Allocating multiple accounts on a resource through multiple roles

Is there anyway for IdM to cater for the following scenario
Role 1 -> Allocates accounts on Resources A & B
Role 2-> Allocates accounts on Resources A & C
Such that when a User is given both Roles, their account list is
(1st) account on A, account on B, (2nd) account on A, account on C
rather than the aggregate of (1 only) Account on A,account on B, account on C.
And if, say, Role 1 is revoked for the account on Resource A as provisioned by Role 1 is the only account to be revoked on the resource allowing the 2nd account on Resource A (as provisioned through the still active Role 2) to still be managed
Thanks
--Calum                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

Yes, it should be possible, but messy.
The easiest way would be to create separate resources for the roles. So you'd have two configured resources for the same target, and the roles would assign the separate resources. You'd have to make sure that the target resources account names are different because usually they are required to be unique.

Similar Messages

  • Reporting for multiple Accounts by Partner dimension for multiple Entities

    Hi all,
    I have a report in Reporting Studio which uses a Sum column formula to add data for all the members selected in a prompt for the Entity dimension (which is in the columns of the report).
    In the rows I have 2 dimensions, Partner and Account. I have the report set up to display the children of Partner and multiple accounts for each Partner. The issue I am having is that I would need to actually calculate one of the account totals (it is a Yield account) since summing the yields for partners is not valid.
    I can't just pull out and calculate the Yield accounts though because the accounts need to be listed by Partner.
    Is there a way to group two rows so that I can pull out and calculate the Yield account but still display the accounts by Partner?
    So I was thinking:
    Partner A Account 1, Account 2
    Partner A Yield
    Partner B Account 1, Account 2
    Partner B Yield
    I can't hardcode this as there are hundreds of Partners. If there is a way to set up auto-calculate to Average only the Yield accounts, that would work as well in theory.
    Any help would be appreciated. If any clarification is needed just let me know.
    Thanks.

    Hi Mehmet,
    There are too many possible department combinations to actually create member formulas for each one.
    The formula for Yield is Revenue/Units. So an example would be $100,000 revenue divided across 1,000,000 units gives a Yield of 0.10.
    The more I think about this problem, the more I realize that this may not possible. If a manual calculation is required I would need to have it so that I'm able to match up the children of Revenue with the children of Units in order to calculate the various Yields. From my experience this isn't possible. I am staying away from hard-coding in the report as it would create issues down the road.
    If there is some way to utilize auto-calculation that may be the only solution.
    Any other thoughts would be appreciated though.
    Thanks.

  • Delivery cost with multiple account assignment

    Dear SAP gurus,
    I found a problem in here. In my company we are using multiple account assignment in PO with multiple asset entered in one line. This PO actually will have customs and delivery cost inside of it, however it is not know at the time of PO creation. When the forwarder send the goods, sometimes the shipment can contain more than one PO as well, thus it is impossible to determine the exact value of delivery cost at the time of PO creation.
    When the goods are delivered in the FOB point, the vendor deliver goods will send the invoice for goods, and when the goods delivered to our warehouse, then the forwarder will deliver the invoice for the delivery cost. So there is no sequence of the invoicing. Sometimes the goods are invoice earlier than the delivery cost, sometimes it is later.
    My requirements are to make sure that the delivery cost is being posted to the asset account of the goods that are being delivered in the PO. I have tried these options:
    a. Planned delivery cost inside the PO --> when posting invoice for planned delivery cost, got error message that there is no delivery cost in the PO. I think this is because of the multiple account assignment because when creating PO and inputting the delivery cost i do get warning that no delivery cost for multiple account assignment,
    b. Unplanned delivery cost --> ONLY work if the invoice for delivery cost and goods are being posted as one document, which is not the case in here.
    c. Separate PO for delivery cost --> got issue in which the person who supposed to create the PO for delivery cost, would not have any idea what asset no to be used (worse --> if the asset is being delivered partially).
    Do you have any idea of what to be done in this case? Please help.
    Best regards,
    John.

