Auditing Roles to actual resource groups membership.

Similar Messages

• AD Group Membership revoked on adding new group through role and acespolicy

  Hi all,
  when a user is created in OIM, it is provisioned with Default Role say CONTRACTS which will provision AD Account and a default AD group membership.
  when I assign a new role membership say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But still the user is having both the roles CONTRACTS and BILLING.
  The ootb AD task, remove user from group is triggered.
  The problem is happening only in Testing environment.
  In development envi it is working fine.
  it is not removing the default group memberships.
  any ideas? thoughts? which I need to check.
  my oim server is 11.1.1.3.0, with weblogic setup.
  Edited by: Venu on Dec 2, 2011 1:06 PM

  Do one thing:
  Take New User
  Assign First BILLING
  Assign Second Group
  And then ASSIGN CONTRACT
  Update the results.
  It is happening in one env so you might have done some configuration or it could be env issue as well.

• Active Directory Group membership based on OIM Role

  In OIM 11g, is it possible to determine additional AD group membership based on role membership?
  If it is, could someone point me to documentation or give me a brief description of what to do in order to make this work?
  Thanks!

  In OIM 11g, is it possible to determine additional AD group membership based on role membership?
  If it is, could someone point me to documentation or give me a brief description of what to do in order to make this work?
  Thanks!

• Automatic Provisioning of resource through group membership

  Hello,
  I want to automatically provision a resource to a user if he is a member of a particular group.
  I have created the group,creted access policy(with approval = No) as well as group membership for that group .
  When I create a user and assign him the group and checks the resource assigned to him , that resource system validation remains in pending status.When I open the process form corresponding to it and without making any change just save it the resource assignment completes.
  plz tell me what is to be done to make it completely automatic.
  Thanks.

  Go to Process Def of that resource and select Auto Save check box there and try.

• Design question: Change Group membership for a AD resource via SelfService

  Hi all,
  based on the OIM tutorials, I designed OIM that way that an end user can successfully request a resource. Is there a way to allow end users to modify their resource "subscriptions"? For example, I would like to allow end users to change their AD group memberships after the initial provision to the resource.
  From what I have learned from the tutorials, I would assume to create an AD group membership attribute in the user account profile form and propagate changes to that attribute back to AD.
  Or is there a way to allow end users to change their resource data directly under "My Resources" ?

  there is no concept of requesting a modification of an already provisoned account. Like you said this can be achieved thru an attribute on the user's profile and on changing that attribute, downstream applications can be propagated the new value.
  Typically if changes to an already proviisoned account needs to be done in oim and through oim, an oim admin goes to the user's resource profile and clicks on edit on the process form and can edit any data there. in case of ad groups, there will be a child process form that shows the groups that the user is a member of, you can insert(add) new groups or delete existing groups from there and save the form. In the proviisoning porcess of AD you will need to write a porcess task, which should add/remove the user from the specified group in AD on the trigger when a new group is added or an existing group is removed wehn the admin is modifying the user's AD process form/process child forms in oim.

• Group Membership under Settings/My Account is not updating

  We use an External table for User permissions/Groups to get updated in Group Membership.
  We use our custom tool to create/update new/existing users with the permissions. Then our ETL picks up the changes from the OLTP tables and update User Permission table in our DWH hourly. Now let me explain the present situation. User ABC is an existing user and never used our Report Portal before, we updated ABC user with all the necessary groups to use Report portal and with curiosity she didn't wait until Hourly ETL run and she didn't had the necessary permissions to run any reports in Report portal. But when she login after 1hr/10 hr/ 1 day/2 day, the user won't see the Permissions getting updated in Group Membership. If we check the User permission table in DWH, it is updated with all the new roles, but it is never being updated in 'My Account' Answers. I think this is some kind of Presentation Cache issue, but I did clicked "Reload Files and Metadata" under Settings and "Close All Cursors" under Settings/Manage Sessions. You may also say it may be with the Caching on Initialization Block for the User Permission table, but we did Un-check the 'Use Caching' right below the Row-wise initialization for the corresponding Initialization block. We has 3 users with the same issue now. But when the user waits for certain time (for at least 1hr), and when they login after the actual hourly ETL ran, they were able to get in and use Report Portal without any issue. So, I am kind of sure this is something with CACHING and I might be missing some thing on Clearing this type of Cache. Could someone please help me out on this? This is in PRD and we are not able to find a solution. Any help would be appreciated!
  -Dinesh

  Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
  And I should try deleting the user folders, but my company has a very strict policy so I should do that in DEv, then QA and in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.

