Child form for Group Membership OID -OIM 11g

Hi,
Can we configure a custom child form to store OID group membership in OIM 11g? If Yes, what are the configuration changes to be considered.
Thanks in advance

Similar Messages

  • Custom Event Notification (email) for Approval Tasks in OIM 11g

    Hi,
    How to create event notification for approval tasks in OIM 11g. I mean how to send email notification to user who should accept or reject approval task?
    best
    mp
    Edited by: J23 on 2011-05-30 04:08

    Here is the documentation http://download.oracle.com/docs/cd/E21764_01/integration.1111/e10224/bp_notif.htm#SOASE548
    Search for SOA BPEL Email Notifications for more information:
    http://soa-bpel-esb.blogspot.com/2010/01/email-notification-in-bpel.html
    http://download.oracle.com/docs/cd/B31017_01/core.1013/b28764/bpel013.htm
    There are many more search links that can help you out.
    -Kevin

  • Bhold attestation setup if FIM Portal is already used for Group Membership

    Background - We had a FIM 2010 deployment in production deployment. Few months ago, we upgraded it to FIM R2. There are already about 4000 Criteria based Groups and Request Based Groups at FIM portal. FIM portal is used as an authoritative source for group membership.
    Problem Statement - The requirement is to attest the existing and ongoing Request Based group membership of users using BHold User Attestation module. We want to continue FIM portal (not Bhold UI) as the end user interface for requesting the group membership.
    Hence, for metaverse's group object's member attribute, FIM Portal should have higher precedence than Bhold MA.
    From available documentation of Bhold, I understand that BHold is more suitable in cases where FIM Portal is not already the Group Membership deciding system. However, in our already existing deployment, both group membership is given by FIM portal. In fact this should be the case with all the FIM deployments before Bhold's release.
    Please suggest on how to attest the group memberships.
    Mayank Vaish

    I would not expect to have to attest group membership where that membership is controlled programmatically. The idea of Attestation is for a responsible person to attest and confirm that the membership of a given group/role/permission is correct (and remove users who don't need that permission). As long as someone responsible has attested that the rules that govern the automatic group membership are appropriate for the permission controlled by that group, then another round of attestation via BHOLD would seem like overkill.
    However, in the case where membership of FIM groups is managed via FIM's approval mechanism then there may well be a case for BHOLD attestation. It will depend on the business's audit requirements and how well the FIM logs are being maintained, and also the sensitivity/importance of the permission being managed by the group. If it is not possible to prove who approved membership of what group - and to confirm that that membership is still appropriate - then regular attestation may still be required, in which case BHOLD is an easier way of doing it than trying to build your own or do it manually.
    Cheers,
    Dave

  • OID OIM 11g reconciliation

    Hello,
    I am looking in the design console at the OID User Resource Object (11g), and in the previous version for 'Reconcilation Action Rules' we had 'assign to group' for 'No user found' rule condition, however, this no longer seems to exist in 11g.
    Where can this condition and action be found (note: I have tried adding a rule, but still can't see the condition)

    You'll need to identify an AD Recon then. This is from the Reconciliation Insert task. This event is inserted on every creation through a recon. Next, you'll need to identify on the user profile when this happens because you'll need to integrate it into your access policy. I would suggest a user defined field as a checkbox. In your group membership rule that adds the user to a group for OID provisioning, add an AND rule into it that requires the checkbox = 0. When the reconciliation insert happens, trigger a task that updates the UDF on the user profile to make the checkbox = 1. Now when the user is reconciled and the Reconciliation Insert event happens, it will update the User Profile, and the user will no longer qualify for the OID access policy. If you have it configured to revoke if no longer applies, OID will get revoked.
    -Kevin

  • Manually execute a provisioning task for a user in OIM 11g

    Experts,
    In OIM 11g, I would like to execute a resource provisioning task for a user thru OIM admin console.
    In OIM 10g, when we select a resource profile for a user, it used to show the list tasks that are executed. There we can add a new task to run manually there.
    How to do the same in OIM 11g. in OIM 11g, it is not even showing the lists of tasks executed during provisioning.
    Please let me know.