    See  while making the invoice for the delivery cost you have selected the aggreation as planned delivery cost and in the PO you have not maintained the deilvery conditions .The pricing conditions which you have maintained must ebe  have condition category - delivery cost .The system will not give thr message thhat you have not mainatined the delivery cost .If you have condition as mandatorty it will show that the conditions ( mandatory) are not maintain.In order to maintain the delivery cost you have to check your conditions whether they are delivery cost related conditins and if then maintain there values in PO and check while doing invoice you will get.
    You have also the option of entering the delivery cost at time of the Invoice as unplanned delivery cost ...........
    Just check your conditions which you have maintained the calculation schema as delivery conditions and maintain the values and do the invoice proceesing .
    It is not advisableto cretae the sepearted PO for the delivety cost as it is not good way of doing the proceess.
    Regards
    sunny

  • More than one accounts in a resource

    I am trying to load the SQL table, but I can pass only one row at a time to the resource.
    I do see in the manual that there is a logic(as per the manual) to add multiple accounts to a resource i.e.
    The accounts attribute contains a list of objects for each account linked to the dentity Manager user. Each account object contains the values of the account ttributes retrieved from the resource. The name of each account object is typically the name of the associated resource. If
    more than one account exists for a given resource, the object names take a suffix of the form |n where n is an integer. The first account on a resource has no suffix; the second account has the suffix |2. The third account on a resource has |3, etc.
    I tried this, but this was not working. Can anyone help me with this.

    I am trying that thru my workflow: The followings is my code
    My table name is userroleable. and i canot enter a 2nd account after the first one is completed.
    <appendAll name='user.accounts'>
    <list>
    <Object name='userroletable|2'/>
    </list>
    </appendAll>
    <appendAll name='user.waveset.accounts'>
    <list>
    <Object name='userroletable|2'/>
    </list>
    </appendAll>
    <set name='user.accountsuserroletable.randomid'>
    <concat>
    <invoke name='nextInt' class='com.waveset.util.RandomGen'>
    <i>9</i>
    </invoke>
    <invoke name='nextInt' class='com.waveset.util.RandomGen'>
    <i>9</i>
    </invoke>
    <invoke name='nextInt' class='com.waveset.util.RandomGen'>
    <i>9</i>
    </invoke>
    <invoke name='nextInt' class='com.waveset.util.RandomGen'>
    <i>9</i>
    </invoke>
    </concat>
    </set>
    <set name='user.accountsuserroletable.userid'>
    <ref>userid</ref>
    </set>
    <set name='user.accountsuserroletable.roleid'>
    <get>
    <ref>roleList</ref>
    <i>1</i>
    </get>
    </set>

  • Multiple Accounts on Multiple resources through ActiveSync

    Hi,
    I am trying to create multiple accounts on multiple resource through activesync. But i am able 2 create on a single resource... below is the code
    <Field name='NDSFilter'>
    <Disable>
    <isFalse>
    <contains>
    <ref>accountInfo.assigned</ref>
    <s>Dev-NDS</s>
    </contains>
    </isFalse>
    </Disable>
    <Field name='newAccountRequest'>
    <Expansion>
    <block trace='true'>
    <s>Dev-NDS</s>
    </block>
    </Expansion>
    </Field>
    <Field name='global.NdsUname'>
    <Expansion>
    <block>
    <s>NdsFour</s>
    </block>
    </Expansion>
    </Field>
    <Field name='global.NDSOU'>
    <Expansion>
    <block>
    <s>ADK</s>
    </block>
    </Expansion>
    </Field>
    <Field name='accounts[Dev-NDS].waveset.generate'>
    <Default>
    <s>true</s>
    </Default>
    </Field>
    </Field>
    <Field name='DSFilter'>
    <Disable>
    <isFalse>
    <contains>
    <ref>accountInfo.assigned</ref>
    <s>UOS-AssociatesLDAP</s>
    </contains>
    </isFalse>
    </Disable>
    <Field name='newAccountRequest'>
    <Expansion>
    <block trace='true'>
    <s>UOS-AssociatesLDAP</s>
    </block>
    </Expansion>
    </Field>
    <Field name='accounts[UOS-AssociatesLDAP].accountId'>
    <Expansion>
    <block trace='true'>
    <s>AccountTwo</s>
    </block>
    </Expansion>
    </Field>
    <Field name='global.OU'>
    <Expansion>
    <block trace='true'>
    <s>UOS-MultiAccounts</s>
    </block>
    </Expansion>
    </Field>
    <Field name='accounts[UOS-AssociatesLDAP].waveset.generate'>
    <Default>
    <s>true</s>
    </Default>
    </Field>
    </Field>
    Can anyone pls suggest me the solution...
    Thanks in advance
    Kiran

