Delegated Admin Deleted org and attribute violation

Similar Messages

• XI3.1 and delegated admin?

  hi,
  we have two distinct project. each project must have delegated admin (manage user and group) : each admin must see only its users and groups...
  we have apply this :
  1/create specific admin groups
  2/ create specific acces level (view object/general +add objects/content folder all rights/system user all rights/system usergroup)
  3/ on user and groups/manage top level security/all group :
  add the two admin groups and apply acces level
  4/ on each group and subgroup remove acces on the admin group that does not (because each admin group is  in inherited rigth...)
  this work, but not for for user level, delegated admin can't create user and if we apply top level security acces level , the admingroup can see ALL user. it's not that we want...
  have you ideas?
  thank's

  Hi Phil!
  I think it is designed as is - but did you try to use Windows AD Groups.
  You can enable specific windows AD groups to BO. These will be created automatically the first time they logon, or you can trigger an AD refresh. So the users are created automatically.
  You admins could then have the rights to see the users only and  to see/edit their own set of Groups, where they can put these users to. Also you can define which admin sees which objects (reports, universes, connections, ...)
  But: you will get an issue if you loose/change your AD connection to your server, then everything must be redone.
  ciao Hakan

• Deleting users with Delegated Admin

  Hope anyone can help with this:
  When I delete a user with Delegated Admin (For Messaging 5.x) the user
  seems to be deleted in iDA, but it is not deleted in LDAP.
  Therefore, I cannot re-use it's attributes (like E-mail address) for
  another (new) user.
  This causes all kind of problems.
  I can go into the Console and through away the user, then everything
  works again. But I expected iDA also to delete the user if I use the
  delete button.
  Any ideas? Did I forget something?
  Thanks in advance,
  Niels de Troye

  Hi..
  the nda does not remove the user... is put it in suspend mode...
  you have to run the imsimta purge command to remove the user.. or to wait
  the server to do that
  in a day or so....
  take a look at the manual to see how you can do that...
  "N. de Troye" wrote:
  Hope anyone can help with this:
  When I delete a user with Delegated Admin (For Messaging 5.x) the user
  seems to be deleted in iDA, but it is not deleted in LDAP.
  Therefore, I cannot re-use it's attributes (like E-mail address) for
  another (new) user.
  This causes all kind of problems.
  I can go into the Console and through away the user, then everything
  works again. But I expected iDA also to delete the user if I use the
  delete button.
  Any ideas? Did I forget something?
  Thanks in advance,
  Niels de Troye--
  Over and Out
  Giorgos Kiriakidis
  Technical Department
  NetSmart S.A.
  Panepistimiou 58.
  Athens 10678
  Hellas
  Tel +3013302608
  Fax +3013302658
  Email [email protected]
  This message contains confidential information intended for a specific
  individual and purpose,
  is protective by law. If you are not the intended recipient, you should
  delete this message.
  Any disclosure, coping, distribution or taking any action based on this
  message is strictly prohibited.

• Delegated Admin and Class of Service

  Hi
  we have configured
  Messaging Server
  Calendar server
  Instant Messaging Server
  and Portal Server
  We would like use delegated admin for user provisioning.
  We are able to modify default Class of Service templates to suit our needs for Messaging and Calendaring.
  We would also like to provide Portal desktop and Instant messaging access thru' delegated admin.
  Help us to configure these class of services either using directory console or any other method
  Thanks
  Saba

  rkbunca wrote:
  Recently we deleted about 3K users using: commadmin domain purge, and while
  it appears to have successfully deleted the users -- ldapsearch doesn't yield any
  output. The lower number of users is NOT reflected in the field "Number of Users"
  on the Delegated Admin page. It still shows the same number of users >11K we
  "had" prior to the deletion process.
  Any ideas to explain this discrepancy?The number of users displayed in the DA GUI is recorded in the "sunNumUsers" attribute associated with the domain e.g.
  dn: o=aus.sun.com,dc=aus,dc=sun,dc=com
  sunNumUsers: 11
  This is to avoid having to do an ldapsearch across the domain to get a count. You can manually update this attribute to get the number back-in-sync.
  The commadmin domain purge should have updated this value -- I couldn't find any pre-existing bugs to explain why it didn't happen in your case. I suggest you log a support case to get this looked into further.
  You may also want to check your directory audit logs to see if an attempt was made to update this attribute but failed for some reason.
  Regards,
  Shane.

