Attributes in resource account exclusion rule

Similar Messages

• Resource account attribute names during reconciliation

  Hi,
  I need to set some attributes when creating the IDM user during initial reconcilation from an LDAP resource. I understand only the waseset and LDAP user attributes are available during the reconciliation. Does anyone know how to refer to the resource account attributes?
  I tried to put this in my proxyuser form:
  <Field name='accounts[Lighthouse].uvaDepartment'>
  <Derivation>
  <invoke name='listToString' class='com.waveset.util.Util'>
  <ref>accounts[LDAP].ou</ref>
  <s>; </s>
  </invoke>
  </Derivation>
  </Field>
  uvaDepartment is a extended attribute in the IDM schema, and ou a multivalued LDAP atribute. But uvaDepartment remains empty.
  Greetings,
  Marijke

  thanks,
  I found out the problem was caused by not setting thel user password in the resource parameters page.
  I set up a temporay form and debugged the attributes from the Active Directory. Somehow, the password has already been populated with a (random) value. To be sure, I'll use your suggestion to generate a temporary password to ensure it conforms to my own Password Policy :
          <invoke name='generatePassword'>
            <new class='com.waveset.provision.PasswordGenerator'>
              <ref>:display.session</ref>
            </new>
            <invoke name='getObject' class='com.waveset.ui.FormUtil'>
              <rule name='UWS-RLB-Utils:GetLightHouseContext'/>
              <s>Policy</s>
              <ref>My-Password-Policy</ref>
            </invoke>
            <new class='com.waveset.object.WSUser'/>
          </invoke>

• How to get an account with an IsICP -"R" attribute calculated in the HFM Rule file

  Till recently everything was going fine with the calculations in our HFM setup ( Version 4.1)
  We have say around 8 Expense accounts which roll up into a Parent account say ALL446 which finally rolls up into Operating Expenses.
  Operating Expenses
    |__ parent account
        |_INVALO
         |_ALL446
            |__222446
            |__242446
  And we have a calculation in the rule file as below
  HS.EXP "A#BE FIXED COST = A#Operating Expenses +A#SGA - A#BE VC OP F10"
  This was calculating correctly till we did the below change
  Added IsICP attribute to couple of accounts say 222446 and 242446 ( in the above example) in the metadata which finally rolls up into Operating Expense.
  Note: we did not add any Plug account attribute to the accounts
  Now the problem what we have in hand is -> Fixed Cost is not calculating correctly.- It happens that the two accounts for which we added the IsICP are not showing up in the calculation and the data in those two accounts are not adding up in Fixed Cost.
  POV in GRID/Excel -> actual,2013,periodic,<Entity Currency>, ICP Top, AllCustom1, AllCustom2, AllCustom3, None( for custom4)
  But when we retrieve Operating Expenses in Excel - it is showing the correct amount, even in the grid - but looks like when the rule tries to calculate Fixed Expenses using the above rule - these accounts are not adding up in the Operating expenses.
  I tried the formula ( to check what number is coming into Fixed cost ) - the result is zero - But in the grid/excel I see amount for acct2. Same POV as above
  HS.EXP "A#BE FIXED COST = A#222446"
  and if I add & Tops to the account like below ( getting some weird number instead of what is there in acct2)
  HS.EXP "A#BE FIXED COST = A#222446" & Tops
  Questions:
  1) Where exactly I am going wrong ?
  2) Is it MANDATORY to have a Plugaccount attribute when we have IsICP turned to "R" ?
  3) What will happen if we do not have a Plugaccount for the IsICP account ?
  4) How to correct the formula to make sure I get the number in the acct2 into Fixed Cost??
  5) Do we need to have the IsICP turned on to the immediate parent of the account having IsICP and the Top parents of the account too??
  6) Is it possible to get the exact number what we have in 222446 into BE Fixed Cost account via Rule?- why I am not getting it
  Notes:
  BE Fixed Cost-> account type -"Expense", IsCalculated - yes, IsConsolidated - yes, IsICP- N, Custom1TopMember - AllFunctions, Custom3TopMember- AllCustom3, enabled allcustom1,2,3,4aggregations
  Operating Expenses->"Expense", IsCalculated - No, IsConsolidated - yes, IsICP- N, Custom1TopMember - AllFunctions, Custom3TopMember- AllCustom3, enabled allcustom1,2,3,4aggregations
  INVALO ->"Expense", IsCalculated - No, IsConsolidated - yes, IsICP- N, Custom1TopMember -none, Custom3TopMember- none,
  enabled allcustom1,2,3,4aggregations
  Problematic account 222446 -> "Expense", IsCalculated - No, IsConsolidated - yes, IsICP- R, Custom1TopMember - Operations, Custom3TopMember- AllCustom3, enabled allcustom1,2,3,4aggregations
  The Entity on which I am trying to get the data( mentioning wherever I have attributes for this entity)
  DefCurrency - DEM, Allowadjs- enabled, IsICP - enabled, Userdefined 2 - financial, - SecurityasPartner attribute - is not selected through out the applicaiton.
  Variable
  Tops = ".I#[ICP Top].C1#AllCustom1.C2#AllCustom2.C3#AllCustom3.C4#[None]"
  tried attaching the attachments ( but service is unavailable)
  Waiting for all of your valuable suggestions..