    Thanks for the reply... in my case this would be done by the active synch process so no GUI form is required. I will be getting a list of application ID for the user by LDAP AS. One i get it i will have to parse it and get the list of application user id. I am passing those ID;s to a workflow where I am forming the resource name as you mentioned
    for example:
    If i get user1#user2#user3 from AS i am separating them based on # using split and getting 3 different user id;s
    now i am forming a string with the resource name and passing it to the sub process in which i am checking out the user object, setting the user attributes and checking in the new view.
    user1#LDAP
    user2#LDAP|1
    user3#LDAP|2
    Problem ; When i run this user1 is getting created in LDAP but user2 and user3 are not. There entry is getting created in IDM.
    When I open the IDM object I get a yellow triangle (warning) and if I open the user object and hit save button IDM creates the user account on the LDAP.
    any help for further solving this problem would be appreciated.
    Regards,

  • Multiple accounts on the same resource

    Experts,
    I am trying to create multiple accounts for the same IDM user.
    I have written a workflow which calls the subprocess to create multiple accounts. In the orignal workflow I pass the IDM accountId and the target system accountid in the Iterate loop.
    In the subprocess i am checking out the user view then appending the resource specific parameters (mentioned below) and then checking in the view.
    <Activity id='1' name='Add resource to user object'>
    <Variable name='userObject'/>
    <Action id='1' name='CheckOut User View' application='com.waveset.session.WorkflowServices'>
    <Argument name='op' value='checkoutView'/>
    <Argument name='type' value='User'/>
    <Argument name='id'>
    <ref>userId</ref>
    </Argument>
    <Argument name='TargetResources' value='EDS'/>
    <Argument name='authorized' value='true'/>
    <Argument name='Form' value="Empty Form"/>
    <Variable name='view'/>
    <Return from='view' to='user'/>
    </Action>
    <Action id='2' name='Add Attribute'>
    <expression>
    <block>
    <set name='applicationuserid'>
    <invoke name='get'>
    <split>
    <ref>userid_applicationid</ref>
    <s>#</s>
    </split>
    <i>0</i>
    </invoke>
    </set>
    <set name='resourcename'>
    <invoke name='get'>
    <split>
    <ref>userid_applicationid</ref>
    <s>#</s>
    </split>
    <i>1</i>
    </invoke>
    </set>
    <set name='user.waveset.resources'>
    <appendAll>
    <ref>user.waveset.resources</ref>
    <list>
    <s>RACF</s>
    </list>
    </appendAll>
    </set>
    <set>
    <concat>
    <s>user.accounts[</s>
    <ref>resourcename</ref>
    <s>].created</s>
    </concat>
    <s>true</s>
    </set>
    <set>
    <s>waveset.accounts[RACF].id</s>
    <get>
    <invoke name='getObject'>
    <invoke name='getLighthouseContext'>
    <ref>WF_CONTEXT</ref>
    </invoke>
    <s>Resource</s>
    <s>RACF</s>
    <Map>
    <MapEntry key='action' value='update'/>
    </Map>
    </invoke>
    <s>id</s>
    </get>
    </set>
    <set>
    <concat>
    <s>user.accounts[</s>
    <s>RACF</s>
    <s>].name</s>
    </concat>
    <s>RACF</s>
    </set>
    <set>
    <concat>
    <s>user.accounts[</s>
    <ref>resourcename</ref>