• Delegated Admin and Number of Users

  Recently we deleted about 3K users using: commadmin domain purge, and while
  it appears to have successfully deleted the users -- ldapsearch doesn't yield any
  output. The lower number of users is NOT reflected in the field "Number of Users"
  on the Delegated Admin page. It still shows the same number of users >11K we
  "had" prior to the deletion process.
  Any ideas to explain this discrepancy?
  -- Bob

  rkbunca wrote:
  Recently we deleted about 3K users using: commadmin domain purge, and while
  it appears to have successfully deleted the users -- ldapsearch doesn't yield any
  output. The lower number of users is NOT reflected in the field "Number of Users"
  on the Delegated Admin page. It still shows the same number of users >11K we
  "had" prior to the deletion process.
  Any ideas to explain this discrepancy?The number of users displayed in the DA GUI is recorded in the "sunNumUsers" attribute associated with the domain e.g.
  dn: o=aus.sun.com,dc=aus,dc=sun,dc=com
  sunNumUsers: 11
  This is to avoid having to do an ldapsearch across the domain to get a count. You can manually update this attribute to get the number back-in-sync.
  The commadmin domain purge should have updated this value -- I couldn't find any pre-existing bugs to explain why it didn't happen in your case. I suggest you log a support case to get this looked into further.
  You may also want to check your directory audit logs to see if an attempt was made to update this attribute but failed for some reason.
  Regards,
  Shane.

• Delegated Admin and non-flat user/group structures

  Hello, I am trying to build a directory structure with several containers under an organization used to store different portions of userdata and group data (i.e. not only ou=people and ou=group, but also a few ou's like them). Server software is from OUCS 7u2 release. Users in "other" containers are populated into LDAP (ODSEE 11) by replication, filling in all the same attributes as a freshly DA-created account has.
  The Delegated Admin interface and other parts of the software accept this and work okay with this setup, displaying user information, allowing logins and so on - except for attempts to edit user accounts in the alternate containers in the DA (i.e. add/remove service packages, change quotas, etc.). First I've verified that this is not an LDAP problem - I can use both command-line ldapmodify and an LDAPBrowser GUI to edit the entries with no hiccups.
  I tracked that when trying to save account information for accounts in non-standard containers, the DA still tries to use a hard-coded path (i.e. uid=USERNAME,ou=people,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displayed it from) uid=USERNAME,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.
  Possibly, this "hardcoding" stems from DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties which does list components of the LDAP structure:
  # Ldap configuration.
  # List of ldap hosts. Form is <ldaphost>:<portnumber>. (Default port = 389)
  # add additional hosts with ldaphost-<consecutive number>
  # Schema type is either "1" or "2".
  # Reconnect interval is in seconds
  # Group and people container is dn from organization dn (e.g ou=people)
  ldaphost-1=oucsldap01:389
  ldaphost-2=oucsldap02:389
  ldaphost-suffix=dc=DOMAIN,dc=NAME
  ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
  ldaphost-maxcount=50
  ldaphost-schematype=2
  ldaphost-reconnectinterval=60
  ldaphost-peoplecontainer=ou=People
  ldaphost-groupcontainer=ou=Groups
  ldaphost-orgadminrole=cn=Organization Admin Role
  While the organization root dn is not explicit here (and shouldn't be), the default people container is... I might guess a coding error logic like this: indeed, the "ou=People" container should be used by default when creating a user via DA; as a likely error, it might also be used when editing existing users - instead of their existing full DN/parent DN.
  Questions:
  1) Does anyone have a working configuration with several user/group containers within an organization like this? Would you care to share details and workarounds, if were needed?
  2) I think that possibly the "shared domain/organization hosting" mode might help here - at least it is expected to have several LDAP trees with their delegated administrators performing as a single e-mail domain. Before I go and reconfigure everything, I'd love to hear if there are any success stories with this route? Is it a proper solution (or THE solution) for such config?
  Thanks,
  //Jim Klimov

