Authorization Policy for Modify user in OIM 11gR2

Similar Messages

• Usr_key: Modifying user in OIM 11gr2

  Hi Experts,
  My requirement: while modifying the user i need to get the "usr_key" or "User Login" of that user for further use.
  I am new to OIM, so can anyone of you help me in resolving my isseu.
  Thanks in advane.

  Hi
  Can anyone let me know the steps to restrict modify user operation for the users belonging to specific organization in OIM 11gR2. The condition which I specified under Authorization Policy in APM console is not triggering at all.
  Thanks!

• Not able to create request for multiple user in oim 11gr2

  Hi,
  I am trying to assign a resource to multiple user using oim identity console as System Administrator.
  But when i am assigning the resource to multiple user its taking the same value for both the users.
  Please let me know how to add the different value for different users.
  Thanks

  That's the rules of how it works.  A request has 1 request form per resource for all users on the request.  Those fields must all be marked as available in bulk as well to be viewed if you have more than 1 user on the request.  If you need to provide different values based on the user, your best option is pre-populate adapters on the process form and use logic to populate the fields.  You will not be able to manually provide different values during the request.
  -Kevin

• Authorization Policy for only search users

  Hi all,
  I need create a custom authorization policy for only search all users in create request. The users can't see any profile information of others users.
  Anyone can help me ?
  Regards,
  Joel

  ViewUser Admin Role can search and view users by default. Since the OES policies for this admin role has action as ViewSearch Entity. In your case, you can write EL's to hide Admin tab which will hide Admin ltab links based on current logged-in user profile.
  http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/uicust.htm#BABHBFGH

• Help Required With Access Policy Trigger On Enable User In Oim 11gR2

  My scenario is:
  We have a created a access policy for the user.
  Scenario1:
  As soon as the role is added to user, the account is provisioned.  -Working
  Scenario 2:
  As the user is disabled, the account gets revoked-Working
  Scenario 3:
  As the user is enabled, the new instance of the account should get provisioned.(It was earlier working in 11G r1)
  "Evaluate User Policies " is running every ten minutes.Manually also triggered it. but the account doesn't get provisioned after the user is enabled.
  Any inputs?
  Please help

  Your Scenario 2:
  As the user is disabled, the account gets revoked-Working ----> ITS WRONG if you are using OOTB feature of OIM
  -> When the user gets disabled, the accounts should get disabled. The result which u are getting above is not OOTB. Have you made any customization to any logic?
  Just for your info, there is one system property which is used to enable disabled resources when the user is enabled:
  http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/system_props.htm#OMADM884
  Enable disabled resource instances when a user is enabled
  If the value is TRUE, then the disabled resource instances are enabled when a user is enabled.
  XL.EnableDisabledResources
  TRUE

• How to Apply a Newly Created Access Policy on Existing Users in OIM????????

  How to Apply a Newly Created Access Policy on Existing Users in OIM?
  When the rule is getting failed the user is getting removed from the group but resource is not getting revoked. This is happening only for the old uses..for the users which i created now it working fine..i mean its resource is getting revoked.
  (Retrofit access policy" is checked on the Access Policyand Revoke if not longer applied is checked.)
  For the old users i see the POl_Key is null, for new users i see a value '10'. So i updated the pol_key for old users same as it got generated for new users '10'.
  i even updated the form version too but still revoke doesn't work.
  I cant go for the below approach..
  In order to apply a newly created Access Policy on existing users, one has to make sure that:
  1) "Retrofit access policy" is checked on the Access Policy.
  2) Then run the "Set User Provisioned Date" Schedule task to apply the Access Policy on the existing users in OIM.
  Note: After 9.1.0.1 BP03 the access policy execution has been moved to a new scheduled task "Evaluate User Policies" as mentioned inDocument 839368.1 :How to Use Access Policies to Provision with Groups.
  Is there any other approach i can try.. if you have any idea please reply me asap
  Thanks..

  Thanks for the reply kevin..
  We decided to try the Schedule task (Set User Provisioned Date).
  But i see one problem here after seeing this post in metalik --> Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]
  According to this post Access Policies framework does not manage users who are obtained either through trusted reconciliation or target reconciliation.
  Is there any custom way to achieve this??
  How does the access policy framework revoke resource work? (revoke if no longer applies)??
  Edited by: IDMuser19 on Jun 21, 2011 11:43 PM

• Manually execute a povisioning task for a user in OIM 11g

  Experts,
  In OIM 11g, I would like to execute a resource provisioning task for a user thru OIM admin console.
  In OIM 10g, when we select a resource profile for a user, it used to show the list tasks that are executed. There we can add a new task to run manually there.
  How to do the same in OIM 11g. in OIM 11g, it is not even showing the lists of tasks executed during provisioning.
  Please let me know.

  If you are talking about manually adding the provisioning tasks to a user for a particular resource, then you can go to the resource profile of the user, select the particular resource -> click the 'Resource History' button on the right corner and from there you can manually add the tasks.
  -Bikash

• How to change password for  XELSYSADM user in OIM?

  Hello Gurus and Experts!
  How to change password for XELSYSADM user in OIM?
  Your help is appreciated.

  Follow the undermentioned steps to change the password:
  1) Change the password from oim Design Client as usual.
  2) Open xlconfig.xml present in <XL_HOME>\xellerate\config folder.
  3) This step is optional and should only be used if you have a <XLPassword encrypted> tag in the <Scheduler> section. In the scheduler section, change the encrypted="true" to encrypted="false" and replace existing encrypted password with new clear text password, as shown below:
  <Scheduler>
  <XLUserName>xelsysadm</XLUserName>
  <XLPassword encrypted="false">NEW_PASSWORD</XLPassword>
  </Scheduler>
  4) Restart server.
  Now login with the new password.