    <s>].gapracfid</s>
    </concat>
    <ref>applicationuserid</ref>
    </set>
    <set>
    <concat>
    <s>user.accounts[</s>
    <ref>resourcename</ref>
    <s>].identity</s>
    </concat>
    <concat>
    <s>uid=</s>
    <ref>applicationuserid</ref>
    <s>,ou=racf,ou=Applications,dc=gap,dc=com</s>
    </concat>
    </set>
    <set>
    <concat>
    <s>user.accounts[</s>
    <ref>resourcename</ref>
    <s>].firstname</s>
    </concat>
    <ref>user.accounts[Lighthouse].firstname</ref>
    </set>
    <set>
    <concat>
    <s>user.accounts[</s>
    <ref>resourcename</ref>
    <s>].lastname</s>
    </concat>
    <ref>user.accounts[Lighthouse].lastname</ref>
    </set>
    <set>
    <concat>
    <s>user.accounts[</s>
    <ref>resourcename</ref>
    <s>].fullname</s>
    </concat>
    <ref>user.accounts[Lighthouse].fullname</ref>
    </set>
    </block>
    </expression>
    </Action>
    <Action id='3' name='Check In User View' application='com.waveset.session.WorkflowServices'>
    <Argument name='op' value='checkinView'/>
    <Argument name='view' value='$(user)'/>
    <Argument name='authorized' value='true'/>
    <Argument name='Form' value="Empty Form"/>
    </Action>
    <Transition to='end'/>
    <WorkflowEditor x='244' y='48'/>
    </Activity>
    When i run this in the IDM I can see all the entries but only first one is actually created on the target resource. When I open the user object in IDM and hit Save button IDM creates the accounts on the target system.
    I have already tried by using the refresh view just before the checkin view action but no luck..
    Any help for solving this problem would be appreciated.
    Thanks

    Thanks for the reply... in my case this would be done by the active synch process so no GUI form is required. I will be getting a list of application ID for the user by LDAP AS. One i get it i will have to parse it and get the list of application user id. I am passing those ID;s to a workflow where I am forming the resource name as you mentioned
    for example:
    If i get user1#user2#user3 from AS i am separating them based on # using split and getting 3 different user id;s
    now i am forming a string with the resource name and passing it to the sub process in which i am checking out the user object, setting the user attributes and checking in the new view.
    user1#LDAP
    user2#LDAP|1
    user3#LDAP|2
    Problem ; When i run this user1 is getting created in LDAP but user2 and user3 are not. There entry is getting created in IDM.
    When I open the IDM object I get a yellow triangle (warning) and if I open the user object and hit save button IDM creates the user account on the LDAP.
    any help for further solving this problem would be appreciated.
    Regards,

  • Multiple accounts on the same resource in Oracle Waveset 8.1.1 patch 5

    Hi IDM Experts!
    I've customized my userforms in order to create multiple accounts on the same resource using the syntax accounts[<resourceName>|n].<attribute> like the documentation suggests. That worked fine using Sun Identity Manager 8.1.
    However, I've not been able to create new multiple accounts after I upgraded to Oracle Waveset 8.1.1 patch 5.
    Is there anything else that I have to take into account for this new version? Is that a bug?
    Thanks in advance for your help!

