Auto Provisioning backend and appropriate portal group in CUP

Similar Messages

• Auto provisioning users and send email notification to the users

  I currently have CUCM 10.5 setup to auto register phones and I use Cisco prime provisioning 10.5 to auto provision the users.
  Self provisioning is setup and users can call the IVR number enter the self service ID, which is their DN.
  what I would like to do is send an email notifying  the end user of their setup and how to use their telephony device Example (Self-service ID: 8888, auth code: 3333) is this possible from Prime Provisioning or CUCM.

  Thanks Jamie
  Wishful thinking I guess. It would have been seamless if they added that form of email notification to end users when auto provisioning. Anyways to get around that I used MS word mail merge and used the same spread sheet I used to batch provision the users to send the Self-service ID to the email contacts.

• WCS 5.0.56.2 Auto-Provisioning

  In WCS 5.0 Cisco introduces Auto provisioning of WLCs.
  Unfortunately there is not much documentation available, except for option explanation.
  If i understood this right, Auto-Provisioning takes care of the initial setup of an out-of-the-box WLC. A very handy solution for wide spread WAN environment.
  Has anyone here been working with this option, and can direct me into the right direction?
  I try to auto-provide initial setup parameters from my WCS 5.0.56.2 to a WLC 4402 running 4.0.128.0 on a factory default configuration.
  I hooked up the WLC with his glasfiber and his management port to our management vlan and also configured DHCP on one of the switches for our management vlan.
  WCS is also hooked up to this management vlan.
  I created filters, in WCS for either Serial No. and MAC-ADDRESS providing required parameters for initial setup.
  Those filters remain idle, and the WLC doesn't recieve an IP-address from the DHCP scope configured.
  Am i missing something? Do i like this function to do things it is not supposed to do?
  Please let me know if someone had better experience.
  Cheers,

  Hey Sebastian,
  Could you tell us a little more? I try to make it work too, but with little success.
  What I do is:
  - create a config group from my controller templates, do not add any controller to this config group, put in it all templates from my controller (including the local management user and WLANs).
  - Create an auto provisioning filter, using this config group and my controller Ip addresses and MAC address, enable the filter and make sure it is not set to monitor only.
  - I do see a file with my controller MAC address created at that instant, so I am close to being happy.
  - In my DHCP server, option 150 points to WCS.
  When I clear my controller config and reboot, it gets to autoinstall, receives an IP address from DHCP and the option 150 information. It then downloads the file with its MAC address... but no template is in there! I can't connect to my controller until I push a username and password to it, and none of my templates are there, no WLAN, nothing...
  Any quick idea on what you did that I do not do?
  thanks
  Jerome

• GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

  Hello,
  Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
  I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
  User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
     Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
  1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
  2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
  And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
  Thanks in advance,
  Alley
  Edited by: Alley1 on Sep 20, 2011 1:15 AM

  Hi Karell,
     Here is response to your questions:
  I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
  Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
  Can somehow the Risk Owners defined in the RAR componed be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
  Regards,
  Alpesh

• Portal Groups not Importing after Synchronization

  Hi all,
  I am currently running GRC 10 SP 15 and have completed the AC 10 EP Config guide. So far I have managed to complete all steps in the guide including the synchronization. However, when I try to import the roles the nwbc mass role import, I return 0 results. I have check the GRACLCONN table and the portal groups are definitely there. Does anyone know why the Mass Import would be failing?
  Thanks,
  James

  Hi,
  Only ABAP system based Technical roles can be imported via the Mass Import tool without the use of Import sheets. If you are using a import sheet already, just double check your entries. For EP groups, you will have to maintain and upload a sheet manually.
  Ensure that the role type is set to 'GRP' in the sheet and the roles have been synced in via the Repository Object Sync job first.
  Cheers.

• CP-7821 - How to auto provision this phone

  Hello,
  I have a set of 7800 series ip phones. I'm trying to register them on my system. I have already registered various SPA50X phones on my system and I do this by -
  -Powering on the phone and connecting to the same network as my computer
  -Find the Ip address of the phone and type into browser, to locate the web-ui
  -Setup my auto-provision server and "point" the phone to this server
  -The phone checks in and pulls down its configuration file and this provisions the phone in my system and once it checks in with the SIP server, can be used freely
  Can I do this with the 7800 series phones or do i need the "Cisco Call Management" to get these phones working

  This is Video Over IP, please move to a relevant area.