  1) why was I not getting the formula right when I use & Tops
  I'm assuming that BE Fixed Cost has N for IsICP, in that case you can not write to invalid intersections as it would attempt to use the same ICP information
  2) Is it MANDATORY to have a Plugaccount attribute when we have IsICP turned to "R" ?
  No
  3) What will happen if we do not have a Plugaccount for the IsICP account ?
  It will not run eliminations
  4) Do we need to have the IsICP turned on to the immediate parent of the account having IsICP and the Top parents of the account too??
  If you want it to rollup, yes you would need that.  We have all Parent accounts as isICP set to Y and top member to ICP Entities so that they roll up
  5) which will have priority the rule or the Grid where we have the calculated member like the BE Fixed Cost - because in the grid I had icptop, allcustom1,2 3 and when had & Tops to the account - I got some weird numbers...
  I'm not following the question here, grids are just really a display mechanism, rules will handle all of the calculations.

• How to find out if a user has no more resource accounts?

  I want to check to see if a user has no more resource accounts tied to it. The only resource account left is Lighthouse and nothing else.
  Do you know how I do this?
  Thanks

  I was able to find disabled users using the below code. Does anyone know how I can find users who have only Lighthouse account and nothing else? I want to add this to the search criteria.
  <Action id='0' application='com.waveset.session.WorkflowServices'>
  <Argument name='op' value='queryObjectNames'/>
  <Argument name='type' value='User'/>
  <Argument name='single' value='false'/>
  <Argument name='attributes'>
  <map>
  <s>lhdis</s>
  <s>true</s>
  </map>
  </Argument>
  </Action>

• Document Access for resource accounts

  Hello,
  Anyone know if it is possible to create a shared folder in a resource account and import documents into it?
  We want to have an admin account which would be used to hold forms, policies, etc. When its created under a user account and the user moves on we have to recreate the shared folders with documents etc. If it was a resource account we could just change ownership.
  Thanks,
  Tom

  Hello Danita,
  So would this be a simple properties change of the "Author"? Or some other attribute from Console One or something.
  Thanks!
  Tom
  Originally Posted by dzanre
  taphillips wrote:
  > Thanks for the reply. I suppose we would have to find a way to change
  > ownership of docs when a user moves on...
  That's easy enough to do. Easier if you remember to do it before you delete the
  user account (i.e., you can reassign all documents from user1 to user2). But if
  you forget there is a routine to run to assign all "orphaned" docs to a
  particular account as well.
  Danita
  Novell Knowledge Partner
  Are you a GroupWise Power Administrator? Join our site.
  http://www.caledonia.net/register
  If you find this post helpful and are logged into the web interface,
  show your appreciation and click on the star below...

• Linking resource accounts to access policy from a database

  As part of the seeding process, we assign roles to the users and then run the recon to assign resources to the user. We have an access policy which is supposed to assign AD resource when a User has an Employee role. After we seed all the existing users, we enable to policy to assign AD for the new users, but since we recon the user's instead of access policy, it doesn't link the access policy to resource account.
  How can I link those two in the database so next time when someone is removed from the Employee role, it will also remove the AD account. I tried setting the pol_key attribute in UD_ADUSER with the id of the policy found in table pol but that didn't help.
  Thanks

  As part of the seeding process, we assign roles to the users and then run the recon to assign resources to the user. We have an access policy which is supposed to assign AD resource when a User has an Employee role. After we seed all the existing users, we enable to policy to assign AD for the new users, but since we recon the user's instead of access policy, it doesn't link the access policy to resource account.
  How can I link those two in the database so next time when someone is removed from the Employee role, it will also remove the AD account. I tried setting the pol_key attribute in UD_ADUSER with the id of the policy found in table pol but that didn't help.
  Thanks

• Assigning Multiple Resource Accounts to IdM User Account in IdM 7.0

  Hi All -
  Has anyone tried assigning multiple resource accounts to a IdM User with IdM 7.0 by creating a Account type using Identity Rules. I tested it on Simulated Resource and it works fine. But for Active Directory, which has personal accounts and Admin accounts on different OU on AD, when I am trying to do the Bulk Upload. The bulk upload is able to do link up the Admin account on AD to user account. But then it tries to create an additional account as well even though the user that executed the Bulk action has a Blank form assigned. Has anyone been able to figure this out yet ? If yes, can you please provide some inputs on this ?

