    gid=HappyBuyers
    gdesc=This is a group of all satisfied buyers
    user=MarcPeters;JackSmith;Alan_Fox
    Make sure that you upload the groups in a second step after you have already uploaded the users. The userIds you name in the property "user" must exist.
    For uploading role-group assignments I don't know a way, but usually you do not have that many ...
    Best regards,
    Oliver
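An added example, not from this thread and not an SAP tool: a pre-flight check for the two-step upload Oliver describes. The user IDs and groups are constructed; the blank line between [Group] records is an assumption. It refuses to render a group file that references a user ID not already uploaded in step one, and it refuses IDs that contain the ';' list separator or '=' because they would change the meaning of the record.

```python
"""Pre-flight check and renderer for a UME Standard Format group upload.
Constructed example, not SAP code; the users and groups are made up, and
the blank line between [Group] records is an assumption."""

# Constructed: IDs uploaded in step one, before any group file is loaded.
EXISTING_USERS = {"MarcPeters", "JackSmith", "Alan_Fox", "JaneDoe"}

# Constructed: gid -> (gdesc, members) for the second-step upload.
GROUPS = {
    "HappyBuyers": ("This is a group of all satisfied buyers",
                    ["MarcPeters", "JackSmith", "Alan_Fox"]),
    "Auditors": ("Read-only reviewers", ["JaneDoe", "nobody_here"]),
}


def missing_members(groups, existing_users):
    """gid -> members that do not exist yet. Non-empty means the group
    file would be uploaded before its users, which the caveat above warns
    against."""
    missing = {}
    for gid, (_, members) in groups.items():
        unknown = sorted(set(members) - set(existing_users))
        if unknown:
            missing[gid] = unknown
    return missing


def render_group_block(gid, gdesc, members):
    """One [Group] record. The user list is ';'-separated, so an ID
    containing ';', '=' or a newline would change the record's meaning;
    refuse those rather than emit a mangled file."""
    for m in members:
        if any(c in m for c in ";=\n"):
            raise ValueError("unsafe user id: %r" % m)
    return "\n".join(["[Group]",
                      "gid=" + gid,
                      "gdesc=" + gdesc,
                      "user=" + ";".join(members)])


def upload_is_consistent(groups, existing_users):
    """True when every member of every group already exists."""
    return not missing_members(groups, existing_users)


def render_upload(groups, existing_users):
    """Full group file; raises instead of producing a partial upload when
    any member is unknown, so the operator fixes the ordering first."""
    missing = missing_members(groups, existing_users)
    if missing:
        raise ValueError("unknown users referenced: %r" % missing)
    blocks = [render_group_block(g, d, m) for g, (d, m) in groups.items()]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print("missing:", missing_members(GROUPS, EXISTING_USERS))
    ok = {"HappyBuyers": GROUPS["HappyBuyers"]}
    print(render_upload(ok, EXISTING_USERS))
```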

  • Portal user and role creation

    How do we add (bulk add) users and roles to Portal 6.0 without the management console ?
    Thanks ,
    Ravi

    Did anyone have an answer to this? I've used tools with other directories that permitted a bulk add or a flat file dirsync that allowed a CSV file to add accounts. I would be interested if someone has done this for portal 6.2 or 6.X.
    Thanks in advance,
    Mike

  • User status during reconciliation

    Hi All,
    I have configured the AD connector for reconciliation and it is working fine. I have also created a Resource Object, Process Definition and form for multiple resources of AD. During reconciliation, when the event is linked, the user status is set to 'Provisioning' instead of 'Provisioned' as per the default functionality, and during the successive recon the status is changed to 'Enabled'.
    Can anyone please tell me what configuration might be missing due to which the status is set to 'Provisioning' the first time?
    Any pointers in this regards will be appreciated.
    TIA

    After successful target source recon, the status should be 'Enabled' or 'disabled' depending on the user account status in AD. Can you look at the tasks that are executed when the status is set to 'provisioning'? Which task fails? what is logged in the logs? Could be that 'Get ObjectGUID' task is not completed and it completes before the next run of the scheduler, which is why it works fine in second run.

  • Deleting IDM user accounts during reconciliation

    Hello All,
    We have an authoritative data source which is a MySQL database. I have loaded all the users from the DB into IDM. What I want to know is whether we can delete the user in IDM when the user account is deleted from the MySQL database.
    How can I achieve this during reconciliation?
    Any help would be highly appreciated.
    Thank you very much.
    Vamsi

    I think you need to use the per account workflow, which is part of the recon policy. It should be something like:
    <Extension>
      <WFProcess name='UC2 ORA Per Acct Workflow' title='UC2 ORA Per Acct Workflow'>
        <Variable name='userName' input='true'/>
        <Variable name='accountId' input='true'/>
        <Variable name='loginApplication' input='true'/>
        <Variable name='resource' input='true'/>
        <!-- Route on the situation reconciliation detected for this account -->
        <Activity id='0' name='start'>
          <Transition to='Sync Attributes'>
            <eq>
              <ref>initialSituation</ref>
              <s>AR_SITUATION_NAME_UNMATCHED</s>
            </eq>
          </Transition>
          <Transition to='Deprovision User'>
            <eq>
              <ref>initialSituation</ref>
              <s>AR_SITUATION_NAME_DELETED</s>
            </eq>
          </Transition>
          <Transition to='Disable User'>
            <eq>
              <ref>initialSituation</ref>
              <s>optional logic here</s>
            </eq>
          </Transition>
          <Transition to='Clear Task Results'/>
          <WorkflowEditor x='38' y='177'/>
        </Activity>
        <!-- Check out the User view through the per-account form, then check it in -->
        <Activity id='1' name='Sync Attributes'>
          <Variable name='WF_ACTION_ERROR'/>
          <Variable name='user'/>
          <Action id='0' name='Checkout User' application='com.waveset.session.WorkflowServices'>
            <Argument name='op' value='checkoutView'/>
            <Argument name='type' value='User'/>
            <Argument name='id' value='$(accountId)'/>
            <Argument name='authorized' value='true'/>
            <Argument name='Form' value='UC2 ORA Per Acct Form'/>
            <Variable name='view'/>
            <Return from='view' to='user'/>
            <Return from='WF_ACTION_ERROR' to='ERROR'/>
          </Action>
          <Action id='1' name='Checkin User Object' application='com.waveset.session.WorkflowServices'>
            <Condition>
              <isnull>
                <ref>WF_ACTION_ERROR</ref>
              </isnull>
            </Condition>
            <Argument name='op' value='checkinView'/>
            <Argument name='view'>
              <ref>user</ref>
            </Argument>
          </Action>
          <Transition to='Clear Task Results'>
            <isnull>
              <ref>WF_ACTION_ERROR</ref>
            </isnull>
          </Transition>
          <Transition to='end'/>
          <WorkflowEditor x='259' y='7'/>
        </Activity>
        <!-- Account gone from the authoritative source: deprovision every account -->
        <Activity id='2' name='Deprovision User'>
          <Variable name='WF_ACTION_ERROR'/>
          <Variable name='user'/>
          <Action id='0' name='Checkout User' application='com.waveset.session.WorkflowServices'>
            <Argument name='op' value='checkoutView'/>
            <Argument name='authorized' value='true'/>
            <Argument name='type' value='Deprovision'/>
            <Argument name='id' value='$(accountId)'/>
            <Variable name='view'/>
            <Return from='view' to='user'/>
            <Return from='WF_ACTION_ERROR' to='ERROR'/>
          </Action>
          <Action id='1' name='Select All Accounts for Deprovision'>
            <expression>
              <set name='user.resourceAccounts.selectAll'>
                <s>true</s>
              </set>
            </expression>
          </Action>
          <Action id='2' name='Checkin User Object' application='com.waveset.session.WorkflowServices'>
            <Condition>
              <isnull>
                <ref>WF_ACTION_ERROR</ref>
              </isnull>
            </Condition>
            <Argument name='op' value='checkinView'/>
            <Argument name='view'>
              <ref>user</ref>
            </Argument>
          </Action>
          <Transition to='Clear Task Results'>
            <isnull>
              <ref>WF_ACTION_ERROR</ref>
            </isnull>
          </Transition>
          <Transition to='end'/>
          <WorkflowEditor x='308' y='241'/>
        </Activity>
        <!-- Softer alternative: disable the IDM user instead of deprovisioning -->
        <Activity id='3' name='Disable User'>
          <Variable name='WF_ACTION_ERROR'/>
          <Variable name='user'/>
          <Action id='0' application='com.waveset.session.WorkflowServices'>
            <Argument name='op' value='disableUser'/>
            <Argument name='accountId' value='$(accountId)'/>
            <Argument name='doWaveset' value='true'/>
          </Action>
          <Transition to='Clear Task Results'>
            <isnull>
              <ref>WF_ACTION_ERROR</ref>
            </isnull>
          </Transition>
          <Transition to='end'/>
          <WorkflowEditor x='390' y='387'/>
        </Activity>
        <Activity id='4' name='Clear Task Results'>
          <Action id='0' application='SET_RESULT_LIMIT'>
            <Argument name='limit' value='0'/>
          </Action>
          <Transition to='end'/>
          <WorkflowEditor x='351' y='104'/>
        </Activity>
        <Activity id='5' name='end'>
          <WorkflowEditor x='691' y='50'/>
        </Activity>
      </WFProcess>
    </Extension>
    Reg/Suveer

  • During import ora-01917 user or role does not exist "High Priority"

    Hi,
    When i import the data the following error occured.
    imp system/[email protected] fromuser=dmv_ace_ruh touser=dmv_ace_ruh file=F:\dmvaceruh.dmp log=F:\dmvaceruhimp.log ignore=y
    fromuser=dmv_ace_ruh (exported by another database i.e database name is ACE)
    OS = Sun solaris
    touser=dmv_ace_ruh (database name is SAI)
    OS = windows server 2003
    Database Common 10g
    Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
    With the Partitioning, OLAP and Data Mining options
    Export file created by EXPORT:V10.02.01 via direct path
    Warning: the objects were exported by DMV_ACE_RUH, not by you
    import done in AR8MSWIN1256 character set and AL16UTF16 NCHAR character set
    export client uses WE8MSWIN1252 character set (possible charset conversion)
    . importing DMV_ACE_RUH's objects into DMV_ACE_RUH
    . . importing table "DMV_COVER_RISK_SMI_DISC_LOAD" 0 rows imported
    IMP-00017: following statement failed with ORACLE error 1917:
    "GRANT ALTER ON "DMV_COVER_RISK_SMI_DISC_LOAD" TO "PREM_ACE_RUH""
    IMP-00003: ORACLE error 1917 encountered
    ORA-01917: user or role 'PREM_ACE_RUH' does not exist
    IMP-00017: following statement failed with ORACLE error 1917:
    "GRANT DELETE ON "DMV_COVER_RISK_SMI_DISC_LOAD" TO "PREM_ACE_RUH""
    IMP-00003: ORACLE error 1917 encountered
    ORA-01917: user or role 'PREM_ACE_RUH' does not exist
    IMP-00017: following statement failed with ORACLE error 1917:
    "GRANT INDEX ON "DMV_COVER_RISK_SMI_DISC_LOAD" TO "PREM_ACE_RUH""
    IMP-00003: ORACLE error 1917 encountered
    ORA-01917: user or role 'PREM_ACE_RUH' does not exist
    IMP-00017: following statement failed with ORACLE error 1917:
    "GRANT INSERT ON "DMV_COVER_RISK_SMI_DISC_LOAD" TO "PREM_ACE_RUH""
    IMP-00003: ORACLE error 1917 encountered
    ORA-01917: user or role 'PREM_ACE_RUH' does not exist
    IMP-00017: following statement failed with ORACLE error 1917:
    "GRANT SELECT ON "DMV_COVER_RISK_SMI_DISC_LOAD" TO "PREM_ACE_RUH""
    IMP-00003: ORACLE error 1917 encountered
    ORA-01917: user or role 'PREM_ACE_RUH' does not exist
    IMP-00017: following statement failed with ORACLE error 1917:
    "GRANT UPDATE ON "DMV_COVER_RISK_SMI_DISC_LOAD" TO "PREM_ACE_RUH""
    IMP-00003: ORACLE error 1917 encountered
    ORA-01917: user or role 'PREM_ACE_RUH' does not exist
    IMP-00017: following statement failed with ORACLE error 1917:
    "GRANT REFERENCES ON "DMV_COVER_RISK_SMI_DISC_LOAD" TO "PREM_ACE_RUH""
    IMP-00003: ORACLE error 1917 encountered
    ORA-01917: user or role 'PREM_ACE_RUH' does not exist
    IMP-00017: following statement failed with ORACLE error 1917:
    "GRANT ON COMMIT REFRESH ON "DMV_COVER_RISK_SMI_DISC_LOAD" TO "PREM_ACE_RUH""
    IMP-00003: ORACLE error 1917 encountered
    ORA-01917: user or role 'PREM_ACE_RUH' does not exist
    IMP-00017: following statement failed with ORACLE error 1917:
    "GRANT QUERY REWRITE ON "DMV_COVER_RISK_SMI_DISC_LOAD" TO "PREM_ACE_RUH""
    IMP-00003: ORACLE error 1917 encountered
    Regards
    S.Azar
    DBA
    Edited by: azarmohds on Oct 5, 2009 5:11 AM

    oradba wrote:
    What's not clear with this error message? The mentioned role 'PREM_ACE_RUH' does not exist in the target database. So granting privileges to this role cannot work.
    Werner

    'PREM_ACE_RUH' is one of the users of the ACE database, but I exported DMV_ACE_RUH user data only...
    but I cannot import the dmv_ace_ruh data to the same user name in the SAI database..
    regards
    S.azar

  • Can't get hold of the user.waveset.roles in my workflow

    Hey,
    I am developing a workflow process that adds a role to each user during reconciliation if they don't already have it.
    1. It gets the user view.
    2. It checks to see if the user has a particular role. (This is where my problem lies, as the user.waveset.roles value returns null).
    3. If the user already has the role the process ends.
    4. If the user doesn't have the role it appends it to user.waveset.roles and then checks in the user view.
    So at the moment the process always thinks the user hasn't got the role because I can't get user.waveset.roles to return a value. Although I can access it when I append!?
    Any ideas anyone why I can't access the user.waveset.roles value in the second step? It prints out that the value is null on the stack trace.
    The Activity code looks like this:
    <Activity id='5' name='Check Roles'>
      <Transition to='end'>
        <match>
          <upcase>
            <block trace='true'>
              <ref>user.waveset.roles</ref>
            </block>
          </upcase>
          <upcase>
            <rule name='Entrust GetAccess Role Name'/>
          </upcase>
        </match>
      </Transition>
      <Transition to='ProcessUser'/>
      <WorkflowEditor x='163' y='9'/>
    </Activity>

    Check once if the variable "user" is holding the user view or not.
    I'm not sure if you have already tried this....
    If we are getting the user view using a workflow service then by default the fetched user view is placed in a variable called "view". So we may have to use 'view.waveset.roles'.
    If we want to store the fetched user view in the variable "user", then in the Action that gets the user view we may have to return the value from "view" to "user", wherein "user" is a global variable defined at the workflow level. Then we can refer to "user" in all the activities throughout the workflow.

  • How to find and add user's manager as approver for an action at runtime?

    Hi All,
    I am able to add logged in users to a role and initiate the process.
    But for 1st and 2nd level approval, I want to add the supervisor and manager user IDs to the appropriate roles.
    How do I implement this?
    Thanks
    Sundar

    Hi,
    2 ways:
    1 - You can define a Structure String -> 0..n and define your role as Runtime Defined, so you associate this structure with your role. You will retrieve the users by role from UME; after this, initialize the structure with the users. So the values will be transferred to your process.
    see this link: /people/dipankar.saha3/blog/2007/05/31/how-to-create-dynamic-approval-process-using-conditional-loop-block-in-guided-procedure
    /people/berndt.woerner/blog/2007/09/19/different-ways-to-model-dynamical-assignment-of-user-to-process-roles-using-composition-tool-guided-procedures--part-1
    2 - Using Assign Users to Process Role Callable Object
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0c451f8-0dc2-2b10-e286-f5be915a07f7
    Best regards

  • Creation of users and roles

    Hello sdn
    I installed the NetWeaver Sneak Preview (Java) on my system.
    When I tried to create a new user other than admin, the user is created, but
    when I logged in as the newly created user it shows "password has expired". Please
    advise me on how to rectify this problem.
    Second:
    when I try to add iViews to roles which I created it shows a popup
    menu, but it doesn't have the option "add iView to role".
    I am unable to understand where I'm going wrong.
    Waiting for your valuable replies.

    Hi Prasad,
    please check out my advice from this thread for solving your first problem: EP SP15 FROM SDN
    Hope it also solves your problem,
    Robert
    PS: I would suggest opening a new thread for the second problem, as it's not related to your thread name, and people might be expecting something else in this thread.

  • User Exit to add user-defined selection critieria onto VL10G

    Does anyone know how to add user-defined selection criteria onto <b>VL10G</b> - Sales and purchase order display screen? OSS note <b>524424</b> states the userexit to transfer user-defined selection criteria from the selection screen to the report but no information on how to add the selection criteria on the screen. Is that something can be done through configuration or user-exit?
    Any advice or sample is greatly appreciated.

    I was in a hurry, I forgot to add, the user role specific selection screen assignment to VL10G is done at "delivery scenario" level
    The delivery scenarios that are predefined in the system can be found under Logistics Execution -> Outbound Process -> Goods Issue for Outbound Delivery -> Outbound Delivery -> Create -> Collective Processing of Documents for Shipment.
    You can make the following settings in a delivery scenario:
    <b>Selection screen</b>
    You can use the selection screen parameters to define the appearance of the selection screen used to select the delivery list.
    There are three combinations of selection parameters available that each include a different number of tabs.
    A long selection screen with no tabs
    A selection screen with three tabs
    A selection screen with six tabs
    The selection criteria are the same on all three screens in the standard system; they are simply arranged differently.
    This parameter also triggers scheduling of the report for processing the delivery list, with the same three available tab options.
    Customer enhancements are also possible in the LV50R_PREFZ1 program, which should be triggered from a delivery scenario.
    <b>User role</b>
    In the standard system, a predefined user role is assigned to each delivery scenario. If necessary, you can copy these user roles into your own user roles, make changes as required, and then assign them to a delivery scenario of your choice.
    If the user role assignment for a delivery scenario is changed in Customizing, the new settings are valid for all users that carry out this delivery scenario.