• EBusiness Suite User "Auto-provisioning" and  "Self-Request" Problem

  I have two types of OIM User, Staff and Contingent
  Staff (Role = Full-Time)
  Contingent (Role = Contractor / Role = Consultant)
  Resource Object: eBusiness Suite User
  Here's my RO configuration:
  Auto Pre-populate: true
  Allow Multiple: true
  Self Request Allowed: true
  Allow All: true
  Auto-Launch: true
  EBS Connector, by default has two forms:
  UD_EBS_UO: Object Form
  UD_EBS_USER: Process Form
  I have requirement which will auto-provision eBusiness Suite User resource to Staff users.
  Originally, UD_EBS_OU is the table name used by the RO. For auto-provisioning to work, I have implemented it this way:
  First, I have defined a User Group for Staff and assign an Access Policy to it (for users with Role == Full-Time).
  Then, I have detached Object Form UD_EBS_UO from the RO. This way, when Staff user is created in OIM, it is automatically provisioned with eBusiness Suite User, though it won't have a Resource Form, only a Process Form. Process Form fields are automatically pre-populated with values (via my Pre-populate adapters).
  Now my problem is during Self-Request. Contingent user doesn't get auto-provisioned with EBS RO, but he can self-request for it. Problem is, since I detached the Object Form from the RO, user is not seeing any form during request. And I have a requirement that approver of the request should also be able to view/modify the details of the request form. But that is not possible now that Object Form does not exist for this RO.
  Is it possible that Self-Request and Auto-Provisioning works both ways under the same Resource Object? How do I configure that? Appreciate your quick response and help. :)
  Edited by: user10202544 on Feb 10, 2010 3:27 AM

  Yes I have set permissions to all users for the Object Form.
  It is required for me to have both Self Request and Auto-provisioning work for eBusiness Suite RO.
  During approval, however, the approver needs to see the Object Form (where he can view/modify its values before approving it). That's impossible for me since I detached the Object Form from the Resource Object. I need do to this for auto-provisioning to work.
  It seems that it doesn't work both ways. Any other suggestions?

• Bulk Load and Auto-Provision

  I am wondering if there is an easy way to trigger auto-provisioning of managed resources based on a bulk load. For instance, after importing users through the bulk load utility I want the the Membership rules to be executed, which will assign user to the correct roles and therefore initiate the provisioning process.
  Thanks,
  Pete

  I would suggest a custom scheduled task that updates users with an empty hashmap. Essentially a "touch" function to update a user with the same data which will then trigger the group memberships.
  -Kevin

• Provisioning Allowed and Allow Auto-provisioning YES   Role exists No

  Hello,
  I am unable to select the roles while submitting the user provisioning request.
  The role additional details are set Yes for Provisioning Allowed and Allow Auto-provisioning
  But Role exists is showing No; i have tried updating the roles in many ways, everything is getting updated except this paricular field.
  Could you pls help me ...
  Regards,
  Sumanth

  Hello Sumanth,
  Can you successfully generate roles using the role generation option?
  I have the same issue but I presently have issues with generating single roles ONLY as posted on this thread - "Illegal tcodes" error during the role generation phase of ERM in AC10
  ...so I am thinking it is becuase I can't generate single roles that is why the roles are not displaying. However, I can view the roles in other environments like risk analysis but not at the point of access request provisioning. It tells me no roles are available.
  I sure hope someone will be able to help us out.
  Thanks

• Bea Portal Group and Group selection / um:getPorperty

  Hi,
  I would like to know if it is possible to set the default group
  in which <um:getProperty> looks into when the user does not have
  the requested property set into his profile.
  I noticed that by default it looks into the current group portal.
  However I would like to make it look into a specific sub group
  of the group portal.
  In the same way there are checks to dertermine if a user belongs to
  several portal groups, I would like to extend these checks and include
  sub groups in the tests and selection.
  I saw that the webflow uses GroupFormProcessor and GroupProcessor but
  couldn't find the source code to see what needs to be initialized for
  <um:getProperty> to work correclty.
  I saw the successor attribute in <um:getProfile>, but I would like to
  know if there's a way to avoid specifying it each time... by setting a
  value in the session for instance ?
  Thanks for your help,
  Best Regards,
  Thierry