• Problem in AD Group membership Insert Error "Response: CURRENT_ATTRIBUTES"

  Hi all,
  I am using Oracle Identity and Access Management 11g (11.1.1.5.0) with Weblogic 10.3.5 and apply patch -11.1.1.5.4. I have install AD Connector (activedirectory-11.1.1.5.0) and recon Group, OU and Users as a target source Successfully. When I tried to provision user in AD user is provisioned successfully but got following error message in Group membership Insert.
  Task Name     -     Group membership Insert
  Resource Name:     AD User
  Description:     
  User:     Test User 10 [?TESTUSER10?]
  Status:          Rejected
  Response:     CURRENT_ATTRIBUTES
  Response Description:     Unknown response received
  Notes:
  Assigned to     User     :     System Administrator[?XELSYSADM?]
  Error Details
  Setting task status... "CURRENT_ATTRIBUTES" does not correspond to a known Response Code. Using "UNKNOWN".
  Schedule Detail
  Projected Start:     November 7, 2012 6:14:47 PM     Projected End:     November 7, 2012 6:14:47 PM
  Actual Start:     November 7, 2012 6:14:47 PM     Actual End:     November 7, 2012 6:14:48 PM
  Last Update:     November 7, 2012 6:14:48 PM
  Back to Resource Provisioning Details
  OIM LOG
  Running UPDATECHILDTABLEVALUES
  Target Class = oracle.iam.connectors.icfcommon.prov.ICProvisioningManager
  <ObjectClassInfos>
  <ObjectClassInfo type='Group' container='false' embedded='false'>
  </optionsByOperation>
  </Schema>
  java.lang.reflect.InvocationTargetException
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.UPDATECHILDTABLEVALUES(adpADIDCUPDATECHILDTABLEVALUES.java:111)
       at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.implementation(adpADIDCUPDATECHILDTABLEVALUES.java:56)
       at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
       at com.thortech.xl.dataobj.tcDataObj.runEvent(tcDataObj.java:2492)
       at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(tcScheduleItem.java:2917)
       at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(tcScheduleItem.java:547)
       at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
       at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(tcProvisioningOperationsBean.java:4042)
       at Thor.API.Operations.tcProvisioningOperationsIntfEJB.retryTasksx(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
       at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
       at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
       at $Proxy348.retryTasksx(Unknown Source)
       at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.__WL_invoke(Unknown Source)
       at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
       at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.retryTasksx(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
       at $Proxy172.retryTasksx(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
       at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
       at $Proxy347.retryTasksx(Unknown Source)
       at Thor.API.Operations.tcProvisioningOperationsIntfDelegate.retryTasks(Unknown Source)
       at com.thortech.xl.webclient.actions.ResourceProfileProvisioningTasksAction.retryTasks(ResourceProfileProvisioningTasksAction.java:702)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:269)
       at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(tcLookupDispatchAction.java:133)
       at com.thortech.xl.webclient.actions.tcActionBase.execute(tcActionBase.java:894)
       at com.thortech.xl.webclient.actions.tcAction.execute(tcAction.java:213)
       at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
       at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
       at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
       at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
       at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
       at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
       at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
       at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
       at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at com.thortech.xl.webclient.security.CSRFFilter.doFilter(CSRFFilter.java:76)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:121)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:107)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
       at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
       at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
       at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  Caused by: java.lang.NoSuchFieldError: CURRENT_ATTRIBUTES
       at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.getCurrentAttributes(ICProvisioningManager.java:408)
       at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.updateChildTableValues(ICProvisioningManager.java:485)
       ... 104 more
  com.thortech.xl.dataobj.util.tcAdapterTaskException: CURRENT_ATTRIBUTES
       at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.UPDATECHILDTABLEVALUES(adpADIDCUPDATECHILDTABLEVALUES.java:117)
       at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.implementation(adpADIDCUPDATECHILDTABLEVALUES.java:56)
       at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
       at com.thortech.xl.dataobj.tcDataObj.runEvent(tcDataObj.java:2492)
       at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(tcScheduleItem.java:2917)
       at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(tcScheduleItem.java:547)
       at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
       at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(tcProvisioningOperationsBean.java:4042)
       at Thor.API.Operations.tcProvisioningOperationsIntfEJB.retryTasksx(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
       at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
       at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
       at $Proxy348.retryTasksx(Unknown Source)
       at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.__WL_invoke(Unknown Source)
       at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
       at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.retryTasksx(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
       at $Proxy172.retryTasksx(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
       at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
       at $Proxy347.retryTasksx(Unknown Source)
       at Thor.API.Operations.tcProvisioningOperationsIntfDelegate.retryTasks(Unknown Source)
       at com.thortech.xl.webclient.actions.ResourceProfileProvisioningTasksAction.retryTasks(ResourceProfileProvisioningTasksAction.java:702)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:269)
       at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(tcLookupDispatchAction.java:133)
       at com.thortech.xl.webclient.actions.tcActionBase.execute(tcActionBase.java:894)
       at com.thortech.xl.webclient.actions.tcAction.execute(tcAction.java:213)
       at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
       at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
       at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
       at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
       at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
       at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
       at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
       at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
       at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at com.thortech.xl.webclient.security.CSRFFilter.doFilter(CSRFFilter.java:76)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:121)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:107)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
       at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
       at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
       at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)

