Create or link a resource-account

Hi all,
I create idm-users based on an hr-system, but don't assign them roles or resources during creation. Later, roles are assigned to those accounts which can imply resources.
To keep it simple, there is a role "member in active directory" and when this role is assigned, a distinguished name should be constructed and the resource account should be created.
This is simple and works. :-)
However, this process is slow and some admins just can't wait and they manually create an account in our active directory. They follow the same naming conventions, so when a role is assigned to the idm-account, SIM tries to create an account in the AD, finds one and links it. This is exactly what I want to happen.
But: SIM assigns default values for the resource account, e.g. default group memberships. Currently I can't detect that there are already values (since according to SIM the account doesn't exist yet) and customised group memberships are overwritten by SIM.
That's BAD.
Any suggestions how to handle this setup would be greatly appreciated.
Yours,
Patrick.

Hi,
I don't mean to be rude or anything; but, it might be a good idea to tell those "admins" directly NOT to create accounts themselves!
IDM's purpose, after all, is to manage situations like these. IDM is, and should be, the only "governing body";
IDM is a complicated enough software, without having to create more problems for it. Which is exactly what your "admins" are doing by side-stepping IDM and creating accounts themselves in the Resource.

Similar Messages

  • I'm being asked for apple id password to an email address I have not created or linked to my account...

    When I try to download apps or update apps on my iphone I'm being asked for a password to an apple id (email address) that I have not created or linked to my account. I've tried re-setting my apple id - but same message keeps appearing - so can not access itunes app store or update apps I've already downloaded.
    Has any one else experienced this? Or any ideas how to remove this email address?

    You cannot merge accounts.
    You need to sign into the old account on your computer.
    iTunes Store: Retrieving and changing passwords (Apple ID)

  • Linking Multiple Resource Accounts via Active Sync

    Ok guys/gals the scenario is... We have one idm account linked to accounts on one resource, and we want to be able to link them up via Active Sync...We don't care about the attributes, just want to make sure that if a another account for a user is created outside of IDM we can grab it and link it. So far, I've seen that the active sync process will see the new account, correlate it to a user, but it will not link the user...And outside of doing a custom Process Rule workflow, I'm not seeing any other way to get the accounts to link via active sync. Is what we are trying to do a reconciliation thing only? Have I missed something?

    Yes. You can add a field to your ActiveSync form to do this: Here is an example with AD:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <Configuration name="Sample ActiveDirectory ActiveSync Form" wstype="UserForm">
         <Extension>
              <Form name="Sample ActiveDirectory ActiveSync Form">
                   <Field name="processType">
                        <Default>
                             <s>NONE</s>
                        </Default>
                   </Field>
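                   <!-- For UPDATE feed events: look for an account on the ActiveSync resource that is already linked to this user with the same objectGUID. None found means LINK, otherwise UPDATE. -->
                   <Field name="dispatcher">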
                        <Expansion>
                             <cond>
                                  <eq>
                                       <upcase>
                                            <ref>feedOp</ref>
                                       </upcase>
                                       <s>UPDATE</s>
                                  </eq>
                                  <block>
                                       <set name="update.selectAll">
                                            <s>false</s>
                                       </set>
                                       <dolist name="resObj">
                                            <ref>waveset.accounts</ref>
                                            <block>
                                                 <set name="resName">
                                                      <get>
                                                           <split>
                                                                <ref>resObj</ref>
                                                                <s>:</s>
                                                           </split>
                                                           <i>1</i>
                                                      </get>
                                                 </set>
                                                 <set>
                                                      <concat>
                                                           <s>update.accounts[</s>
                                                           <ref>resName</ref>
                                                           <s>].selected</s>
                                                      </concat>
                                                      <s>false</s>
                                                 </set>
                                                 <cond>
                                                      <match>
                                                           <ref>resName</ref>
                                                           <ref>activeSync.resourceName</ref>
                                                      </match>
                                                      <cond>
                                                           <eq>
                                                                <ref>
                                                                     <concat>
                                                                          <s>waveset.accounts[</s>
                                                                          <ref>resName</ref>
                                                                          <s>].accountGUID</s>
                                                                     </concat>
                                                                </ref>
                                                                <ref>activeSync.objectGUID</ref>
                                                           </eq>
                                                           <set name="resourceName">
                                                                <ref>resName</ref>
                                                           </set>
                                                      </cond>
                                                 </cond>
                                            </block>
                                       </dolist>
                                       <cond>
                                            <isnull>
                                                 <ref>resourceName</ref>
                                            </isnull>
                                            <set name="processType">
                                                 <s>LINK</s>
                                            </set>
                                            <set name="processType">
                                                 <s>UPDATE</s>
                                            </set>
                                       </cond>
                                  </block>
                             </cond>
                        </Expansion>
                   </Field>
                   <!-- Cancel the event unless processType is LINK (this field is disabled for LINK). -->
                   <Field name="IAPI.cancel">
                        <Expansion>
                             <s>true</s>
                        </Expansion>
                        <Disable>
                             <eq>
                                  <ref>processType</ref>
                                  <s>LINK</s>
                             </eq>
                        </Disable>
                   </Field>
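                   <!-- Runs only for LINK: add the resource to the user and record accountId, sAMAccountName and accountGUID from the feed. -->
                   <Field name="doLinking">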
                        <Expansion>
                             <block>
                                  <append name="waveset.resources">
                                       <ref>activeSync.resourceName</ref>
                                  </append>
                                  <set>
                                       <concat>
                                            <s>waveset.accounts[</s>
                                            <ref>activeSync.resourceName</ref>
                                            <s>].accountId</s>
                                       </concat>
                                       <ref>activeSync.identity</ref>
                                  </set>
                                  <set>
                                       <concat>
                                            <s>waveset.accounts[</s>
                                            <ref>activeSync.resourceName</ref>
                                            <s>].sAMAccountName</s>
                                       </concat>
                                       <ref>
                                            <s>activeSync.sAMAccountName</s>
                                       </ref>
                                  </set>
                                  <set>
                                       <concat>
                                            <s>waveset.accounts[</s>
                                            <ref>activeSync.resourceName</ref>
                                            <s>].accountGUID</s>
                                       </concat>
                                       <ref>activeSync.objectGUID</ref>
                                  </set>
                             </block>
                        </Expansion>
                        <Disable>
                             <neq>
                                  <ref>processType</ref>
                                  <s>LINK</s>
                             </neq>
                        </Disable>
                   </Field>
              </Form>
         </Extension>
         <MemberObjectGroups>
              <ObjectRef type="ObjectGroup" id="#ID#Top" name="Top"/>
         </MemberObjectGroups>
    </Configuration>

  • ActiveSync - link resource account and password push

    Is it possible to push a password from an IDM account to a resource account at the same time as linking the two accounts, during ActiveSync?
    Scenario: I have an account in IDM and an account on a resource. I use ActiveSync to "discover" the account on the resource and link the IDM account with the resource account. At the same time I would like to push the IDM password to the resource. Thereby, synchronizing the IDM password with the resource password.
    I have unsuccessfully tried to accomplish this in many ways:
    1) Within the Admin GUI, I've edited an account and when I assign the resource to the account the password in IDM does not push to the resource.
    2) Within ActiveSync, I have used global.password, password.password, password.confirmPassword, password.targets, password.accounts[resource].selected
    NOTES:
    - when the account exists on the resource and IDM links to the resource account, the password does not push
    - when the account does not exist on the resource and IDM is required to create the resource account, the password is pushed
    At this point my guess is that I will have to kick off a workflow to trigger the password push as the ActiveSync cannot handle linking and subsequently updating an attribute on that resource at the same time. Any ideas would be helpful. Thank you in advance.

    I have been able to successfully push the password to the resource both during activesync and within the Admin console. However, I have found some inconsistencies with IDM that might need attention or an explanation.
    First off, the key to pushing the password from IDM to the resource in the above scenario is....within the Resource Schema don't map IDM user attribute "password" but map an attribute such as "resource_password" to the password field on the resource. When I did this, I was able to provision the resource to the user in IDM and push the password to the existing resource account.
    Secondly, there is an inconsistency with IDM and how it treats password and the other fields. I mapped lastname to a field on the resource. From the admin console, I edited the user and the only change I made was to provision the resource to the user (Resources tab). After saving this user, the lastname field from IDM was updated on the resource.
    Why doesn't this work with password?

  • Linking resource accounts to access policy from a database

    As part of the seeding process, we assign roles to the users and then run the recon to assign resources to the user. We have an access policy which is supposed to assign AD resource when a User has an Employee role. After we seed all the existing users, we enable the policy to assign AD for the new users, but since we recon the users instead of access policy, it doesn't link the access policy to resource account.
    How can I link those two in the database so next time when someone is removed from the Employee role, it will also remove the AD account. I tried setting the pol_key attribute in UD_ADUSER with the id of the policy found in table pol but that didn't help.
    Thanks

  • Resource account not created

    Using a custom anonymous registration process a new user is created; this user is created with a LDAP resource. After the process is approved the user is now in SIM but the account is not provisioned to LDAP. In order to get this to provision to LDAP you have to:
    1. Open the user in the admin interface and click Save. Or
    2. Check the user and Update
    If either of these is done, the LDAP account is created successfully.
    We have the same configuration on another machine and the account is created without having to update.

    Hi. I think that your workflow that is in charge of the provision has some definition or property where you define the Workflow context where his process will run.
    I will like to know how to set up a custom anonymous registration process that starts with a login page. I really will appreciate if you can help me with this.
    Best regards.

  • Task object: Linking Opty to Account: on the NEW/create from LookUp

    Hi,
    The User creates a Task from the Account Detail page.
    The Task page has the Opty field (LookUp).
    On the LookUp, User clicks the NEW button to create a new Opty record.
    The Opty page has the Account field (LookUp) -here is it possible to get the original Account Name into the Account field on the Opty page?
    The standard facility is that the Account Name does not get picked up here.
    I understand that the above process/flow is not in the standard model...
    (the current solution is to ask users to create the task from the Opty Detail page, which reflects the actual intent as well; but a config solution to the above process would be helpful).

    Hi,
    Siebel picks up the relevant information like account name or opportunity name automatically if that is any record you create from within any record. And if you consider the normal sales practice, one creates an opp first and then a follow up task for that opp.
    Nisman

  • Resource account password set during User Update process.

    Hi friends,
    I added to the Update WF a step to initialize an account password when, during the update of the user, IDM creates the new resource account.
    This is an initial password (known).
    This event basically happens in two User's Update cases:
    A. when the account was (accidentally) removed from the resource
    B. when a new Role requires to add a new resource account to the user
    In both cases IDM (re)creates the user account on the resource.
    In order to set this account initial password, I check (in the Update WF) the value of 'user.update.toCreate': if it contains the resource name, then I set the pw after the account has been provisioned.
    This method fails during case B. only when, for some reason, the resource account already exists BEFORE the update starts: even if the account is already there, IDM sets 'user.update.toCreate', leading my step to reset the account password to the initial value.
    What could I check in order to avoid it? (I don't want to reset account passwords when linking existing accounts)
    The only way I see at the moment would be to query the resource at the beginning of the Update WF to check if the account is already there...
    MTIA

    Hi,
    Have you found a resolution to this problem?
    Thanks
    Edited by: sun_to_Orcl on Jan 31, 2010 8:28 PM
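
Added example, not part of either thread and not IDM code: the pre-check suggested in the post above (query the resource before the update starts), which also covers the overwritten group memberships from the first thread on this page. `FakeDirectory`, `snapshot_existing` and `provision` are hypothetical names, one in-memory directory stands in for the AD resource, and the sample DNs and groups are constructed.

```python
from dataclasses import dataclass, field


class AccountExists(Exception):
    """Raised by the stand-in directory when a create hits an existing DN."""


@dataclass
class Account:
    dn: str
    groups: set = field(default_factory=set)
    has_initial_password: bool = False


class FakeDirectory:
    """Constructed in-memory stand-in for the AD resource (not an IDM or AD API)."""

    def __init__(self):
        self._by_dn = {}

    @staticmethod
    def _key(dn):
        # AD compares DNs case-insensitively; lowercasing is a simplification.
        return dn.strip().lower()

    def exists(self, dn):
        return self._key(dn) in self._by_dn

    def get(self, dn):
        return self._by_dn[self._key(dn)]

    def create(self, dn, groups=()):
        if self.exists(dn):
            raise AccountExists(dn)
        acct = Account(dn=dn, groups=set(groups))
        self._by_dn[self._key(dn)] = acct
        return acct


def snapshot_existing(directory, planned):
    """Query the resource before the update starts.

    planned maps resource name -> DN the update intends to create.
    Returns the resource names whose account is already present.
    """
    return {res for res, dn in planned.items() if directory.exists(dn)}


def provision(directory, planned, to_create, pre_existing, default_groups):
    """Create or link each resource account named in to_create.

    Defaults (group memberships, initial password) are applied only to
    accounts this run really created. Returns {resource: "CREATE" | "LINK"}.
    """
    outcome = {}
    for res in to_create:
        dn = planned[res]
        if res in pre_existing:
            outcome[res] = "LINK"  # leave groups and password alone
            continue
        try:
            acct = directory.create(dn, default_groups)
        except AccountExists:
            # Created out of band after the snapshot was taken: still a link.
            outcome[res] = "LINK"
            continue
        acct.has_initial_password = True  # stands in for the password-set step
        outcome[res] = "CREATE"
    return outcome


def demo():
    defaults = {"CN=Domain Users", "CN=Staff"}
    ad = FakeDirectory()
    # Constructed sample: an admin created this account by hand with custom groups.
    ad.create("CN=Jane Doe,OU=People,DC=example,DC=com", {"CN=Finance"})
    jane = {"AD": "cn=jane doe,ou=people,dc=example,dc=com"}
    john = {"AD": "CN=John Roe,OU=People,DC=example,DC=com"}
    results = {}
    for name, planned in (("jane", jane), ("john", john)):
        pre = snapshot_existing(ad, planned)
        results[name] = provision(ad, planned, ["AD"], pre, defaults)
    return ad, results


if __name__ == "__main__":
    directory, results = demo()
    print(results)
```

The `AccountExists` branch covers an account that appears between the snapshot and the create call, so a late manual creation is still treated as a link and keeps its own groups and password.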

  • Reconciliation: Manually link not matched accounts to OIM users

    Hi all,
    Is it possible to manually link a reconciled account to a OIM user?
    When reconciliation process is finished, in the reconciliation manager there are a few accounts that are not matched (to OIM users). This is because they are "service accounts" or resource "administrative accounts", and the user ID of the reconciled account is not equal to any existing OIM user (xellerate users).
    In that case, we want to manually link those accounts to an administrator (OIM users). So, when listing the resource profile of that user, those accounts are showed as provisioned.
    By now, we are trying to achieve that, only that, not any service account behaviour (that will be the next goal).
    Regards.
    Edited by: user643044 on Feb 3, 2009 9:12 AM

    Thank you.
    We have solved it in the following way:
    1.- RO: create a "dummy" recon field.
    2.- Recon Connector (java code): create a field (uid_to_map), but not added to the hashmap. So, this field is added to the reconciliation event as "unprocessed".
    3.- Create a Recon Rule, to map OIM "User Id" -> RO "dummy"
    4.- Perform reconciliation.
    5.- Edit the reconciliation event. Edit the unprocessed field "uid_to_map", linking it with "dummy" recon field, and introducing the OIM user ID of the OIM user we want to link to.
    6.- Re-apply the matching rule.
    So, the account is linked to the user.
    Maybe it could help somebody who needs the same functionality.

  • Assigning Multiple Resource Accounts to IdM User Account in IdM 7.0

    Hi All -
    Has anyone tried assigning multiple resource accounts to an IdM User with IdM 7.0 by creating an Account type using Identity Rules? I tested it on Simulated Resource and it works fine. But for Active Directory, which has personal accounts and Admin accounts on different OUs on AD, when I am trying to do the Bulk Upload, the bulk upload is able to link up the Admin account on AD to the user account. But then it tries to create an additional account as well, even though the user that executed the Bulk action has a Blank form assigned. Has anyone been able to figure this out yet? If yes, can you please provide some inputs on this?

  • Link existing resource to Active Directory

    I am working with an existing implementation of Project Server 2010 where Active Directory is used to synchronize resources. When initially implementing this environment, it was decided that most people in the department would be created as resources, however, they would not be given the "logon to Project Server" permission (they were created manually). There have been some cases where these existing resources have later needed to have access to the server, so they are added to the necessary AD group, and synchronized into Project Server. Due to the existing account already being in the resource pool, it creates a 2nd resource with the same name but the windows user account tagged to the end (example, Jane Doe [DOMAIN\jdoe]).
    Is there any way to update the existing resource information so that Project Server knows to link that resource with the new resource in Active Directory? We have tried manually selecting "logon to Project Server" and entering the windows user ID, but it has the same behavior (adds a second resource to the enterprise resource pool).
    I understand that you can prevent active directory from synchronizing that account, but we are hoping there is a better solution that doesn't disable the inherent functionality of AD sync.
    Thank you and let me know if you need additional information.

    Which group have you mapped with Resource pool sync?
    When you sync the resource pool with AD, in that case only the resource will be added to the Project Server, I mean to say:
    The "logon to Project Server" button is unchecked
    The Windows User Account is not populated
    The user is not added to the out of box Team Members security group
    http://technet.microsoft.com/en-us/library/gg982985(v=office.14).aspx
    http://technet.microsoft.com/en-us/library/gg750243(v=office.14).aspx
    These links will give you a better idea.
    For giving user permission you map Project Server group with AD groups; this will give you proper access.
    For resources you use resource pool sync.
    No Project Server user accounts will be automatically created for resources that are added to the Enterprise Resource Pool through Active Directory synchronization.
    If you go with 2nd approach you will not face any problem in future.
    Once you do resource pool sync it will create resources without user login.
    Then you can map Project Permission group with AD group; it will add user account to the users who are present in AD.
    For this you have to create different groups in AD as per Project Server group and add users as per your need in the AD group. Be careful: do not map the Project Server group with the group which you are using for resource pool mapping sync.
    kirtesh

  • HELP! FOR LOOP TO SCROLL THROUGH TABLE AND CREATE DATABASE LINK

    Hi,
    Here's the scenario, not much of a PL programmer, just basic SQL so really need some help people!
    I have 2 tables. 1 contains list of DB's and the other contains rules to follow.
    I need to create a loop that goes through the table containing the DB's and on each row a DB link is created (Only 1 link allowed!)
    Once created, the schema currently logged in with also has an account on the linked DB in order to run scripts- The scripts are stored centrally hence the requirement for the link to the target DB.
    There are numerous scripts that need to be executed and can all be called from 1 script, once executed the loop exists and the database link needs to be dropped.
    Once dropped, the first loop continues, creating a DB link for the next DB listed in the table (and all the scripts are fired again)
    This continues against all the DB's listed in the table.

    Hi BlueShadow,
    Thanks again for the response, you've hit the nail on the head. SQL scripts on a unix server, a loop goes through a table 1 at a time. Each row gets a link created and then all the scripts stored on the server are executed against the db linked to. So I'm assuming this is a loop within a loop.
    1 loop to go through the table to create the link and then another loop within once connected to execute all the scripts against the connected DB. Once the scripts are run, the loop exits and moves onto the next server and so on until all the servers have the scripts are run.
    It's PL/SQL scripts we're after and not shell scripts as this would free us from the OS constraints.
    We have to drop the links due to security. Any idea on o

  • Creating a link with the Link Tool

    I used the Link Tool to create a Link in my pdf file.  The link is set to open a website file.  I created 2, one with just a little text and the other was a picture that was 200 X 300 px.  When I follow the links, each is opening a full web page.  I expected that with the Text link because I put the text on an html page but the picture I sized to the 200X300 but that opened a full web page also.  When setting up the link to the Web File I did not see an additional settings as far as how to open the web page such as _parent or _child etc.  I believe it is normally the Target.
    Does anyone know how I would either do this with the link tool or know of a better way to do it overall?
    Thanks
    Bob

    Hi,
    You may be confusing HTML markup for links with PDF links.
    In PDF, HTML markup is not applicable.
    So "target_xxxx" or any other HTML 'stuff' cannot be used.
    For the graphic file (JPG, PNG, whatever), make a web page file that is configured to display the graphic file in a manner you desire.
    The web link you set in the PDF, with Acrobat, will result in this web page file opening.
    This is the file that will control how the graphic is rendered.
    If needed, a resource for HTML "how to" is W3 Schools.
    Be well...

  • HT204053 iCloud says my Apple ID is valid but it is not an iCloud account. I find how to link on Apple services but it seems to leave me hanging. How do I actually link the 2 accounts? On a Windows 8 PC?

    iCloud Control Panel says my Apple ID is valid but it is not an iCloud account. How do I link the 2 accounts on a Windows 8 PC with iTunes 11. I go to Apple services and it gives some instructions; but they leave me hanging. They tell me to put in the same user name and then just stop. Doesn't say what to do next. I did what it said and the 2 accounts are still not linked. Anyone know how to assist? Thank you.

    Apple isn't trying to be anti-PC with this; they support PCs going all the way back to Vista SP2, a 3-generation old version of Windows.  To sync iCloud with a Mac you have to be running one of the last 2 versions of the OS X operating system (i.e., a newer version than you do on Windows).  I assume it's set up this way because it's a service provided customers purchasing Apple devices that utilize iCloud syncing services, and if you happen to also you own a PC, it will sync with that as well.  It wouldn't make sense for them to provide this service, including a free 5GB iCloud account, hosting for backups, syncing services, free photo stream, etc. for non-Apple customers (who, for example, may only own a PC).
    If you have a friend with one of these devices who is willing to let you create the account on their device, you could then use it on your PC.  They would have to delete the existing account from their device in Settings>iCloud, then let you sign in with your ID to create a new account, then delete this account from their device and sign back into their own account.  You could then use this ID to sign into the newly created account on your PC.  Note: each device can only create 3 iCloud accounts, so you would be using one of their 3 allotted accounts, but they may be willing to do this for you.
    iCloud is really designed to keep your data in sync across multiple devices that you may own, and with your computer.  It will also automatically back up your device, stream photos taken on one device to all your other devices, and allow you to locate a misplaced device using Find My iPhone.  It doesn't, however, sync music if that's what you're looking for.
    If you want to be able to access your music from iCloud you don't need an iCloud account for this.  As mentioned earlier, music purchased from the iTunes store is already available in iCloud.  Music from other sources, such as in your case, can only be accessed from iCloud if you subscribe to iTunes Match (see http://www.apple.com/itunes/itunes-match/).  If you do, you can then upload your iTunes library (up to 25,000 songs) to iCloud and access them from an iOS device via iCloud, even without an iCloud account.  Music purchased from other sources that is copy protected (contains DRM) is not eligible and will not be uploaded to iCloud so be sure your music purchased from Amazon doesn't contain DRM before subscribing.

  • I need to delete my Apple ID on my iPhone 4.  I forgot my psw for my account.  When I answer the security question, the system responds incorrect answer.  I created a new Apple iTunes account but I still unable to delete the old iTunes account.

    I need to delete my Apple ID on my iPhone 4.  I forgot my psw for my account.  When I answer the security question, the system responds incorrect answer.  I created a new Apple iTunes account but I still unable to delete the old iTunes account.

    AppleFAN7591 wrote:
    I need to delete my Apple ID on my iPhone 4.  I forgot my psw for my account.  When I answer the security question, the system responds incorrect answer.  I created a new Apple iTunes account but I still unable to delete the old iTunes account.
    How to reset your Apple ID password.
    Go to iforgot.apple.com and type in your Apple ID, then click 'Next'.
    Verify your date of birth, then click 'Next'.
    You'll be able to choose one of two methods to reset your password, either E-Mail Authentication or Answer Security Questions.
    If neither method works, then go to https://getsupport.apple.com
    (If you see a message that says 'There are no products registered to this Apple ID', simply click on 'See all products and services')
    Choose 'More Products & Services', then 'Apple ID'.
    A new page will open.
    Choose 'Other Apple ID Topics', then 'Lost or forgotten Apple ID password'.
    Click the blue 'Continue' button.
    Select the contact option that suits your needs best.
    How to reset your Apple ID security questions.
    Go to appleid.apple.com, click on the blue button that says 'Manage Your Apple ID'.
    Log in with your Apple ID and password. (If you have forgotten your Apple ID password, go to iforgot.apple.com first to reset your password with a password recovery email)
    Go to the Password & Security section on the left side, and click on the link underneath the security questions that says 'Forgot your answers? Send reset security info email to [email]'.  This will generate an automated e-mail that will allow you to reset your security questions.
    If that doesn't work, or  there is no rescue email link available, then click on 'Temporary Support PIN' that is in the bottom left side, and generate a 4-digit PIN for the Apple Account Security Advisor you will be contacting later.
    Next, go to https://getsupport.apple.com
    (If you see a message that says 'There are no products registered to this Apple ID', simply click on 'See all products and services')
    Choose 'More Products & Services', then 'Apple ID'.
    A new page will open.
    Choose 'Other Apple ID Topics', then 'Forgotten Apple ID Security Questions'.
    Click the blue 'Continue' button.
    Select the contact option that suits your needs best.