  Hello Thierry,
  You probably want to set the explicit successor in the session. A
  successor is a group from which a user inherits properties. An explicit
  successor is one that is specified in the getProperty() call underlying the
  <um:getProperty> tag. Just for your information, this is as opposed to an
  implicit successor, which is persisted for the user and is associated with a
  property set. You can use the methods of ProfileWrapper to persist an
  implicit successor for a user for a specific property set.
  The portal framework sets the ProfileWrapper in the session using the
  com.bea.p13n.usermgmt.SessionHelper.putProfileInSession() method. It sets
  the explict successor for this profile to be equal to the group that was
  selected by the user to apply for this portal session when they logged on
  (if they are only a member of 1 group, then they were not prompted for which
  group...the group was simpley set as the explicit successor). The call to
  SessionHelper.putProfileInSession() is done in the PostLoginProcessor in the
  portal security webflow (see the webflow in your EBCC).
  You can override this by using SessionHelper.putProfileInSession()
  yourself or by putting <um:getProfile> into your portal.jsp page.
  <um:getProfile> does the same thing (uses
  SessionHelper.putProfileInSession() to put the ProfileWrapper into the
  session).
  If I were you, I'd put <um:getProfile> with session scope at the top of
  portal.jsp and use the group that you are interested in as the explicit
  successor.
  See the <um:getProfile> docs at
  http://edocs.bea.com/wlp/docs70/jsp/p13njsp.htm#1001358
  "Thierry Bensoussan" <[email protected]> wrote in message
  news:[email protected]...
  Hi,
  I would like to know if it is possible to set the default group
  in which <um:getProperty> looks into when the user does not have
  the requested property set into his profile.
  I noticed that by default it looks into the current group portal.
  However I would like to make it look into a specific sub group
  of the group portal.
  In the same way there are checks to dertermine if a user belongs to
  several portal groups, I would like to extend these checks and include
  sub groups in the tests and selection.
  I saw that the webflow uses GroupFormProcessor and GroupProcessor but
  couldn't find the source code to see what needs to be initialized for
  <um:getProperty> to work correclty.
  I saw the successor attribute in <um:getProfile>, but I would like to
  know if there's a way to avoid specifying it each time... by setting a
  value in the session for instance ?
  Thanks for your help,
  Best Regards,
  Thierry

• Auto provision different groups in oim 11g

  Hi,
  While provisioning a user to AD, I need to add few different different groups based on the user's dept code.
  We have around 250 dept codes and I dont want to create 250 access policies to provision different groups based on the dept code.
  Is there any other way to resovle my issue?
  I am using OIM11g. Please let me know.

  Adding more to Bikash Reply...
  Create a Lookup with codekey as Dept Code and Decode as Groups like
  Dept1->Group1
  Dept1->Group2
  Dept1->Group3
  Write a code which retrieves the groups for corresponding dept code from the lookp, and in the same code call addProcessFormChildData(under tcFormInstanceOperationsIntf) for each group retrieved from lookup. Attach this adpater to new process task and call this task on success of create user task.
  Reference:
  JavaTask to be called after AD User provisioning succeeds
  HTH

• Limitations of Auto-Provisioning through CUP (AE)

  Hi all,
  I am looking for some information on what are all the benefits and limitations of using auto-provisioning over manual provisioning for the backend systems through CUP (AE).
  We are implementing GRC AC 5.3 and it is organization's business decision whether we need the proviosing piece to be automated or not. However, I would like to get your suggestions based on your project experiences esp in a decentralized security administration where security admins are in different geographical locations and have to provision only for their user groups.
  Can we perform all the activities thro' auto-provision similar to a security administrator manually creating a user, assign appropriate user groups etc.,  or is there any limitation?
  Which approach would be better for decentralized administration?
  Appreciate your suggestions..
  Thanks
  Siri

  Hi Alpesh & Williams,
  The user default settings such as date, timezone, decimal etc can be configured through the 'user defaults' and 'user default mapping' . I see the option of assigning user  groups and appropriate parameters too.
  Say the user belong to user group AAA_XXX  and another user belongs to AAA_YYY, where
  AAA - location
  XXX - Dept
  I have configured these (location, dept) as required fields while entering the request in CUP .
  However, during run time how will the correct user group be assigned to the user. Is it through the user default mapping? Where do we maintain all the user group information that is available in the ECC system? Do we have to create user default, user default mapping for each user group??
  The documentation from SAP is not very clear .. Appreciate if you can provide some lights on this area.
  Thanks
  Siri

