Create OID Group through OIM

Hi,
I have a requirement: when I create a group in OIM, OID should create a corresponding group as well. I have run out of ideas on how to do it. Can anyone give some guidance on this?
Thanks in advance
Edited by: crazyJew on 1/07/2010 22:44

Yes you need to provide an organization key to the group provisioning api - tcOrganizationOperationsIntf -> provisionObject.
Once you provision the resource OID Group, you can get the process instance key and set the data in the process form using tcFormInstanceOperationsIntf -> setProcessFormData. setProcessFormData takes the data which needs to be set for the OID group.
Hope this helps,
Sagar

Similar Messages

  • Not able to create Organizations & Groups through OIM in OID.

    Hi,
    I am trying to create organizations and groups in OID through OIM. The steps are:
    1. Organizations-->create-->name=test, parentorg=null,type=company-->create organization.
    2. Drop down-->resource profile-->provision new resource-->OID organisation unit-->continue-->IT Serve=OID IT Resource-->continue
    3. The create ou task is getting rejected with error as "Response: Invalid Naming Error
    Response Description: Naming exception encountered "
    Please help.

    See the process form what it displayed. I think values are not getting populated properly in process form.

  • Migrating OID groups to OIM

    We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    Part of our existing system uses OID (Oracle Internet Directory). All users have an entry in OID. Some of our systems use OID for authentication.
    We also use OID to hold users' entitlements/privileges that control access to our applications. We use OID groups (represented by entries based on groupOfUniqueNames and orclGroup objects) to do this. For example we might have an application called 'Finance' with three levels of access represented by OID groups e.g. 'finance_enquiry', 'finance_updater', 'finance_superuser'. Those groups would all belong to a parent group called 'finance_application'. To access the application the user needs to be a member of 'finance_application' group or one of its child groups. Access to features of the application are controlled by membership of the 3 child groups. We have an application that maintains groups, group membership, and user entitlements in OID.
    As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
    My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
    I've looked at the OIM Connector for OID documentation but it doesn't describe typical scenarios. It assumes that you know what you are doing.
    We also want to give users the ability to request entitlements, and to provide an approval process. So we could have a user who approves/rejects entitlement requests for access to the applications they control. But that's another topic.
    Cheers,
    Eric

    PeachEye wrote:
    > We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    > As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.

    You're about to find out otherwise.

    > My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?

    You'll need a custom connector and lots of OIM tweaks. Your groups will stay in OID, OIM will replace the current application you use to maintain them. That's one way of doing it, no impact to OID schema is the benefit of this way, there are other ways.

  • Unlocking OID User Through OIM

    Hi all,
    I am testing an OID User Process task in OIM which can be run on a user's OIM account and unlock a locked user in OID
    However, I am getting the following error after executing the task:
    ERROR 11:54:51,375, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - ERROR in OID:com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:modifyAttributesReplace(S,A) NamingExceptionUnable to add attributes of the object
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - [LDAP: error code 53 - Account Policy Error :9051: GSL_ACCOUNTUNLOCK_EXCP : Only Modify-add allowed on orclpwdaccountunlock attribute. Modify-delete and Modify-replace are not allowed.
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - ERROR in com.thortech.xl.integration.OID.tcUtilOIDUserOperations:modifyUser(S,S,S,S) NamingExceptionError while connecting to target
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - com.thortech.xl.integration.OID.util.tcUtilLDAPOperationsNamingException[LDAP: error code 53 - Account Policy Error :9051: GSL_ACCOUNTUNLOCK_EXCP : Only Modify-add allowed on orclpwdaccountunlock attribute. Modify-delete and Modify-replace are not allowed.
    ERROR 11:54:51,378, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,378, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,378, RMICallHandler-113 XL_INTG.OID - com.thortech.xl.integration.OID.util.tcUtilLDAPOperationsNamingException[LDAP: error code 53 - Account Policy Error :9051: GSL_ACCOUNTUNLOCK_EXCP : Only Modify-add allowed on orclpwdaccountunlock attribute. Modify-delete and Modify-replace are not allowed.
    ERROR 11:54:51,378, RMICallHandler-113 XL_INTG.OID - ====================================================
    DEBUG 11:54:51,378, RMICallHandler-113 XL_INTG.OID - com.thortech.xl.integration.OID.tcUtilOIDUserOperations:modifyUser(S,S,S,S) Returning with code: INVALID_NAMING_ERROR
    I am using the adapter adpOIDMODIFYUSER to update the orclpwdaccountunlock attribute to 1.
    Not sure if this is a correct method. Any ideas would be appreciated :)

    Bbagaria: OIDDAS is not enabled in our environment. However, I can unlock the user in OID using ldapmodify
    ldapmodify -p 636 -h **** -D "cn=orcladmin" -w *** -v -f /home/oracle/unlock.ldif
    dn: cn=JENZO,ou=***,dc=***,dc=***,dc=***
    changetype: modify
    add: orclpwdaccountunlock
    orclpwdaccountunlock: 1
    Rajiv: I did try that. Same results unfortunately.

  • Issue in creation of group in oim database through sql query.

    Hi guys,
    I am trying to create a group in the OIM database through a SQL query:
    insert into ugp(ugp_key,ugp_name,ugp_create,ugp_update,ugp_createby,ugp_updateby) values(786,'dbrole','09-jul-12','09-jul-12',1,1);
    It is inserting the group in the ugp table but it is not showing in the admin console.
    After that I also tried with this query:
    insert into gpp(ugp_key,gpp_ugp_key,gpp_write,gpp_delete,gpp_create,gpp_createby,gpp_update,gpp_updateby) values(786,1,1,1,'09-jul-12',1,'09-jul-12',1);
    But still no use.
    I also tried to assign a user to the group through a query:
    insert into usg(ugp_key,usr_key,usg_priority,usg_create,usg_update,usg_createby,usg_updateby) values(4,81,1,'09-jul-12','09-jul-12',1,1);
    But still the same problem. It is inserting in the DB, but not listing in the admin console.
    thanks,
    hanuman.

    Hanuman Thota wrote:
    > hi vladimir,
    > i didn't find this 'ugp_seq'. is this a table or column? where is it?

    It is a sequence.
    See here for details on oracle sequences:
    http://www.techonthenet.com/oracle/sequences.php
    Most of the OIM database schema is created with the following script, located in the RCU distribution:
    $RCU_HOME/rcu/integration/oim/sql/xell.sql
    there you'll find plenty of sequence creation directives like:
    create sequence UGP_SEQ
    increment by 1
    start with 1
    cache 20
    to create a sequence, and
    INSERT INTO UGP (UGP_KEY, UGP_NAME, UGP_UPDATEBY, UGP_UPDATE, UGP_CREATEBY, UGP_CREATE,UGP_ROWVER, UGP_DATA_LEVEL, UGP_ROLE_CATEGORY_KEY, UGP_ROLE_OWNER_KEY, UGP_DISPLAY_NAME, UGP_ROLENAME, UGP_DESCRIPTION, UGP_NAMESPACE)
    VALUES (ugp_seq.nextval,'SYSTEM ADMINISTRATORS', sysadmUsrKey , SYSDATE,sysadmUsrKey , SYSDATE, hextoraw('0000000000000000'), 1, roleCategoryKey, sysadmUsrKey, 'SYSTEM ADMINISTRATORS', 'SYSTEM ADMINISTRATORS', 'System Administrator role for OIM', 'Default');
    as a sequence usage example.
    Regards,
    Vladimir

  • OVD/OID group reconciliation in OIM 11g with LDAP sync

    Hi All!
    Is it possible to reconcile OID groups to OIM using LDAP sync? How to achieve such configuration?
    I have OIM with LDAP sync, and user and role provisioning to OVD is working.
    best
    mp

    Hi,
    I want to integrate OIM and OID. Can you guide me in doing so? The platform I will use is Windows 2003 Server, OIM version is 9.1. Also please tell me which version of OID I should use.
    Note: I am new to OID and OIM.
    Thanks in advance.
    Regards,
    Kazmi

  • OIM-OID Connector: OID Group Recon Task and organizations

    Hi,
    I'm evaluating OIM and its OID Connector.
    We have groups in our existing OID. We thought that we could use the OID Connector OID Group Recon Task to import those groups into OIM and make them Groups in OIM.
    However, when we run the task, it appears to import our groups from OID as organizations, not as groups. It's not clear to me from the OID Connector documentation what exactly the OID Group Recon task is supposed to do. That's why we assumed it was an OOTB method for reconciling OID groups into OIM groups.
    What are we doing wrong? Why do we end up with our OID Groups becoming OIM Organizations after running the task?
    We are using version 9.4.11 of the OID Connector.
    Also, a side issue: how can we delete unwanted organizations from OIM? There's a delete option but it just seems to mark the organizations as deleted but they are still there.
    Thanks
    Eric
    Edited by: PeachEye on 17/03/2010 11:49

    Hi,
    I am also facing a similar issue. I want to reconcile OID groups into the OIM User Groups menu item. Please suggest how to proceed.
    I ran the scheduled task OID Group Recon Task, but it throws this error:
    ERROR,12 Mar 2010 09:16:44,265,[XL_INTG.OID],OID:tcTskOIDGrouporRoleReconTask:performReconciliation():com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:NamingException :Unable to search LDAP. Check the following values and try again: Base Search detail: cn=abc,ou=Q System1,dc=xoserve-apps,dc=com, filter expression is (&(objectClass=groupOfUniqueNames)(modifytimestamp>=19000101010001Z)), Attributes : DN, modifytimestamp, Organization Name, orclguid, cn,]
    ERROR,12 Mar 2010 09:16:44,281,[XL_INTG.OID],===================================
    I want to bring OID groups into OIM so that I can manage those OID groups from OIM. Is there any other way to do this? Do I have to make changes in the OID object class or in the OID field mappings? I have not made any changes in Lookup OID configuration or LookUp Field map parameters.
    Please help.

  • How to create Dimension group in ATG-endeca ecommerce application

    We have requirement where we have to specify dimensions and their schema from BCC in ATG. Now the problem is we want to dimension groups and we don't see anywhere in documents to create it. Since this dimensions are created through FCM so we are not able to see in /config/pipeline directory but we see only in processing directory. So we don't see any means to create dimension group through dev studio too. Please tell us how we can do it.

    we have to do it through EP interface through BP TMS.
    1. connect EP to SAP system
    2. Configure all the iviews of TMS business package so it can communicate with SAP system (change only SAP system name for all iviews)
    3. Assign the roles to user of EP
    4. run application using TMS

  • How to create OID attributes from command line in unix system

    Hi,
    I have to create OID attributes through ldif files in unix system. I dont know how to run it in unix system under which folder. I already have ldif files for creating OID attributes. Please help.

    Hi,
    Under the /your_ODI_HOME/agent/bin folder.
    Execute this:
    sh startscen.sh REFRESH_ID 001 GLOBAL 5 -NAME=agent_ODI
    REFRESH_ID=Your Scenario name
    001:Version
    GLOBAL:Context name
    5=Log Level
    agent_ODI=Your agent name
    Regards

  • Create Response groups multiple reponse groups using CSV file

    Hi Champs,
    We have good amount of response groups has to be created, I try to write the script but failed. Can any one help me to create Response groups through script.
    In below script agents should be taken from CSV file.
    Import-Module Lync
    $serviceId="service:"+(Get-CSService | ?{$_.Applications -like "*RGS*"}).ServiceId;
    $ag = New-CsRgsAgentGroup -Name "agent group" -Parent $serviceId;
    $ag.Description = "Contain the agents";
    $ag.ParticipationPolicy = "Formal"
    $ag.AgentAlertTime = "20"
    $ag.AgentsByUri.Add("sip:[email protected]")
    $ag.AgentsByUri.Add("sip:[email protected]")
    $ag.AgentsByUri.Add("sip:[email protected]")
    Set-CsRgsAgentGroup $ag
    Regards
    Vijendhar

    You also need to create queue and workflow. Please check how to create Response Group using Lync Server Management Shell at
    http://blogs.technet.com/b/csps/archive/2010/09/15/rgscreateresponsegroup.aspx.
    Lisa Zheng
    TechNet Community Support

  • OIM-OID Provisioning - OID Group PrePopulate Approach :

    Hi,
    I am working on OID Connector 9.0.1.14 with OIM 11.1.1.5.
    I have reconciled all the Roles and Groups from OID to OIM and can successfully provision users to the OID along with membership to these specific Roles and Groups.
    I want to prepopulate the OID Group based on certain attribute from the OIM User form. My Approach so far is :
    1) Created an Entity Adapter with a variable : say Org and GroupName.
    2) Set the Logic as if Org = XYZ (+XYZ does exist on OIM+) set GroupName as = "OID Group 1" else set GroupName as = "OID Group 2"
    3) Attached this adapter to the "OID User Group" form on the "Data Object Manager" at the pre-insert stage.
    4) Mapped the Adapter variable as :
    a) Org Maps to "Organization Definition" with the qualifier "Organization Name"
    b) GroupName maps to the "Entity Field" with the qualifier "UD_OID_GRP_GROUP_NAME"
    However, nothing seems to happen when I create/modify a user with Organization Name as XYZ and manually provision the OID Resource. I can see the form but nothing is populated in the Group field. Upon completing the request, I get the user provisioned to OID but without any Group information.
    Is my approach right ? Am I missing something ?

    Here is what I have done for a client. My requirement was for a given department, a user must have a list of groups provisioned to them. So here is what i've done:
    1. Create a lookup that has Code Key = Department, Decode = CN of the groups in a delimited format.
    2. Create a provisioning task that will look at the department code from the user form, reference the lookup and find the decode values. Split them based on a delimiter. Then using each value, look up the code key value from the real lookup that contains the full distinguished name of the group in the OID Group lookup. I even appended the IT Resource Key and ~ so that my search would be Decode or Code = "IT Resource Name~CN=<CN VALUE>%". This would return only the single group code key value. And then I add it to the child table. Repeat this for all the values in the delimited field.
    3. Create a provisioning task that removes the values from the child table based on the delimited value. You'll need to search through the existing child table values.
    Once you have the 2 tasks, you'll want to add a value to your Lookup.USR_PROCESS_TRIGGERS that is your group determining field. Create your task name in this lookup. On your provisioning workflow, for the Adding of the groups task, make this unconditional, and have a preceding task of the Create User. Give it the name from your Lookup.USR_PROCESS_TRIGGERS and append " - Add Groups" to the task name. Create another task called the same, but append " - Delete Groups" to the task name. On the Add Groups task, make the preceding task the Delete groups. When you map your inputs to the adapters, on the delete, select the old value check box from the User Form so that you get the old value. Now, when the value changes on the user form, it will first remove the old groups, then add the new ones. All this will be done using the child table APIs, so that the existing Insert and Delete task triggers for your child table will run.
    -Kevin
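
    The lookup resolution and add/delete planning described in the reply above, as an added example (not Kevin's code and not part of the OID connector). It models both lookups as in-memory maps with constructed sample data and makes no OIM API calls; the class, method and map names and the "|" delimiter are hypothetical. It goes slightly beyond the reply in two ways: the prefix match ends at the RDN comma so that one CN cannot match a longer CN that starts with it, and groups shared by the old and new department are kept rather than deleted and re-added.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class DepartmentGroupPlan {

    // Constructed sample data. Lookup 1: department -> delimited group CNs.
    static final Map<String, String> DEPT_GROUPS = new LinkedHashMap<>();
    // Constructed stand-in for the reconciled OID group lookup: code key -> decode.
    static final Map<String, String> OID_GROUP_LOOKUP = new LinkedHashMap<>();
    static {
        DEPT_GROUPS.put("Finance", "finance|finance_enquiry");
        DEPT_GROUPS.put("Audit", "finance_enquiry|audit");
        String base = ",cn=groups,dc=example,dc=com";
        for (String cn : new String[] {"finance", "finance_enquiry", "audit"}) {
            OID_GROUP_LOOKUP.put("OID IT Resource~cn=" + cn + base, cn);
        }
    }

    /** Resolve one CN to exactly one lookup code key, or fail closed. */
    static String resolveCodeKey(String itResource, String cn) {
        // A bare "cn=finance%" pattern would also match cn=finance_enquiry,
        // so the prefix includes the comma that ends the RDN.
        String prefix = (itResource + "~cn=" + cn + ",").toLowerCase(Locale.ROOT);
        List<String> hits = new ArrayList<>();
        for (String codeKey : OID_GROUP_LOOKUP.keySet()) {
            if (codeKey.toLowerCase(Locale.ROOT).startsWith(prefix)) {
                hits.add(codeKey);
            }
        }
        if (hits.size() != 1) {
            throw new IllegalStateException(
                "CN '" + cn + "' matched " + hits.size() + " lookup entries");
        }
        return hits.get(0);
    }

    /** All group code keys a department is entitled to. */
    static Set<String> groupsFor(String itResource, String department) {
        Set<String> keys = new LinkedHashSet<>();
        String decode = DEPT_GROUPS.get(department);
        if (decode == null) {
            return keys; // unknown or empty department: no groups
        }
        for (String cn : decode.split("\\|")) {
            if (!cn.trim().isEmpty()) {
                keys.add(resolveCodeKey(itResource, cn.trim()));
            }
        }
        return keys;
    }

    /** Returns [rowsToDelete, rowsToAdd] for a department change. */
    static List<Set<String>> plan(String itResource, String oldDept,
                                  String newDept, Set<String> childRows) {
        Set<String> wanted = groupsFor(itResource, newDept);
        Set<String> delete = new LinkedHashSet<>(groupsFor(itResource, oldDept));
        delete.retainAll(childRows); // only rows that exist in the child table
        delete.removeAll(wanted);    // keep groups both departments share
        Set<String> add = new LinkedHashSet<>(wanted);
        add.removeAll(childRows);    // skip rows that are already present
        List<Set<String>> result = new ArrayList<>();
        result.add(delete);
        result.add(add);
        return result;
    }

    public static void main(String[] args) {
        String it = "OID IT Resource";
        Set<String> rows = new LinkedHashSet<>(groupsFor(it, "Finance"));
        // A manually granted group that no department rule owns stays untouched.
        rows.add(it + "~cn=manual,cn=groups,dc=example,dc=com");
        List<Set<String>> p = plan(it, "Finance", "Audit", rows);
        System.out.println("delete: " + p.get(0));
        System.out.println("add:    " + p.get(1));
    }
}
```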

  • Users not provisioned from OIM to OID groups

    I've created an Access policy such that when i create a user with role as consultant he is automatically provisioned to OID resource and OID group( cn=group1,cn=groups,dc=ad,dc=company,dc=com ).
    The user is provisioned to OID users(cn=users) but not to cn=group1,cn=group....
    What could be wrong?
    I have run the OID group lookup tasks to generate freshly added group lookups. These lookups are populated in the process form when I create an access policy.
    For ex the lookup generated is cn=group1,cn=group,dc=ad,dc=company,dc=com and the decode value is group1
    The user profile and process form are not linked. That means changes in process form are not reflected to user profile. Can this be possible reason for the hassle defined above
    please help me resolve this issue.
    Edited by: Chhavi Saluja on Feb 15, 2010 1:30 AM

    Hi,
    Today I have also done the same thing of auto provisioning of OID through access policy. The only difference is that for selecting "Container DN" and "User group" we have created two user defined fields (lookup) in the user form which will refer to the lookups "Lookup.OID.Organization" and "Lookup.OID.Group" for inputs. These lookups are already reconciled once from OID.
    As far as "container DN" I am successful, but while selecting "user group" I am able to select, and when I click on "create user" the user is getting provisioned to OID into the Container DN I specified. But the user is not going into the particular group I specified. I am assuming the reason is that User Group is a multivalued attribute, and if we observe the process form of group selection we will see the add button. But on the user form we don't have the option of a child form to ADD/REMOVE the groups.
    Someone please suggest how to proceed further on this. How do I push the user into a particular group/groups from the create user form itself?

  • Cannot create a group with no members through DAS

    I'm using OID 10.1.2.0.2.
    It seems that the DAS Self Service Console cannot work with groups with no members:
    - When creating a group, it always assigns orcladmin as a member.
    - When deleting the last member from a group, an error is shown ("Require at least one user or group member").
    - If you create an empty group via other means (e.g. the oidadmin tool), the group will not be visible in the "role assignment" section when creating a new user (even though we enabled that group for role assignment in the "user entry" configuration). After adding one member through the "edit group" page, the role shows up in the role assignment section.
    I have a couple of questions regarding this:
    1) Is this limitation (group must have at least one member) an ldap or OID limitation, or is it only a DAS or even "self service console" limitation?
    2) Why is this limitation there?
    3) Is there a way to work around this, i.e. make self service console be able to handle empty groups?
    Any help would be greatly appreciated.
    Regards,
    Johan

    I do not agree that a group owner should be a member of that group. For example, I have a group "admins" and a group "analysts". The "admins" group is owner of the "analysts" group, since the users in the "admins" group must be able to create users and assign them to the "analysts" group. However, the "admins" group is not member of the "analysts" group, because I do not want the admins to act as analysts in my application. Ownership of a group (being able to manage it) and membership of a group are two different things. Besides, I also do not understand why the OIDDAS makes the orcladmin user a member of every group that you create there.
    Of course, eventually I will have members in my group. But why is it a problem that there are initially no members of a group? I see no reason at all why this would be a problem.
    The reason why I ask this is that creating an empty group (initially) is a requirement of my setup process. I am trying to release a clean setup script (with an ldif file) out of development, that our operational department can use to set things up. I want my ldif file to prepare all the necessary groups and owners, but not to create members in those groups (that's the task of the operational people).
    However, as soon as I have these empty groups in place, the OIDDAS starts to act strangely (namely, the groups are not visible in the "role assignment" section when creating a user, until there is at least one member in the groups). That's when I found out that the OIDDAS actually does not like having empty groups (error when creating group without members, error when removing last member, ...).
    If anyone knows, can you give me one good reason why the OIDDAS does not allow empty groups (or making groups empty)? As far as I can see, the OID/LDAP itself does not have a problem with this (you can create an empty group without any problem via the oidadmin application, or via import of an ldif file).
    Thanks,
    Johan

  • Request OID group access in OIM

    Hi All,
    I have OIM (11.1.1.5.2) and the OID Connector (9.0.4.14) installed. Is it possible for a user to request access to a specific group in OID using the OIM Self Service Console?
    Regards,
    user10233157

    Yes, This is possible. You need to create request dataset with Group details and import it to MDS.
    Sample Dataset for AD Resource is
    <?xml version="1.0" encoding="UTF-8"?>
    <request-data-set xmlns="http://www.oracle.com/schema/oim/request" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/request" name="ModifyResourceAD User" entity="AD User" operation="MODIFYRESOURCE">
      <AttributeReference name="City" attr-ref="City" available-in-bulk="true" type="String" length="20" widget="text"/>
      <AttributeReference name="Pager" attr-ref="Pager" available-in-bulk="true" type="String" length="20" widget="text"/>
      <AttributeReference name="Group" attr-ref="UD_ADUSRC" available-in-bulk="true" type="String" length="500" widget="text">
        <AttributeReference name="Group Name" attr-ref="Group Name" available-in-bulk="true" type="String" length="500" widget="lookup" lookup-code="Lookup.ADReconciliation.GroupLookup" entitlement="true">
        </AttributeReference>
      </AttributeReference>
    </request-data-set>
    Then in OIM Self Service console select Self Modify Provisioned Resource request type and you will see the OID Groups in the list of available groups to request.

  • OIM-OID! provisioning users to OID groups-QUICK HELP NEEDED

    hi,
    I've installed OIM connected to OID.
    I've been assigned some tasks:
    1) Creating an access policy such that when a user is created in OIM, he is provisioned to two groups in OID, i.e. in cn=users and cn=employees (where cn=employees is the group I create under cn=Groups,dc=ad,dc=company,dc=com)
    2)Creating an access policy such that when a user is created in OIM, he is provisioned to two additional groups in OID, say I've created two custom groups in OIM and attached membership rules to them. Now when i create a user satisfying the two membership rule,he is assigned to those two OIM groups and provisioned to cn=users,dc=ad,dc=company,dc=com and cn=group1,cn=Groups,dc=ad,dc=company,dc=com and cn=group2,dc=ad,dc=company,dc=com.
    Also i want to populate those OID groups into a child table and create their lookups in Process form
    Please help me materialise and understand these concepts.
    The OID Lookup Recon task for group is running fine, lookup.oid.group is populated with values.
    how those groups can be populated in process form child table(OID user group table).
    Edited by: Chhavi Saluja on Feb 12, 2010 12:51 AM

    As mentioned in my other post you can put these groups in access policy form and all the users assigned by this policy will get these groups. Any issue revert back.