  Hi All -
  Has anyone tried assigning multiple resource accounts to a IdM User with IdM 7.0 by creating a Account type using Identity Rules. I tested it on Simulated Resource and it works fine. But for Active Directory, which has personal accounts and Admin accounts on different OU on AD, when I am trying to do the Bulk Upload. The bulk upload is able to do link up the Admin account on AD to user account. But then it tries to create an additional account as well even though the user that executed the Bulk action has a Blank form assigned. Has anyone been able to figure this out yet ? If yes, can you please provide some inputs on this ?

• Resource account creation

  I want to call some stored procedures against an AS400 when IDM creates (and deletes) an account on an AS400 server. How does one find out when a resource account is created or deleted against a resource, in the IDM work flows?
  Douglas

  I solved my problem. The issue was that while I did map the attributes correctly in the resource schema, I had failed to make the attributes global in the configuration. Once the attributes were made global things worked a lot better.

• ActiveSync - link resource account and password push

  Is it possible to push a password from an IDM account to a resource account at the same time as linking the two accounts, during ActiveSync?
  Scenario: I have an account in IDM and an account on a resource. I use ActiveSync to "discover" the account on the resource and link the IDM account with the resource account. At the same time I would like to push the IDM password to the resource. Thereby, synchronizing the IDM password with the resource password.
  I have unsuccessfully tried to accomplish this in many ways:
  1) Within the Admin GUI, I've edited an account and when I assign the resource to the account the password in IDM does not push to the resource.
  2) Within ActiveSync, I have used global.password, password.password, password.confirmPassword, password.targets, password.accounts[resource].selected
  NOTES:
  - when the account exists on the resource and IDM links to the resource account, the password does not push
  - when the account does not exist on the resource and IDM is required to create the resource account, the password is pushed
  At this point my guess is that I will have to kick off a workflow to trigger the password push as the ActiveSync cannot handle linking and subsequently updating an attribute on that resource at the same time. Any ideas would be helpful. Thank you in advance.

  I have been able to successfully push the password to the resource both during activesync and within the Admin console. However, I have found some inconsistencies with IDM that might need attention or an explanation.
  First off, the key to pushing the password from IDM to the resource in the above scenario is....within the Resource Schema don't map IDM user attribute "password" but map an attribute such as "resource_password" to the password field on the resource. When I did this, I was able to provision the resource to the user in IDM and push the password to the existing resource account.
  Secondly, there is an inconsistency with IDM and how it treats password and the other fields. I mapped lastname to a field on the resource. From the admin console, I edited the user and the only change I made was to provision the resource to the user (Resources tab). After saving this user, the lastname field from IDM was updated on the resource.
  Why doesn't this work with password?

• How to specify  inclusion and exclusion rules for File data sources

  This is the seed URL for a file data source: file://localhost/c:/myDir/
  I want to exclude indexing and searching of files under: file://localhost/c:/myDir/obsolete/
  What is the exact format for the exclusion URL?
  I have tried both file://localhost/c:/myDir/obsolete/ and /myDir/obsolete/
  but neither of it seems to work; it still indexes everything under /myDir/
  Should I just put: /obsolete/ as the exclusion URL?
  Also after initial crawling, if I change the inclusion and or exclusion rules and then run the crawler again, it should update the indexes accordingly. Is that right?
  The version of UltraSearch I am using is 1.0.3.
  Thanks for any help on this.

  Try "/c:/myDir/obsolete/"
  Changing inclusion/exclusion rule does not affect files already crawled. It onyl
  affects next crawling behavior.
  To do any DML to existing data set, use SQL directly on wk$url table under the instance owner.