  Hello
  1. Download the latest version of Connector Server.
  2. Stop OIM
  3. Take from Connector Server Distr:
  connector-framework.jar
  connector-framework-internal.jar
  to
  $XEL_HOME\apps\oim.ear\APP-INF\lib
  $XEL_HOME\ext\internal
  4. Delete temporary cached libs from:
  $DOMAIN_HOME\servers\$WEBLOGIC_NAME\tmp\_WL_user\oim_11.1.2.0.0\*
  5. Start OIM-server
  Записки на полях внедрения: java.lang.NoSuchFieldError: CURRENT_ATTRIBUTES

• Bhold attestation setup if FIM POrtal is already used for Group Membership

  Background - We had a FIM 2010 deployment in production deployment. Few
  months ago, we upgraded it to FIM R2. There are already about 4000 Criteria based Groups and Request Based Groups at FIM portal. FIM portal is used as an authoritative source for group membership.
  Problem Statement -  The requirement is to attest the existing and
  ongoing Request Based group membership of users using BHold User Attestation module. We want to continue FIM portal (not Bhold UI) as the end user interface for requesting the group membership.
  Hence, for metaverse' group object's member attribute, FIM Portal should have higher precedence than Bhold MA.
  From available documentation of Bhold, I understand that BHold is more suitable in cases where FIM Portal is not already the Group Membership deciding system. However, in our already existing
  deployment, both group membership is given by FIM portal. In fact this should be the case with all the FIM deployments before Bhold’ s release.
  Please suggest on how to attest the group memberships.
  Mayank Vaish

  I would not expect to have to attest group membership where that membership is controlled programmatically. The idea of Attestation is for a responsible person to attest and confirm that the membership of a given group/role/permission is correct (and remove
  users who don't need that permission). As long as someone responsible has attested that the rules that govern the automatic group membership are appropriate for the permission controlled by that group, then another round of attestation via BHOLD would seem
  like overkill.
  However, in the case where membership of FIM groups is managed via FIM's approval mechanism then there may well be a case for BHOLD attestation. It will depend on the business's audit requirements and how well the FIM logs are being maintained, and
  also the sensitivity/importance of the permission being managed by the group. If it is not possible to prove who approved membership of what group - and to confirm that that membership is still appropriate - then regular attestation may still be required,
  in which case BHOLD is an easier way of doing it than trying to build your own or do it manually.
  Cheers,
  Dave

• Gregory Johnson, Director of the Consumer Defense Resource Group, responds to the recent iPhone price drop.