    Thanks for the reply... in my case this would be done by the active synch process so no GUI form is required. I will be getting a list of application ID for the user by LDAP AS. One i get it i will have to parse it and get the list of application user id. I am passing those ID;s to a workflow where I am forming the resource name as you mentioned
    for example:
    If i get user1#user2#user3 from AS i am separating them based on # using split and getting 3 different user id;s
    now i am forming a string with the resource name and passing it to the sub process in which i am checking out the user object, setting the user attributes and checking in the new view.
    user1#LDAP
    user2#LDAP|1
    user3#LDAP|2
    Problem ; When i run this user1 is getting created in LDAP but user2 and user3 are not. There entry is getting created in IDM.
    When I open the IDM object I get a yellow triangle (warning) and if I open the user object and hit save button IDM creates the user account on the LDAP.
    any help for further solving this problem would be appreciated.
    Regards,

  • Multiple account AD resource error

    Hello All,
    I am trying to create a new account type that will have admin privileges.
    I uploaded the following xml via configure->import exchange file
    <Rule subtype='IdentityRule' name='AccountId is User Name'>
      <ref>attributes.accountId</ref>
    </Rule>
    <!-- Simple example using prefix to indicate type of account -->
    <Rule subtype='IdentityRule' name='Administrator Identity'>
      <concat>
      <s>admin</s>
         <ref>attributes.accountId</ref>
      </concat>
    </Rule>
    </Waveset>when I try to assign this role to a new or existing user for my AD resource I get the following error.
    com.waveset.util.WavesetException: Error opening object 'LDAP://xx.xxxx.xx/admintest1234': ADsOpenObject(): 0X80072032: , 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of: 'admintest1234' , An invalid dn syntax has been specified.
    I configured the resource for multiple account types via edit identity template ->types of accounts.
    Your help would be greatly appreciated.
    Thanks
    Clear

    Yes, you got this wrong. When you provide an identity rule, the identity template isn't processed. So when you have a template in the form of
    cn=$accountId$,ou=Staff,dc=example,dc=comIt is not sufficient to return a value for $accountId$ but instead you need to return a valid DN in the form of
    cn=admintest,ou=Staff,dc=example,dc=com

  • FecthAccounts on resources with multiple types of accounts

    Hello,
    I'm customizing the rename user form so I can modify some account attributes that are related to
    accountId and rename them in a propper way. For getting all account attributes on all resources I set
    fetchAccounts form property to true but only attributes on resources whose identity template is
    simple - It's not a resource with multiple types of accounts - are retrieved.
    The attributes of the resource with a setup of multiple types of accounts are not retrieved with fecthAccounts
    set to true. Has that happened to you ?
    Any clue ?
    Thanks,
    Pablo C.

    You can use Correlation Id for this Purpose. Producer should set Correlation id while posting the message and Consumer can check for Correlation id while dequeue.
    I did have this requirement before and used correlation id for it.
    http://sriworks.wordpress.com/2009/10/22/conditional-dequeue-mq-adapter/
    Or Just Accept Opaque Payload and tweak in BPEL Process using TranslateFromNative function.

  • Down payment with multiple account assignment PO

    Dear Experts,
    While posting down payment request through transaction F -47 with
    reference to purchase order we are getting below given error.
    In that purchase order we have given
    multiple account assignment i.e. multiple cost centers (e.g. Cost center A  50% cost center B 10% Cost Center  C 40% i.e. distribution by %)
    but
    system is flagging message
    Item 00010 of purch. document 4500024875 contains no suitable account
    assignment
    Message no. ME717
    What will be the possible cause?
    regards,
    Abhijit

    Hi,
    In the request f-27 tr.code give the purchase order which item you want to give ie., for above said example 10 is a line item of 4500024875 - purchase order and beside you have to mention
    10(lineitem) 4500024875 (purchase order) 2009 (year)
    and system will take that request against the above purchase order.
    Regards,
    satish

  • Software updates won't install with multiple accounts

    I'm using an iMac with multiple accounts.  When I go to update software, the box comes up and lists the updates. Great.  When I click install, it says it must restart in order to install the updates. Fine.  But after it restarts it goes to the login page, and once I login, it seems to forget that it's in the midst of an install. I've tried this many times, from many other accounts.
    How can I get it to follow through with the updates without getting stuck at the login page?
    Thanks