• BPC NW - Error in Business Rule for Account transformation rule table

  hi
  I have given the Account transformation Rule to move Amount from Account A to Account B and then I have given the following script logic in the default script
  **RUN_PROGRAM CALC_ACCOUNT*
  *CATEGORY = Category*
  *CURRENCY = RptCurrency*
  *TID_RA = %TIME_SET%*
  *CALC=A*
  *OTHER = ENTITY=C1000*
  **ENDRUN_PROGRAM*
  But when I try to load data through Input schedule in Account A and expect amount to transfer to Account B, I m getting an error
  Book Name:Book4
  Application : PLANNING*
  Status : Failed*
  Submitted Count : 1*
  Accepted Count : 1*
  Rejected Count : 0*
  - Error Message -*
  Error running default logic (Business rules are not available)
  - Rejected record list -*
  Error converting records: The root element is missing.
  Can someone please advice me what to do ....

  hi Marcel,
  Lot of thanks for your answer.
  But I have used your logic after removing GROUPS as I dont have GROUPS dimension in my application.
  *RUN_PROGRAM CALC_ACCOUNT
  CATEGORY = %CATEGORY_SET%
  TID_RA = %TIME_SET%
  CALC=FX
  OTHER = [ENTITY=%ENTITY_SET%]
  *ENDRUN_PROGRAM
  This is the error I m getting
  Book Name:Book3
       Application     :     PLANNING
       Status          :     Failed
       Submitted Count     :     1
       Accepted Count     :     1
       Rejected Count     :     0
            - Error Message -
  Error running default logic (Business rules are not available)
            - Rejected record list -
  Error converting records: The root element is missing.
  Can you please advice
  a) Does it mean some issue with my client installation as I dont see these LGF files. I even dont see the data folder in which lgf files are supposed to be present
  b) Where to find information for this interface CALC_ACCOUNT? How did you decide to use 'FX' and how do you know which dimensions to use. Like I dont have GROUPS.
  Please give me your comments.
  regards
  Gaurav

• How to assign different passwords for different resource accounts

  Hi everyone,
  We have a situation where we have users with two resource accounts. They have different passwords with different lengths.We are using Flat file active Sync adapter to create users in both resources and there we are setting passwor.password field. But we need to set different passwords to every resource account and it is obviosly it can not be done with password.password field. We tried e password view before provisioning where we chekout the user and set the follwing parameters:
  <set name='userview.resourceAccounts.selectAll'>
  <s>false</s>
  </set>
  <set name='userview.resourceAccounts.currentResourceAccounts[RES1].selected'>
  <s>true</s>
  </set>
  <set name='userview.resourceAccounts.password'>
  <ref>accountId</ref>
  </set>
  <set name='userview.resourceAccounts.confirmPassword'>
  <ref>accountId</ref>
  </set>
  But it did not worked. So is there a way to set different passwords to different accounts in SUN IDM?
  Oh and forgot to mention we are using Sun Idm 8.1 patch 9.
  Best regards.

  I actually managed to change the required password but i copied this in Provision externeal Resources.
  <Action id='1' name='Check out password view' application='com.waveset.session.WorkflowServices'>
  <Argument name='op' value='checkoutView'/>
  <Argument name='type' value='Password'/>
  <Argument name='id' value='$(accountId)'/>
  <Argument name='authorized' value='true'/>
  <Argument name='subject' value='Configurator'/>
  <Argument name='TargetResources'>
  <List>
  <String>RES1</String>
  </List>
  </Argument>
  <Return from='view' to='userview'/>
  </Action>
  <Action id='2' name='reset password'>
  <expression>
  <block name='reset password' trace='true'>
  <set name='userview.resourceAccounts.selectAll'>
  <s>false</s>
  </set>
  <set name='userview.resourceAccounts.currentResourceAccounts[RES1].selected'>
  <s>true</s>
  </set>
  <set name='userview.resourceAccounts.password'>
  <ref>accountId</ref>
  </set>
  <set name='userview.resourceAccounts.confirmPassword'>
  <ref>accountId</ref>
  </set>
  </block>
  </expression>
  </Action>
  <Action id='3' name='check in password view' application='com.waveset.session.WorkflowServices'>
  <Argument name='op' value='checkinView'/>
  <Argument name='view' value='$(userview)'/>
  <Argument name='authorized' value='true'/>
  <Argument name='subject' value='Configurator'/>
  </Action>