    If you are talking about manually adding the provisioning tasks to a user for a particular resource, then you can go to the resource profile of the user, select the particular resource -> click the 'Resource History' button on the right corner and from there you can manually add the tasks.
    -Bikash

  • OVD/OID group reconciliation in OIM 11g with LDAP sync

    Hi All!
    Is it possible to reconcile OID groups to OIM using LDAP sync? How to achieve such configuration?
    I have OIM with LDAP sync and user and roles provisioning to OVD is working.
    best
    mp

    Hi,
    I want to Integrate OIM and OID. Can you guide me in doing so?. The platform I will use is Windows 2003 Server, OIM version is 9.1. Also please tell me which version of OID i should use.
    Note: I am new to OID and OIM.
    Thanks in advance.
    Regards,
    Kazmi

  • How to make a process form field non updatable in OIM 11G PS1

    Hello all - I have a field in process form, which once filled should not be updated. Could you please let me know how to achieve this?
    Should we create a process task, where in we can say 'updating this field is not possible' ?
    I tried this. But OIM shows the field with updated value but 'Resource History' shows status as Rejected.
    Please help. Thanks
    Manju

    The only way I would see this possible would be through an event handler if you can make it work for this form. On your pre-update, you would need to make sure to always return the original value back to the form so even if changed, it would change it back.
    -Kevin

  • AD Query String for Group Membership

    Hi
    I have found that inbound mail to distribution groups (Ex07) is not being delivered. Running a trace, I am seeing they are failing on LDAP match. I tracked it down to the group query not working. We are using the default query. Running a test, it fails. I think that is the problem. I can mail the group internally just fine.
    Anyone have a good query string that will check for distribution groups? Below is the query being used. Thanks for the help.
    (&(memberOf={g})(proxyAddresses=smtp:{a}))

    Can you go to the LDAP section and provide all the fields that are relevant?
    I'll need the LDAP configuration fields (minus the password of course) and what you're using for the LDAP Accept.
    Well I opened a ticket with support, and it appears that I have them stumped. From what they tell me it isn't the ldap group query that is failing, but rather the ldap accept query failing.
    Sending to the group does work internally so it looks like ldap is good with the proxy address, but ironport is failing on the query.
    Snippet from trace:
    Envelope Recipient Processing
    Envelope Recipient: [email protected]
    LDAP Accept Lookup: Result: failed
    Default Domain Processing: No Change
    Domain Map Processing: No Change
    Recipient Access Table Processing: Behavior: ACCEPT Matched On: [email protected]
    Alias Expansion: No Change

  • Audit query for user history in OIM 11g

    I would like to know if we can come up with a query to get the details of when and by whom a user has been modified over a certain time frame.
    Thank you in advance.
    Edited by: 937937 on Jan 30, 2013 1:00 PM

    You should be able to use the OOTB reports for the User Profile History. Here is the query that is used in the report:
    SELECT DISTINCT UPA_USR.USR_LOGIN AS USERID,
    upa_usr.usr_first_name as FirstName,
    upa_usr.USR_LAST_NAME as CurrentLastName,
    upa_usr.ACT_NAME as Organization,
    upa_usr.USR_MGR_FIRST_NAME as ManagerFirstName,
    upa_usr.USR_MGR_LAST_NAME as ManagerLastName,
    upa_usr.USR_MGR_LOGIN as ManagerUID,
    upa_usr.USR_STATUS as Status,
    upa_usr.USR_EMP_TYPE as EmployeeType,
    upa_usr.create_date as IdentityCreationDate,
    UPA_USR.UPA_USR_EFF_FROM_DATE AS EFFECTIVEFROMDATE,
    UPA_USR.UPA_USR_EFF_FROM_DATE AS EFFECTIVEFROMTIME,
    f1.field_name as UserProfileParameterName,
    f1.field_new_value as UserProfileParameterValue
    FROM UPA_USR LEFT OUTER JOIN UPA_GRP_MEMBERSHIP
    ON upa_usr.upa_usr_key = upa_grp_membership.upa_usr_key,
    upa_fields f1
    WHERE UPA_USR.UPA_USR_KEY = F1.UPA_USR_KEY
    And f1.field_name not like '%Key%'
    And (nvl(:p_varchar_FN, ' ') = ' ' or upper(upa_usr.usr_first_name) like upper(:p_varchar_FN))
    And (nvl(:p_varchar_LN, ' ') = ' ' or upper(upa_usr.usr_last_name) like upper(:p_varchar_LN))
    And (nvl(:p_varchar_UID, ' ') = ' ' or upper(upa_usr.usr_login) like upper(:p_varchar_UID))
    And (nvl(:p_varchar_Org, ' ') = ' ' or upper(upa_usr.act_name) like upper(:p_varchar_Org))
    And (nvl(:p_varchar_GrpN, ' ') = ' ' or upper(upa_grp_membership.ugp_name) like upper(:p_varchar_GrpN))
    And (nvl(:p_varchar_MgrID, ' ') = ' ' or upper(upa_usr.USR_MGR_LOGIN) like upper(:p_varchar_MgrID))
    And (nvl(:p_varchar_Status, ' ') = ' ' or upper(upa_usr.usr_status) like upper(:p_varchar_Status))
    AND (NVL(:P_VARCHAR_EMPTYPE, ' ') = ' ' OR UPPER(UPA_USR.USR_EMP_TYPE) LIKE UPPER(:P_VARCHAR_EMPTYPE))
    AND upa_usr.upa_usr_eff_from_date between :p_date_UDateFrm And :p_date_UDateTo
    AND NVL(upa_grp_membership.upa_grp_eff_from_date,:p_date_GDateTo) <= :p_date_GDateTo
    AND NVL(UPA_GRP_MEMBERSHIP.UPA_GRP_EFF_TO_DATE,:p_date_GDateFrm) >= :p_date_GDateFrm
    Order by upa_usr.usr_login, EffectiveFromDate, EffectiveFromTime
    -Kevin