  I wanted to follow up that reconfiguring the directory structure according to shared domain hosting, with branches for ISW-synchronized accounts as one of the sub-organizations which share the domain, and manually created OUCS-only accounts being in another sub-organization. This works for both messaging components and the DA, as long as UIDs are in ou=People in their organization. Somewhat unfortunately, ISW config seems to allow only one DSEE target branch and puts groups (CN) there as well. Well, for our needs to edit user attributes and service packages via DA, this suffices. Sometimes there are hiccups (Can not save changes), but they are intermittent and harder to trace debug; usually go away with restart of the DA web container. The DSEE LDAP instances are configured with plugins to enforce uid uniqueness across the organization and uniqueness of values of messaging email address attributes (mail, mailAlternateAddress, mailEqiuvalentAddress) to avoid mixups between user accounts in different branches.
  Also, we had a problem with Calendar server after migrating the LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocation of entries (the way we did it) generated new values for new entries and users got new empty caledar databases. On this POC this was not a major problem, and newer OUCS releases with a davUniqueID attribute should specifically be immune to this problem. However, for others trodding this path I can suggest that they export the LDAP database into LDIF including the unique IDs, recreate the suffixes as needed (the ISW target organization in DSEE should be a separate LDAP database suffix), change the LDIF entry pathnames, and import the LDIF anew. This would wipe old LDAP data and should add old nsUniqueIDs to relocated entries (unlike recreation via ldapadd or relocation via ldapmodrdn).
  We have also hit a problem with DA refusing to render the list of accounts (returning 0 or 25 empty entries in a table). The LDAP logs showed that on the LDAP side all is ok, and expected amount of replies was located. Pattern searches often produced the proper table with a subset of users in DA. Ultimately, we linked the problem to ISW binary base64-encoded attributes (dspswuserlink et al; some of those values also garbaged output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA-admin user to read,search,compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, so as to apply this ACI not to an explicitly named admin user but to any users with DA admin privileges (by group or role? which string, to cover them all in advance)? Or, perhaps, nobody except the ISW user account should see these ISW attributes?
  Hope this report helps others who would try to pioneer this path of messaging integration
  //Jim Klimov

• Jes3 and Delegated Admin

  I'm setting up a demo of JES3 Messaging for a customer with the Delegated Admin. It seems to work for I can create users with the correct attributes. These users can log into Messagent express and can see their mail but cannot send outgoing mail. Also I can't pop from the command line fror any of these users but sending mail to them from he command line does work. This seems to be probles with MailAllowed Services, but it seems ok on a ldapsearch (see below).
  Synopsis of results:
  I can send mail to these users with a telnet to port 25. But MExpress canot send mail from any of these users.
  Messaging Express smtp error:
  "Not authorized to sned messages"
  But MExpress get's incoming mail for these users.
  Messager Express gets mail for the users but pop fails:
  Telnet <server> 110
  User testuser2
  pass password
  "-ERR [AUTH] Not authorized to login as specified user"
  ldapsearch output for testuser2
  uid=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com
  psIncludeInGAB=true
  uid=testuser2
  iplanet-am-modifiable-by=cn=Organization Admin Role,o=myjazz.com,dc=myjazz,dc=com
  givenName=Test
  [email protected]
  mailUserStatus=active
  sn=User2
  cn=Test User2
  inetCOS=gold
  preferredLocale=en
  mailHost=bigun.myjazz.com
  objectClass=userpresenceprofile
  objectClass=top
  objectClass=iplanet-am-managed-person
  objectClass=iplanet-am-user-service
  objectClass=inetadmin
  objectClass=organizationalperson
  objectClass=person
  objectClass=inetuser
  objectClass=inetlocalmailrecipient
  objectClass=iplanetpreferences
  objectClass=ipuser
  objectClass=inetorgperson
  objectClass=inetsubscriber
  objectClass=inetmailuser
  inetUserStatus=Active
  userPassword={SSHA}I8oftLKYhg0DzYAzCh1UfzaluWNuKVNIjXO7RQ==
  mailDeliveryOption=mailbox
  preferredLanguage=en
  nswmExtendedUserPrefs=meDraftFolder=Drafts
  nswmExtendedUserPrefs=meSentFolder=Sent
  nswmExtendedUserPrefs=meTrashFolder=Trash
  nswmExtendedUserPrefs=meInitialized=true
  pabURI=ldap://bigun.myjazz.com:389/ou=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com,o=pab
  mailAllowedServiceAccess=+imaps:ALL$+pops:ALL$+smtps:ALL$+http:ALL
  mailMsgMaxBlocks=700
  mailMsgQuota=3000
  mailQuota=8000000

  I had the same problem. When I created a user account through the Delegated Admin interface the user could log into Communications Express, but was unable to send outgoing email. I then created another user account using the command below and this user is able to send email. I have not quite figured out the significany difference yet.
  ./commadmin user create -D admin -w <password> -X host.domain.com -n domain.com -d hosteddomain.com -l test5 -F Test5 -L User -W pass -S mail,cal -k legacy -E [email protected] -H host.domain.com

• I tried to make another account on my school Macbook Pro, made the Admin, account with the same name as the one I was using, deleted it and then all my desktop data is gone.