• Authorization key for a user

  Hi experts,
  How can i get the authorization key for the user.

  thanks for the reply
  when iam creating a sales order , i need to check wheather the user creating the sales order has authorization depending on the authorization key

• How to reset password for  XELSYSADM user in OIM?

  Hello Gurus and Experts!
  How to change password for XELSYSADM user in OIM?
  Your help is appreciated.
  Edited by: mc2 on Aug 25, 2011 4:27 PM

  Follow the undermentioned steps to change the password:
  1) Change the password from oim Design Client as usual.
  2) Open xlconfig.xml present in <XL_HOME>\xellerate\config folder.
  3) This step is optional and should only be used if you have a <XLPassword encrypted> tag in the <Scheduler> section. In the scheduler section, change the encrypted="true" to encrypted="false" and replace existing encrypted password with new clear text password, as shown below:
  <Scheduler>
  <XLUserName>xelsysadm</XLUserName>
  <XLPassword encrypted="false">NEW_PASSWORD</XLPassword>
  </Scheduler>
  4) Restart server.
  Now login with the new password.

• OIM Authorization policy for specific resource

  Hi gurus,
  Can we create an authorization policy in OIM 11.1.1.5 for allowing resource administrators to add/modify a specific resource only?
  Example: For all users, Admin user-A should be able to add/modify AD resource only.
  Admin User-B should be able to add/Modify iPlanet resource only
  Thanks in advance.
  -J

  OIM 11.1.1.5 authorization policies do not extend to resource operations, only operations on OIM users and roles. For restricting operations on resources you can set data object permissions on the resource objects themselves. An alternative approach in OIM 11.1.1.5 is to provision resources via requests, where you can limit requests to work with specific allowed resources and be accessible to specific administrators.

• How can I set OIM password policy for OID Users.

  Hi,
  For me the target resourec is OID. When I create users in OIM, they get provisioned to OID. Their password also gets stored in OID.
  Now, I have a password policy in OIM. In that policy, the password exipration day is set to 28 days. After 28 days, the user's password will expire in OIM. Is there any way that password will also expire in OID too, so that user will not be able to login in OID?
  Thanks in advance.

  You need to do the following.
  1. Find the attribute in OID that determines the disable date.
  2. Add a field to your provisioning process definition form.
  3. Using a pre-populate adapter, use an input of your oim user account expiration date, and convert that to the format OID uses.
  4. Update your lookup for provisioning attributes to include this new field to map the field name to the OID attribute.
  5. Create an "Updated" task for this field so that when it gets changed, the new value is pushed to OID.
  6. Create a user form trigger value for the field that maps to the oim user account expiration field. For this trigger, add a task to your oid provisioning process that does the same tasks as your pre-populate adapter to determine the new date value and pass it to the field on the process form.
  Now when the OIM expiration date changes, this value will be passed to OID, and also when the account is first created.
  Does this work for you?
  -Kevin

• How to apply Software Restriction policy for specific user in local group policy object ?

  I am working on implementing user based software restriction policy programmatically for local group policy object.
  If i create a policy through Domain Controller,i do have option for software restriction policy in user configuration but in local group policy editor i don't have option for that.
  When i look for the changes made by policy applied from Domain Controller in registry, they modifies registry values for specific users on path HKEY_USERS\(SID of User)\Softwares\Policies\Microsoft\Windows\Safer\Codeidentifiers
  They also have registry.pol stored in SYSvol folder in Domain Controller. When i make the same changes in registry to block any other application, application is getting blocked.
  I achieved what i wanted but is it right to modify registry values ?  
  PS:- I am using Igrouppolicyobject API

  I achieved what I wanted but is it right to modify registry values ?
  You also can modify a registry programmatically based policy. Check this:
  http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• PF attribute modification in Access Policy for existing users.

  Hi Guys,
  I have an access policy for provisioning a resource. Suppose if I make some changes for the process form attribute value inside the access policy,How can I have the same attribute value reflected in the process form of users who are already provisioned by the access policy?
  Direct database update wont be a good idea here as I am having multiple access policies for the same resource. Is there any table which is having the relation between provisioned resource and curresponding access policy if at all I have to go for a custom scheduled task?
  Thanks,

  Does this solution also supposed to work in OIM 11g? I Tried it but data on the main form does not get reflected on the process form of existing users. For child data it does work.
  Edited by: bsteen on Aug 5, 2011 5:21 AM

• Different Password Policy for Different User Groups in ACS 4.2

  Hi All,
  Can some one provide a solution for the below requirement?
  We do have ACS 4.2 appliance managing firewalls of different clients. The users are common i.e, helpdesk administrators. One of the client came up with setting different password policy for managing their devices i.e, the client wants to have min 15 characters as password length. We do have currently 8 characters as min password length. Can we change the password policy to min 15 characters only for managing the firewalls of this client whereas for all other client firewalls we feel better to have 8 characters as min password length?
  It seems that these password policies are global & affects all the users.
  This is something like, having two sets of password (for each user) policy depending on the client which he is going to manage.
  For my knowledge, i think that this is not possible. But, thought to cross-check with experts!
  -Jags.

  Hi jags,
  Yor're correct. Password policy on ACS will affect all internal user. We can't create different password policies for diferent clients/connections/set_of_users
  Password validation options apply only to user passwords that are stored in the ACS internal database. They do not apply to passwords in user records in external user databases; nor do they apply to enable or admin passwords for Cisco IOS network devices.
  HTH
  Regards,
  JK