  Gregory Johnson, Director of the Consumer Defense Resource Group, responds to the recent iPhone price drop.
  In a strange turn of events this week, some consumers are upset now because as of Wednesday (Sept. 5) Apple lowered the retail price of their iPhone by $200. The 8GB iPhone is now $400 rather than $600. Customers raised such an outcry that Steve Jobs has published an open letter in response.
  Apple and other companies are continually coming out with new products that usually offer more speed, more storage, more features, and cost less than previous models. Nobody has ever complained -- until now. Why haven't people complained in the past when Apple has had significant price drops and major upgrades on their other products? There wasn't a revolt then. There were no mobs of angry customers demanding rebates.
  My first CD drive was a 2X speed external drive that required a special interface card in the computer. It cost $1,200 and today better drives are available for about $30. My first scanner was a very slow and big unit costing over $1,000. Today, better scanners are available for under $100. My first computer cost more than $2,000 and had a 20MB hard drive. With 8GB of storage, the iPhone should cost about $800,000. So, $600 didn’t seem too expensive.
  I bought my iPhone for $600 knowing that by next year they would probably drop to about $300 or $400. I didn't think there would be a mid-year drop, but so what. I knew the trajectory of technology progress would mean that a better phone will be available in 6 to 9 months at probably a lower price -- more apps, faster, more features, more memory. It's a given. You buy something this month. Next month it will be obsolete. That's just the way it is. Perhaps Apple should put a disclaimer on their website stating: "Warning: Our products will increasingly become faster, cooler, more innovative, and offer greater value for the dollar as time goes on. Get used to it."
  Apple is progressing so quickly now, beyond any other technology innovation company, that this kind of thing is likely to happen again in the future with some other product of theirs. Are people going to complain each time? Must the company give out rebates each time? This all seems so silly. It’s no longer possible to compare Apple to other companies with regard to their ability to implement product improvements. It’s like dog years versus human years. Two months in Apple’s world of product development is equal to about 6 to 9 months for most manufacturers. I know it is difficult, but people need to get used to that.
  To the complainers out there, I have a few questions. Would you like Apple to be less innovative? Would you like Apple to not give you more value and voluntarily drop their prices by hundreds of dollars? Is that what you want? Don't get upset at Apple just because they are pushing the envelope of technical innovation and value from one month to the next. What if Apple released an 8-core computer this summer and then by fall they announced their new 16-core computer? This is the kind of development and progress pace we need to start expecting from Apple. The migration to Intel processors went much faster than anticipated.
  Some research suggests that the iPhone cost of materials are about $300. So, there had been some complaints that Apple is price gouging by selling the iPhone for twice that amount. What people don’t understand is that there are other costs in building a piece of technology and running a business beyond the electronic components that go into them. The actual cost per 8GB iPhone is probably about $550. When Apple sells them for $400 each, I calculate they are taking a loss on the phone of about $150 per phone. Why would a company do this? There is something called a “lost leader” in retail sales. It’s a product you sell below your cost in an effort to rapidly expand your customer base. I’m guessing this is what Apple is doing by offering the iPhone at such an amazingly low price.
  I'm planning to purchase an Apple notebook sometime soon. I'm not in a hurry, so I'm waiting until they announce the next major upgrade to their notebook line. I'm guessing it will be this fall. If I really was in a rush to get a notebook, I'd get one now, and then be a little disappointed when the new ones are announced -- but I wouldn’t be surprised. Instead, I'm waiting. I'd like to see built-in broadband cards (cellular data access) and LED back lighting in the 17-inch notebook. Perhaps larger hard drives and faster processors would be nice. It would be wonderful if it had an optical glass touch screen like the iPhone.
  This latest uproar reminds me of the consumer complaints about iPods scratching. For decades, portable handheld computing devices have been available. They get scratched, and nobody says anything. Anyone concerned about their device scratching can purchase a protective cover. Then Apple comes along and offers their product. Suddenly consumers are in an uproar about it scratching and there is a class action lawsuit. It doesn’t seem fair that the most progressive and innovative company out there is the one that gets beaten up by consumers the most.
  My comprehensive review of the iPhone can be found here:
  http://web.mac.com/resourcesforlife/journal/writings/Entries/2007/8/18iPhoneReview.html
  The Consumer Defense Resource Group is online here:
  http://www.resourcesforlife.com/groups/cdrg/
  The above article can be found here:
  http://web.mac.com/resourcesforlife/journal/writings/Entries/2007/9/7iPhone_Price_Drops_-_ConsumersUpset.html