  So, the problem is,
  I used these school Macs right? They're school handed and stuff. Then one day I decided I want admin so I do this thing where I "reset" everything on the Macbook using this Video (at the bottom) http://www.wikihow.com/Reset-a-Lost-Admin-Password-on-Mac-OS-X
  Then I do it, it takes me to the new User. That's not what I want so I shut down, then made an account with the same name as my current account (let's call it Y). Then I delete Y on purpose. I deleted it because I didn't want my school to know I had this account. Realise I wanted it again so I made an account, let's call it X then when I have X I deleted Y. Then I realised my AirDrop name said X so then I made a new account, this time let's call it Z, with Z I delete X and then I deleted Z because I don't want my school to know I have Z but then Z is also the same name as my main/current account. Somehow or something I delete my current account leaving me with Z. Now I can see my account and stuff but don't know how to restore it.
  Picture will be provides later.
  PLEASE PLEASE PLEASE HELP ME. I HAVE SCHOOL TOMORROW AND I DON'T WANT MY PARENTS TO FIND OUT.

  It is a bad idea to hack computer passwords when you don't own the computer
  Good luck with the school and the parents.

• While installing IMS on p4, the delegated admin, MTA and IWS6.0 could not be started

  I am installing IMS 5.1 NT version on a p4 machine and my MTA services are not starting, i searched for the IMTA.conf file but that was not found. Also the IWS 6.0 that was installed additionally for the upgraded JVM is not getting started , and the delegated admin through the browser could not be accessed

  I am installing IMS 5.1 NT version on a p4 machine and my MTA services are not starting, i searched for the IMTA.conf file but that was not found. Also the IWS 6.0 that was installed additionally for the upgraded JVM is not getting started , and the delegated admin through the browser could not be accessed

• CRMD_BUS2000108 - organizational unit and attributes for org. unit

  Hi all!
  As I'm customizing Lead creation (and in a second step lead generation)
  I would like to receive tips about "selection of organizational unit and attributes for org. unit".
  I expected that, by entering a BP number of a prospect or sold-to party, the organizational unit and its attributes would be displayed automatically on the tab "organization".
  This is not the case. When I start the lead creation, there is a pop-up screen inviting me to choose the organizational unit. afterwards a pop-up screen for the attributes of the org unit. Only after setting a flag in both pop-ups, I see the actual "lead" transaction. When I enter a BP number, the sales assistant and sales rep are found automatically.
  Could anybody please explain how to change the customizing?
  I would like to see the lead transaction (create) first, enter a bp number and than have the org unit and its attributes, the sales rep and sales assistant found automatically.
  Any usefull answer (would make my day ), will be rewarded.
  Thank you very much for your suggestions and time in advance!
  I. Van Acker

  hi
  this is happening because you have not done the org data determination in your transaction,just go to SPRO and there in org data determination ,you have many standard ORGMAN rules available which you can use which will pick the data according to the user ,BPs etc.
  it will enable you to first give BP and then the org data will be driven automatically from the system according to the rule in org data determination.
  so first go and use rule ,try using rule ORGMAN_12
  then attach this rule to the org data profile and then add this org data profile to the transaction in basic settings in transaction where you have defined your lead transaction.
  it will solve your purpose
  best regards
  ashish