• Framed IP Attribute missing in Accounting-Start messages from the ISG

  Framed IP Attribute missing in Accounting-Start messages from the ISG for the TAL Users. Account-Logon users and Interim updates have the Framed-IP though.
  We have the following command already enabled: aaa accounting include auth-profile framed-ip-address aaa accounting delay-start
  Any ideas or workarounds please?
  Debug:
  Aug 27 19:36:02.213: RADIUS(00000181): Send Accounting-Request to X.X.X.X:1813 id 21647/201, len 406
  Aug 27 19:36:02.213: RADIUS:  authenticator 23 FC FF 1B AC 01 77 B6 - 89 FE E2 9A 4E AA 0B 32
  Aug 27 19:36:02.213: RADIUS:  Acct-Session-Id     [44]  10  "000001BB"
  Aug 27 19:36:02.213: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  20 
  Aug 27 19:36:02.213: RADIUS:   ssg-service-info   [251] 14  "NBWAUTHSVC01"
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  34 
  Aug 27 19:36:02.213: RADIUS:   Cisco AVpair       [1]   28  "parent-session-id=000001BA"
  Aug 27 19:36:02.213: RADIUS:  User-Name           [1]   22  "[email protected]"
  Aug 27 19:36:02.213: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  25 
  Aug 27 19:36:02.213: RADIUS:   Cisco AVpair       [1]   19  "portbundle=enable"
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  23 
  Aug 27 19:36:02.213: RADIUS:   ssg-account-info   [250] 17  "SX.X.X.X"
  Aug 27 19:36:02.213: RADIUS:  Calling-Station-Id  [31]  19  "00-15-00-73-XX-XX"
  Aug 27 19:36:02.213: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug 27 19:36:02.213: RADIUS:  NAS-Port            [5]   6   0                        
  Aug 27 19:36:02.213: RADIUS:  NAS-Port-Id         [87]  11  "0/2/0/200"
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  46 
  Aug 27 19:36:02.213: RADIUS:   Cisco AVpair       [1]   40  "remote-id-tag=020a00000a050001000800c8"
  Aug 27 19:36:02.213: RADIUS:  Vendor, Cisco       [26]  36 
  Aug 27 19:36:02.213: RADIUS:   Cisco AVpair       [1]   30  "vendor-class-id-tag=MSFT 5.0"
  Aug 27 19:36:02.213: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  Aug 27 19:36:02.213: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.X            
  Aug 27 19:36:02.213: RADIUS:  Ascend-Session-Svr-K[151] 10 
  Aug 27 19:36:02.213: RADIUS:   39 45 41 39 39 36 44 44          [ 9EA996DD]
  Aug 27 19:36:02.213: RADIUS:  Event-Timestamp     [55]  6   1346096162               
  Aug 27 19:36:02.213: RADIUS:  Nas-Identifier      [32]  24  "LAB-RAS01"
  Aug 27 19:36:02.213: RADIUS:  Acct-Delay-Time     [41]  6   0    
  Thanks in advance.

  It seems you already have tac case opened for this issue? Let me know if that is not the case.

• Turn "Delete Resource Account" for Active Directory into rename/move/unlink

  My Windows sysad would like me to stop deleting Active Directory users; he's tired of cleaning up from dangling SIDs, and I don't particularly blame him. Instead, he would like the process of "deleting" an AD account to be more like:
  1. disable
  2. rename from cn=user to cn=user_999, where 999 is replaced with an incrementing number (jsmith_001, jsmith_002, etc.). (Or maybe he;d be Ok with jsmith_yyyymmddhhmmss...)
  3. move (probably in the same "rename" above) from ou=Employees to ou=4Delete.
  4. unlink account from user.
  We are assigning AD accounts through roles, and so the Delete Resource User (or Delete Resource Person?) task is invoked. Does anyone have a customized version of this task that differentiates between resource account types and handles the "disable/rename/move/unlink" AD account paradigm my sysad would like? -Les

  Hi,
  did you ever resolve this? If so, how did you work it out as we would like to do the same.
  Thanks.

• Resource account password set during User Update process.

  Hi friends,
  I added to the Update WF a step to initialize an account password when, during the update of the user, IDM creates the new resource account.
  This is an initial password (known).
  This event basically happens in two User's Update cases:
  A. when the account was (accidentally) removed from the resource
  B. when a new Role requires to add a new resource account to the user
  In both cases IDM (re)creates the user account on the resource.
  In order to set this account initial password, I check (in the Update WF) the value of 'user.update.toCreate': if it contains the resource name, then I set the pw after the account has been provisioned.
  This method fails during case B. only when, for some reason, the resource account already exists BEFORE the update starts: even if the account is already there, IDM sets 'user.update.toCreate', leading my step to reset the account password to the initial value.
  What could I check in order to avoid it? (I don't want to reset account passwords when linking existing accounts)
  The only way I see at the moment would be to query the resource at the beginning of the Update WF to check if the account is already there...
  MTIA

  Hi,
  Have you found a resolution to this problem?
  Thanks
  Edited by: sun_to_Orcl on Jan 31, 2010 8:28 PM