  Junk Mail Designer wrote:
  I'm not biting.
  I've read too many reports in the media from people more highly credentialed than Mr. Johnson to the contrary.
  The analogies and comparisons are still way off. Production didn't get cheaper, the phone didn't get upgraded, no carrier's are subsidizing, retailer's are not discounting. Never has the MSRP of CD-ROMs, nor cellphones, nor HDTV's dropped this quickly in history.
  I'm tired and going to bed. But here's your assignment. Apple's price decrease rate is 33.3% in 67 days. What would a $10,000 item cost at that rate in one year?
  Actually product advancement and innovation are very much the central issue here. Apple has effectively "upgraded" the 4GB unit to 8GB and reduced the price by $100. It's all in how you look at it.
  The real issue of innovation and development has yet to be seen, but the recent price drop is an indicator that Apple already has something "in the shoot" to be released soon.
  I was thinking it might take a year for a new version of the iPhone to be announced. Yet, with the recent price drop, it seems they may be lowering the price on the original unit to make room for a new one. Which is my point exactly. Apple is so fast at innovating that they already have something new to release (that's my prediction).
  They can't release something new and sell the old units if the "something new" and the "something old" are at the same price. It makes sense that the 8GB unit would drop to $400 and the new one will be $600.

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.

• Error while creating resource group using non-globalzones.

  Dear all,
  Hi techs please guide me how to create failover resource group in nongloablzones.
  I'm getting error while creating resource group using non-globalzones.
  My setup:
  I have two node cluster running sun cluster 3.2 configured and running properly.
  node1: sun5
  nide2: sun8
  I have create non-globalzone "zone1" in node:sun5
  I have create non-globalzone "zone2" in node:sun8
  node:sun5# clrg create -n sun5:zone1,sun8:zone2 zonerg
  *(C160082) WARNING: one or more zones in the node list have never been fully booted in the cluster mode,verify that correct zone name was entered.*
  kindly guide me how to create Apache resource group using non-glabalzones, i'm new to sun cluster 3.2. please guide me step by step information.
  Thanks in advance,
  veera
  Edited by: veeraa on Dec 19, 2008 1:54 AM

  Hi Veera,
  Actually you are getting a warning message where one of two things could have happened. Either you specified an incorrect zone name or one of the zones has not been fully booted. It's likely that you haven't booted the zones, so please follow this:
  zoneadm list -iv
  If zone1 or zone2 are not running then boot and configure them
  zoneadm -z <zone> boot
  zlogin -C <zone>
  After that you can continue to follow the step by step instructions at
  http://docs.sun.com/app/docs/doc/819-2975/chddadaa?a=view
  These may also help
  http://blogs.sun.com/Jacky/entry/a_simple_expample_about_how
  http://blogs.sun.com/SC/en_US/entry/sun_cluster_and_solaris_zones
  Regards
  Neil

• OIM: What is the purpose of "Update" while editing group memberships

  Hi,
  This is when you lookup a user's Resource Profile and go to "Edit" link. The process form shows up along with a drop down to edit the group memberships. When we select one of the choices such as "Groups" another window pops up where we could add more entires into the child form. In this form there is an "Update" column with a radio button besides a "Remove" column. What is the purpose of this "Update" column? We can add or delete child entries but what does update do? Is there a way to remove this selection altogether?
  Thanks in advance

  Update I can see used for a cases where you have multiple columns on a child table entry and want to change one of them. Strictly speaking, you can update a single column child table rather than delete and insert also. Access policies always do insert and delete actions, but you will want to implement an update task as well if you expect anyone to be editing child tables on resources directly.

• OIM 9.1.0.2 Group Membership Removal for Disabled Users

  Hello
  In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. i was wondering if this is a set time and if so, can this be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
  Thanks
  Nick

  Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assinged to the account then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
  Thanks
  Nick

• Map a network drive by group membership

  Hello,
  I'd like to map network drives by group membership.
  To begin I just tried with this command.
  $TestMembers = Get-ADGroupMember -identity Test
  $TestMembers | foreach-object {New-PSDrive -name T -PSProvider FileSystem -Root \\MyServer\MyShare -persist}
  My network drive is well mapped but for all my domain users.
  Could you please tell me what's wrong in my command ?
  I know I could use Group Policy Preferences but I'd like to know the powershell command.
  Thanks by Advance.
  Seb.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  Hello,
  Thanks for your answer it will help me.
  Best Regards.
  Seb.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.