  • OIM 11g R2 Group Membership

    Hi All,
    In OIM 11g R2, when I try to manually add a user to a group (custom or OOTB), I do not see the "Assign" button active and with the absence of the assign button, I could not assign a new user to the group. But, I can see that the Create Rule option is active.
    Does this mean that the group membership in OIM 11g can only happen through Group membership rule satisfaction?
    Please help.
    Thanks,
    Srini

    You can manually add a user to a role in OIM 11gR2. Open identity console --> Click on Roles --> Search
    You will get all the roles listed. Select the role to which you want to add a member. Assign tab will be visible under the Members panel layout in the bottom frame.
    When you click on assign the request catalog opens with the selected target user and the role. You can change the target user or add another target user.
    Then click on submit.
    If this process is done through sysadmin login then directly the member is assigned to the role
    Else it will create a request and after approval is completed the member will be assigned to the role.

  • OIM Group membership rules

    Hi Friends,
    I want to create groups in oim on the basis of complex rules (it requires some Java coding) but for attaching group membership rule we use Rule Designer and in rule designer we can't use adapter that means no java code.
    What is the solution for this problem?
    One solution could be create entity adapter for group membership and execute it on pre-update.
    Thanks
    Edited by: user10968321 on Oct 28, 2009 7:06 AM

    The entity adapter on the user form in pre or post update mode is the standard way to solve complex membership rules.
    Works well as long as you can accept a slight performance decrease on user updates (including things like password resets). Make sure your code is decently fast.
    Good luck
    /Martin

  • Create Access Policy with OIM API: can't fill child form

    Hi!
    I'm having a problem with creating OIM Access Policy with API. I'm doing the following:
    1. Create a new access policy via AccessPolicyIntf
    2. Add a resource object which will be provisioned to all users who are within policy scope
    3. Get Resource Object (Parent) Form Definition via FormDefinitionIntf
    4. Add data to parent form (AccessPolicyIntf setFormData(FormDefinitionKey))
    5. Now I want to add data to the child form, for that purpose I need to know child form definition key, but I can't get one, because there's no method like 'getChildFormDefinitionKey' in FormDefinitionIntf interface.
    Please, help me to get child form definition key, knowing parent form definition key and version

    See if this code helps:
    import java.util.Hashtable;
    import Thor.API.tcResultSet;
    import Thor.API.tcUtilityFactory;
    import Thor.API.Operations.tcFormInstanceOperationsIntf;
    import Thor.API.Operations.tcUserOperationsIntf;
    import com.thortech.xl.dataaccess.tcDataProvider;