• Users not provisioned from OIM to OID groups

  I've created an Access policy such that when i create a user with role as consultant he is automatically provisioned to OID resource and OID group( cn=group1,cn=groups,dc=ad,dc=company,dc=com ).
  The user is provisioned to OID users(cn=users) but not to cn=group1,cn=group....
  What could be wrong?
  i have run the OID group lookup tasks to generate freshly added group lookups. Theses lookups are populated in process form when i create an access policy.
  For ex the lookup generated is cn=group1,cn=group,dc=ad,dc=company,dc=com and the decode value is group1
  The user profile and process form are not linked. That means changes in process form are not reflected to user profile. Can this be possible reason for the hassle defined above
  please help me resolve this issue.
  Edited by: Chhavi Saluja on Feb 15, 2010 1:30 AM

  Hi,
  Today I have also done the same thing of auto provisioning of OID through access policy. Only difference is that for selecting "Container DN" and "User group" we have created two user defined fields(lookup)in the user form which will refer to the lookups "Lookup.OID.Organization" and "Lookup.OID.Group" for inputs.These lookups are already reconciled once from OID.
  As far as "container DN" iam successful but while selecting "user group" iam able to select and when i click on "create user" user is getting provisioned to OID into Container DN i specified.But user is not going into that particular group i specified.Iam assuming the reason is that as User Group is a mutivalued attribute and if we observe the process form of group selection we will see the add button. But on user form we dont have the option of child form to ADD/REMOVE the groups.
  Someone pls suggest how to proceed further on this.How do i push the user into particular group/groups from the create user form itself?

• CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

  Hi All,
  I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
  Here is an example of the audit trail log from Change Account:
  Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
  Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
  Auto provisioned for request on 06/28/2010 17:14 
     User Provisioning failed for System(s) : DEV. Error Message :
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
  Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
     Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
  Note: the role names were replaced with "xxxxxxx."
  The system log gives an error, but it is very vague:
  2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
  com.virsa.ae.service.ServiceException
       at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
  Any ideas or suggestions?
  Current software level AC5.3 SP12.
  -Dylan

  Hello Varun,
  Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. You question prompted me to do more testing with very interesting results.
  Results
  New Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  New Account without User Defaults configured:
  User provisioned successfully, no Auto-Provision error.
  Change Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  Change Account without User Defaults configured:
  User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
  In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
  For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
  What about on your side? Am I the only guy using SP12 here?

• ESS Benefits Generic Enrollment - Different behavior backend v/s portal

  We are using the ESS Benefits generic enrollment service for enrollment kicking off the adjustment reasons on IT 0378.
  Here is the configuration set up, trying to simplify to explain the matter. We are on ECC 6.0 with EHP2.
  1.  Configured one plan type in savings category.
  2.  Within this plan type,  configured 2 plans.
  3.  Configured all other related configuration to set up the 2 plans.
  4. Configured the adjustment reason and the appropriate plan type created in step 2.
  5.  Created the required adjustment reason on 378.
  In HRBEN0001 transaction via backendwe can  see the 2 plans configured within the plan type.
  But when Trying to enroll from ESS - only one plan can be seen for that plan type, the other plan is not shown at all.
  OK - eventually, debugged and found this piece of code in FM HR_BEN_ESS_FILL_SELECTION_DISP.  The 2 different plans are there until this piece of code takes one of them Off...
    CODE -
  3.) Reduce entries to one entry per type and period
    delete adjacent duplicates from selection_display_gt
      comparing pernr
                barea
                bpcat
                pltyp
                begda
                sprps.
  CODE -
  This FM is called only for ESS application and not for backed program.
  What we do not understand is why is it behaving differntly on backend v/s portal.
  Any information or experience with this form any one of you will be highly appreciated.
  Thanks.

  Siddharth,
  Thanks for your reply. Yes ESS has its own FMs.  The UI, user exits, BADIs etc are different for backend v/s front end.
  What we are not clear with, is the different behavior in core functionality --  i.e. When the adjustment reason is processed from the backend using HRBEN0001 - The 2 plans within the Plan Type are available for elections. BUT the same adjustment reason for the same penr when processed from  ESS - there is just one plan available for elections.
  It's clear from the code, that it is deleting one plan and this code is within the FM which is called only from ESS.  But we are still not sure why it should behave differently i.e. 2 plans via backend v/s one plan  via ESS. 
  Wanted to see if anyone can share any information if they have a similar benefits set up .. 2 plans within one plan type FOR savings plan category and then having a adjustment reason set up.
  Regards.