    Are the apps installed in the main Applications folder or in each User's Applications folder? Apps installed in the root folder will be available for each user. Apps  installed in a User's Applications folder is individual to that User. You can drag these apps to the root Applications folder for easy updating.
    Macintosh HD Root folders
      Applications <--
      Library
      System
      Users

  • Multiple account assignment category for one line item in PO

    Dear Experts,
    We are on SRM 5.0 ECS
    One line item of a PO has multiple account assignment category with the cost distribution for
    1. Cost Center - 50%
    2. Order          - 50%
    Is it possible?
    As per my understanding one line item in a PO can have only one account assignment category
    Regards
    Mick

    Hi,
    Yes it is possible by Po line item.
    Just go to transaction bbp_poc through the web interface.
    Select your PO
    Select your line item PO.
    goto the account assignment tab (item overview)
    you get a cost distribution field in percentage
    then you get a cost distribution button : click it and you get several lines where now you can split your 100% in as many lines as you want.
    BR,
    Disha.
    Pls reward points for useful answers.

  • PO with multiple account assignments - non valuated / valuated GR

    Hi Experts,
    If I create a PO for goods with multiple account assignments the GR will not be valuated, but if I do the same for a service PO the GR will be valuated.
    What is the reason for this?
    Thanks in advance,
    Francisco Melo

    Hi,
    There is more of a qualitative response to the issue, rather than quantitative, If you go through SAP Note 204252 for GR of material it says that: "We have not implemented this function since users who post goods receipts would have to determine the distribution to individual account assignment items during partial deliveries. Generally, users cannot or should not determine this.
    An automatic distribution also causes problems and is also not implemented due to technical reasons".
    Means basically here a stores guy is doing GR and he maynot be competent enough to decide on the Account assignment front.
    However in general the service entry sheet is filled by departments who have got the work done, and are aware of the account assignment for that work.
    Hope this is helpful for you.
    Regards
    Chandra Shekhar

  • OIM 11g r2 disabling multiple account provisioning

    Hello all,
    I have a question, in oim 10g and 11g, on resource object there was a "allow multiple" checkbox.
    So you could configure your resource if you want to prevent it from multiple provisioning.
    But in 11gr2 I cannot see that checkbox.
    How can i configure my resource as it is going to disable multiple account provisioning?

    Is there anyone who can help?

  • Changing field staus group for multiple accounts

    Hi,
    Is it possible to change the FSG for multiple accounts at the same time, or does it have to be done one by one through FS00?
    Thanks and Regards

    Hi Sam,
    Try this t-code :
    OB_GLACC12
    Hope it is useful.

Maybe you are looking for

  • Help needed with a small XCode project...

    So I probably have found a way to disable command-tab app switching by updating the PullTab APE module to work with Leopard. I just need someone who knows it's way around XCode. I've been in contact with the author of PullTab, and he's confirmed that

  • Vendor Down Payment should not exceed Total PO Value

    Dear All, We want to restric the Vendor Down payment to total PO value and system must not allow to post the Down payment more that Total PO value. Eg. Material value - 1000 Tax                     100 Other charges    150 Total PO Value - 1250/- Now

  • IPod Touch 4G intermittent WiFi connection.

    I have already resetted my Network Settings and my router is in 100% working condition.  Short of going to the Apple Store is there any other troubleshooting that I can do?

  • BAPI Credit Memo Request w/r billing doc

    Hi everyone, I need to create credit memo request via VA01 with reference to billing document. Is there any BAPI or FM available? Thanks in advance.

  • IPhoto Facebook Upload of Large Panorama

    I just uploaded a panorama to facebook. iPhoto shows the picture in the facebook album, but it does not appear in the album when you look on facebook. The file is about 30mb so it might be a size issue, but iPhoto should error out and say so rather t