• Delete in xsql:dml vs xsql:delete-request and returned rows attribute

  There is a difference in the number of rows returned between using a delete in xsql:dml vs xsql:delete-request. If I issue a delete via xsql:dml and the row I wish to delete is not in the table, then I get a result with rows equal to 0 as expected. However if I issue a delete via xsql:delete-request and the row I wish to delete is again not in the table, then I get a result with rows equal to 1.
  It appears that the value of rows in the response to xsql:delete-request is the number of rows to be processed, ie the number of rows in the posted document, whereas the value of rows in the response to xsql:dml is the number of rows processed in the database.
  I'd expect that the result that we want is the number of rows processed in the database. Thus xsql:delete-request should use the rows attribute in the response to reflect the number of rows processed in the database and thus be consistent with xsql:dml, and possibly use another attribute to reflect the number of rows to be processed.
  The same problem occurs with an update in xsql:dml vs xsql:update-request.
  http://aetius/xsql/demo/dmldelete.xsql?cxn=demo&bind=ename&ename=COMPAQ&sql=delete+from+EMP+where+ENAME+%3d+?
  result is
  <xsql-status action="xsql:dml" rows="0"/>
  where dmldelete.xsql is
  <xsql:dml
  null-indicator="yes"
  connection="{@cxn}"
  bind-params="{@bind}"
  xmlns:xsql="urn:oracle-xsql">
  {@sql}
  </xsql:dml>
  http://aetius/xsql/demo/reqdelete.xsql?cxn=demo&table=EMP&key=ENAME
  where posted document is
  <ROWSET><ROW><ENAME>COMPAQ</ENAME></ROW></ROWSET>
  result
  <xsql-status action="xsql:delete-request" rows="1"/>
  where reqdelete.xsql is
  <xsql:delete-request
  connection="{@cxn}"
  key-columns="{@key}"
  table="{@table}"
  xmlns:xsql="urn:oracle-xsql">
  </xsql:delete-request>
  Steve.

  If you post as an HTML parameter, then you can directly reference the parameter value as either a lexical parameter:
  <xsql:dml>
  insert into foo(xml_column) values ('{@paramname}')
  </xsql:dml>
  or as a bind parameter:
  <xsql:dml bind-params="paramname">
  insert into foo(xml_column) values (?)
  </xsql:dml>
  I'd recommend the latter since it's more robust to the presence of quotes in the XML that's being posted.
  If you post the XML HTTP body, then you'd have to write a custom action handler that called the getPageRequest().getPostedDocument() to get hold of the posted XML Document.

• Difference between SU01 ROLE and attribute ROLE in org.structure

  HI,
  In SU01 transaction ROLE tab employee role is assigned to the user.
  In org. strucute attribute ROLE also contains the employee role.
  what is the difference between ther two ?
  we should mention employee role for the user in SUO1 and attribute ROLE both places to create shopping cart ?
  please guide...points are alloted.
  Thanks
  mani

  Hi SRM guys,
  Just i want to know what is the perpose of the attribute - ROLE in Org.structure
  and what is use of the  ROLE tab in SU01 for user.
  Both places ( attributes and in SUO1-ROLE tab ) need to give the sap_bbp_stal_employee role ???  to shop the user... 
  please confirm ..

• Using Mail, Calendar and Delegated Admin

  I�ve installed mail, calendar and delegated admin for one of the domains I�m hosting.
  I can�t figure out where I can adjust the settings for service packages ex earth. I�d like to have 60 mb mail box in stead of 6. (Changing this on user level in LDAP is not an option.)
  Any one who can give me some tips about where to change this?
  Tnx.
  Kristian

  Sounds like you need to change one of your Service Package templates. Alas, I've not had time to dive into that.
  There is a default config setting for quota, that's global. If you set that, and don't put anything into the user's individual ldap entries, then everybody gets that quota:
  store.defaultmailboxquota
  http://docs.sun.com/app/docs/doc/819-2651/6n4u5ce7i?a=view

• Delegated Admin and User Management in WLP 9.2

  Hi,
  I've made Delegated Administrator role and a user for it. The user is Delegated Admin for our users and groups. Still that user cannot create new users, only new groups.
  The error message that shows when creating new user is "The subject does not have access to the specified group".
  What should I do to make it work ?
  Regards,
  Tanja

  Unfortunately, you've run into a bug in the product. See CR282051 in the WLP 9.2 release notes.
  http://edocs.bea.com/wlp/docs92/relnotes/relnotes.html#wp1147925
  If you have a support contract, you might be able contact BEA Support to see if a patch might be available.

• Org. Attribute Inheritance Model and Strategy

  Hi all -
  We are currently replicating the org. from SAP HR, but are looking for any suggestions on defining an attribute inheritance model for SRM specific attributes.
  Any suggestions?  The org has approximately 15,000 positions.

  Hi,
  The following attribute which is common to all the users can be inherited at the Organisation level.
  Say for Example there are 5 organisation
  for Org : 1 :Common attribute : These are the attribute common for say 200 employees so you can give at the org and tick
  the inherited so that you can again enter the same for all the employees.
  ACS
  BWA
  CAT
  CNT
  EXT_ITS
  KNT
  ROLE
  SYS
  VENDOR_ACS.
  Like this first chart out and give the attributes
  Regards
  G.Ganesh Kumar