    // Adds one value (e.g. a group name) to the child table of a provisioned resource,
    // unless the value is already present. Returns a status string.
    public String addChildTableValue(long userKey, String group, String objectName, String fieldName, tcDataProvider ioDatabase) {
        log.debug("addChildTableValue() Parameter Variables passed are:" +
            "userKey=[" + userKey + "]" +
            "group=[" + group + "]" +
            "fieldName=[" + fieldName + "]" +
            "objectName=[" + objectName + "]");
        try {
            tcUserOperationsIntf userIntf = (tcUserOperationsIntf) tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcUserOperationsIntf");
            tcFormInstanceOperationsIntf formIntf = (tcFormInstanceOperationsIntf) tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcFormInstanceOperationsIntf");
            boolean roleExists = false;
            // Result set of all objects for the user
            tcResultSet obResultSet = userIntf.getObjects(userKey);
            if (obResultSet.isEmpty()) {
                log.error("User has no provisioned objects");
                return "NO_OBJECTS_EXIST";
            } else {
                for (int ii = 0; ii < obResultSet.getRowCount(); ii++) {
                    obResultSet.goToRow(ii);
                    // Only consider the named resource when it is neither revoked nor still provisioning
                    if ((obResultSet.getStringValue("Objects.Name").equals(objectName)) &&
                        (!(obResultSet.getStringValue("Objects.Object Status.Status").equals("Revoked")) &&
                        !(obResultSet.getStringValue("Objects.Object Status.Status").equals("Provisioning")))) {
                        log.debug("Resource object found: " + objectName);
                        // Process instance key of the object
                        long plProcessInstanceKey = obResultSet.getLongValue("Process Instance.Key");
                        log.debug("Process instance key: " + plProcessInstanceKey);
                        // Form definition key of the parent form
                        long plParentFormDefinitionKey = obResultSet.getLongValue("Process.Process Definition.Process Form Key");
                        log.debug("Parent form definition key: " + plParentFormDefinitionKey);
                        // Form version of the parent form
                        int pnParentFormVersion = formIntf.getProcessFormVersion(plProcessInstanceKey);
                        log.debug("Parent form version: " + pnParentFormVersion);
                        // Result set of child form information
                        tcResultSet childFormResultSet = formIntf.getChildFormDefinition(plParentFormDefinitionKey, pnParentFormVersion);
                        // Child form definition key
                        long plChildFormDefinitionKey = childFormResultSet.getLongValue("Structure Utility.Child Tables.Child Key");
                        String plChildTableName = childFormResultSet.getStringValue("Structure Utility.Table Name");
                        log.debug("Child form definition key: " + plChildFormDefinitionKey);
                        log.debug("Child table name: " + plChildTableName);
                        tcResultSet childFormData = formIntf.getProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey);
                        if (!(childFormData.isEmpty())) {
                            log.debug("Searching child table current values");
                            for (int iii = 0; iii < childFormData.getRowCount(); iii++) {
                                childFormData.goToRow(iii);
                                String fieldValue = childFormData.getStringValue(fieldName);
                                log.debug("Child table entry: " + iii + " | value: " + fieldValue);
                                if (fieldValue.equals(group)) {
                                    roleExists = true;
                                    log.debug("Value already exists in child table");
                                    return "DUPLICATE_VALUE";
                                }
                            }
                        }
                        log.debug("Value not found in child table");
                        if (!roleExists) {
                            // Add the new row to the child table
                            Hashtable<String, String> childFormHash = new Hashtable<String, String>();
                            childFormHash.put(fieldName, group);
                            formIntf.addProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey, childFormHash);
                            log.debug("Value successfully added to table");
                            return "VALUE_ADDED";
                        }
                    }
                }
            }
            log.debug("Provisioned resource " + objectName + " object not found");
            return "OBJECT_NOT_FOUND";
        } catch (Exception ex) {
            ex.printStackTrace();
            return "ERROR";
        }
    }

  • How to Create self Registration form in OIM 11g r1 11.1.1.5

    Hi,
    As per my client requirement we have to create user self registration form.
    We are using OIM 11g r1 11.1.1.5
    Can some one point me to the link for same.

    reply is in this id
    ADF Searchform with find and execute buttons in JDev 11.1.1.0.1 studio edi.

  • OIM 11g R2 : AD Group Management

    Hi,
    I'm looking to implement a POC for creation and deletion of Active Directory groups (Group Management) from OIM 11g R2. I was going through AD connector documentation. But it doesn't seem to be evident in the documentation on how to achieve the functionality. Can anyone throw some light on how to implement this? Do we need any customizations?
    Thanks,
    Raj

  • OIM 11g support for Temporary roles with expiration date

    Dear All,
    Is there a support provided for temporary roles in OIM 11g?
    If not, what is the recommendation as for implementation?
    Kind regards
    Maria Adair

    I'm also interested if someone has any recommendation as for how to implement such a feature. Anyone has any ideas?
