Design question: Change Group membership for an AD resource via SelfService

Hi all,
Based on the OIM tutorials, I designed OIM in such a way that an end user can successfully request a resource. Is there a way to allow end users to modify their resource "subscriptions"? For example, I would like to allow end users to change their AD group memberships after the initial provisioning to the resource.
From what I have learned from the tutorials, I assume I would create an AD group membership attribute in the user account profile form and propagate changes to that attribute back to AD.
Or is there a way to allow end users to change their resource data directly under "My Resources"?

There is no concept of requesting a modification of an already provisioned account. Like you said, this can be achieved through an attribute on the user's profile, and on changing that attribute, the new value can be propagated to downstream applications.
Typically, if changes to an already provisioned account need to be done in OIM and through OIM, an OIM admin goes to the user's resource profile, clicks on edit on the process form, and can edit any data there. In the case of AD groups, there will be a child process form that shows the groups that the user is a member of; you can insert (add) new groups or delete existing groups from there and save the form. In the provisioning process of AD you will need to write a process task, which should add/remove the user from the specified group in AD on the trigger when a new group is added or an existing group is removed when the admin is modifying the user's AD process form/process child forms in OIM.
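
The add/remove step described in the answer above, as an added example (not part of the original thread and not OIM's own API): it compares the group rows of the child form before and after an edit and emits LDIF modify records against each group's member attribute. The function names and the example.com DNs are assumptions constructed for illustration.

```python
import base64

def ldif_line(name, value):
    """One LDIF line; values that are not LDIF-safe are base64-encoded (RFC 2849)."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def diff_groups(before, after):
    """Return (added, removed) group DNs. AD matches DNs case-insensitively,
    so a row that only changed letter case is not treated as a change."""
    old = {dn.lower(): dn for dn in before}
    new = {dn.lower(): dn for dn in after}
    added = [dn for key, dn in new.items() if key not in old]
    removed = [dn for key, dn in old.items() if key not in new]
    return added, removed

def membership_ldif(user_dn, before, after):
    """Build LDIF for the change. Membership is written on the group's
    'member' attribute; the user's memberOf is a back-link AD maintains itself."""
    added, removed = diff_groups(before, after)
    records = []
    for op, groups in (("add", added), ("delete", removed)):
        for group_dn in groups:
            records.append("\n".join([
                ldif_line("dn", group_dn),
                "changetype: modify",
                f"{op}: member",
                ldif_line("member", user_dn),
                "-",
            ]))
    return "\n\n".join(records) + ("\n" if records else "")

# Constructed sample data (not from the thread).
USER_DN = "CN=Jörg Müller,OU=Users,DC=example,DC=com"
BEFORE = ["CN=VPN Users,OU=Groups,DC=example,DC=com",
          "CN=Wiki Editors,OU=Groups,DC=example,DC=com"]
AFTER = ["cn=vpn users,ou=groups,dc=example,dc=com",
         "CN=Build Agents,OU=Groups,DC=example,DC=com"]

if __name__ == "__main__":
    print(membership_ldif(USER_DN, BEFORE, AFTER))
```

Emitting only the difference means an unchanged form produces no directory write at all, and every add or delete that does happen is one explicit record that can be logged or reviewed before it is applied.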

Similar Messages

  • How to see the group membership for a user in oidadmin

    How to see the group membership for a user in oidadmin?
    I see the memberships in oiddas, but I would like to know if it's possible to see them in oidadmin? Thanks.

    Hi,
    From what I understand, you know the user and want to know the groups that the user is a member of (am I wrong?)...
    With this query you pass the user's DN to the ldapsearch and the search gives you back the list of groups the member is a member of, all you need to do is change the value "uniquemember=cn=orcladmin" in the query for your own user.
    For example:
    $ORACLE_HOME/bin/ldapsearch -h localhost -p 389 -D "cn=orcladmin" -w oracle10g -b "dc=acme,dc=com,dc=au" -s sub "uniquemember=cn=orcladmin" dn
    will give you the list of groups that the user "cn=orcladmin" is a member of.
    $ORACLE_HOME/bin/ldapsearch -h localhost -p 389 -D "cn=orcladmin" -w oracle10g -b "dc=acme,dc=com,dc=au" -s sub "uniquemember=cn=smithj,cn=Users,dc=acme,dc=com,dc=au" dn
    will give you all the groups that the user smithj is a member of.
    If you don't want to get the DN of the group you can change the last parameter of the query like this
    $ORACLE_HOME/bin/ldapsearch -h localhost -p 389 -D "cn=orcladmin" -w oracle10g -b "dc=acme,dc=com,dc=au" -s sub "uniquemember=cn=smithj,cn=Users,dc=acme,dc=com,dc=au" cn
    will give you the CN of the groups the user is a member of.
    Let me know if this is what you need.
    Regards,
    Juan

  • Com.apple.alf.plist file keeps changing group membership

    Hey All, I've read several discussions about this issue.  The com.apple.alf.plist file keeps changing group membership from admin to wheel.  Disk Utility repair changes the group membership to admin but it will change back to wheel during normal use of the computer, it seems that accessing systempreferences.app and security preferences will change the group to wheel. 
    I don't really want to get into a discussion about the wheel account, unless necessary, but since this is a very important system settings file I'd like it to work correctly.  I have noticed several issues with the firewall not responding as expected such as turning off by itself, and app settings changing or disappearing from the security preference pane.  So, I have deleted the plist file and restarted as recommended on other discussions but the issue always returns during normal use.  I think it might be the application owning the plist file causing the issue, but I am not sure which one owns the plist file.  I assume it would be systempreference.app since I think it is a firewall plist file. The permissions for systempreferences.app is strange also; 
    - everyone - custom
    - system    - read/write
    - wheel      - read/write
    - everyone  -read
    This may be the culprit but I tried to make a minor change, so as not to mess up the operating system, and disk utility repair permissions just puts it back the way it was.   Any ideas about this would be very appreciated.
    Note:  I have done a complete system reinstall and the issue still returns.

    OK, since I haven't gotten any responses about this it must be a complicated issue.  Just as a quick check could some of you good people out there look at the "Get Info" window for the systempreferences.app and see if your permissions look like mine?  I'm still having trouble with the firewall settings not acting as expected such as apps and processes that I have approved/denied connection access not showing up in the firewall pane of system preferences and having to reapprove each startup.  Thank you in advance for any help on this.

  • Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?

    Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?

    Hi
    "Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work"
    If I've understood you correctly I've never known this or anything else to take that long? What were you trying to do exactly?
    "Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behaviour?"
    http://support.apple.com/kb/HT1822
    HTH?
    Tony

  • Report of Groups owned along with group memberships for each group, all in a single .csv file

    Hello all,
    What I'm trying to do is generate a report of all groups owned by a specific user, along with the group memberships, and output it all to a single .csv file. In the .csv file, I would like to have the group names as the column headers, and underneath
    the group name, list all the members of the group down through the column. So for example, if User1 owns 3 groups, the output would look like:
    What I'm having trouble with is outputting the objects to the .csv using New-Object psobject, and I'm starting to wonder if there is an easier way to do this and my brain is just fried.
    Any ideas?

    OK so I can try and give some code here, but I'm asking more of a concept question about how PowerShell builds objects so I'm not sure it will help....
    $User = "User1"
    # List each group managed by $User, followed by that group's members
    get-adgroup -filter {managedby -eq $user} -pr member | %{
        $_.name
        $_.member
    }
    OK so this is a simple script that outputs a group name followed by the membership, all in a single column. What I would like is for the group names to each be the header of a column, and have the membership listed underneath. For example:
    Is this possible in PowerShell?

  • How to change Group membership

    As number of VM servers we are using grows we would like to organize them into groups to simplify management (e.g. business critical, internal, test, ...).
    We are aware we can change group name (membership) using "Deploy" option. This however requires to shutdown VM, re-deploy (copy) and remove the old one.
    Is there more feasible option?
    Do I need to use Oracle Grid Control for this ?
    Thanks
    Honza

    Honza wrote:
    Is there more feasible option?
    Not at the moment, no.
    Do I need to use Oracle Grid Control for this ?
    Grid Control's VM Management Pack actually doesn't have the same group functionality that Oracle VM Manager does. If you do want to split your VMs into groups, you will have to stick to using Oracle VM Manager.

  • Group membership for users is not reflected at the client until full reboot

    Ok, so I am new to this:
    So I created two groups on the server g1 and g2. Created two server users u1 and u1. I have one client with three accounts: System Admin, u1 and u1.
    On the server:
    g1 has one member u1
    g2 has one member u2
    When I swap the membership on the server using Server pref. or Workgroup manager, the users on the client still have access to their original group.
    I tried logging everyone out of the client. It does not work.
    The only way is to reboot the client completely. However, sometimes when I change the membership it does get reflected on the client. Any ideas?
    Equipment:
    One (1) Mac Mini Server 10.6.3, clean install. (defaults to OD)
    One (1) MacBook Pro 17" , 10.6.4
    Is there a way to push?

    Answer!
    UAC (User Account Control) must be set to OFF to disable this message.
    Another error message that really has nothing to do with what's really happening!
    Ugh.

  • How to change Group Asset for one Asset

    Hi,
    Please, how can I change a Group Asset for one Asset?
    I tried with Tcode AS02 but I find "Act determination" in grey.
    I hope for your help
    Regards
    Edited by: jehade el aoumari on Jan 22, 2008 11:38 AM
    Edited by: jehade el aoumari on Jan 22, 2008 12:35 PM

    HI,
    In the Depreciation tab, double click on the Depreciation area where you want to change the Group Asset, because Group Asset is specific to the Depreciation area.
    You will see the Group Asset field.
    If you still do not see the Group Asset field, then you have to change the Screen Layout in the Customisation for the Depreciation area in T-Code AO21.
    Hope this helps you.
    Thanks
    Siva

  • Read group membership for a user object and populate every group with matching user from another domain

    I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
    I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
    for instance
    LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
    LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
    The outcome of the script should be
    LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
    How can i do it?
    Navgup

    Hi Navgup,
    Please refer to the script below, to query users in other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
    import-module activedirectory
    get-adgroupmember "group" | foreach {
        # get the user email
        $email = (get-aduser $_.samaccountname -properties *).EmailAddress
        # filter user name and group with the email in other domain
        Get-ADUser -filter {EmailAddress -eq $email} -properties * -server DomainB.company.com | select samaccountname, memberof
    }
    To get users across domain, please also refer this blog:
    Adding/removing members from another forest or domain to groups in Active Directory:
    http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
    I hope this helps.

  • Minimum group membership for imp/exp for ora 8i(client)  windows xp users

    Hi to all,
    For oracle 8i clients, windows xp users, what is the minimum group membership required that can be used so that the users can import or export dmps. Using Administrators imp/exp works ok... Any alternative?
    Thanks

    Hi Thierry,
    Please do not confuse the issue. Here we have the windows Operating System - privilege and then the Oracle database user privilege. In my case the Oracle database user privilege is DBA. If the user is given a Windows - Administrators privilege (which I do want to give) the exp/imp creates the DMP and log file. But any other standard windows privilege (with DBA privilege) the exp/imp does not create the dmp and log file. I hope I am clear and now you can suggest some alternative solution to OS - administrator.
    Thanks again

  • Question on Group Membership issue in installation

    Hi,
    I am installing the Oracle DB and got this error in the 'Prerequisite Checks':
    'Group Membership: <GroupName>
    This is a prerequisite condition to test where user "<userID>" is a member of the group "<GroupName>"

    SD wrote:
    Hi,
    I am installing the Oracle DB and got this error in the 'Prerequisite Checks':
    'Group Membership: <GroupName>
    This is a prerequisite condition to test where user "<userID>" is a member of the group "<GroupName>"
    consider reading & following the Installation Guide found at http://tahiti.oracle.com

  • OSB & WLST: changing operational settings for a proxy service via WLST

    Hi all,
    we are trying to change the operational settings for a proxy service via WLST.
    In details we would like to change the "Logs" level (Monitoring section).
    We have a lot of deployed services and our 'deployer people' need an automatic way (via WLST for example) for doing that instead of using the OSB console.
    Thanks in advance
    ferp

    Hi,
    OSB is the Oracle Service Bus. Oracle Service Bus is a configuration-based, policy-driven enterprise service bus.
    The OSB is deployed into an Oracle WebLogic Server instance.
    OSB uses also WLST functionality provided by WebLogic Server.
    Best regards
    ferp

  • UPS not resolving group membership for domain group

    I have two trusted domains A and B in a single forest. We have an AD group groupA in domain A that contains users from both domain A and domain B. SharePoint is installed in domain A. However, after UPS is run, when looking at the group in the audience setting, you see that the membership count only reflects the members of domain A but not in domain B. The AD permissions for Directory replication are set correctly.
    So in summary-
    Domain A and Domain B (Full Trust)
    SharePoint in Domain A
    GroupA in Domain A with 5 users from Domain A and 12 users from Domain B
    Post UPS import in audience setup, group only shows membership count as 5 instead of 17
    Users from both Domain A and Domain B show up in the User Profiles
    Is this a known limitation? or is something wrong?

    did you configure the people picker
    http://technet.microsoft.com/en-us/library/gg602075(d=lightweight,v=office.14).aspx#section4
    http://jaredmatfess.wordpress.com/2013/02/26/sharepoint-2010-people-picker-is-having-a-hard-time-finding-people/
    Please remember to mark your question as answered & vote helpful, if this solves/helps your problem.
    Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog
    No need to configure the People Picker in a full trust between domains of the same forest.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • New Group Membership for users

    Hello All,
    Is there a way to add members based on their employee type to a new group without writing a program??
    For ex: if employee type is Part-Time, then add to a Part-time group in OIM.
    We need to do this for new users and also for existing users.
    We have the code to do this task, but I want to make sure if we can do it via configuration in OIM admin console or design console.
    Thank you all in advance.
    Regards,
    ~VSN

    If this is just OIM Groups we are talking about then why reach up to the Access Policies
    - Create membership rules via Design Console -> Rule Designer as follows:
    - Name=Sample Membership, Type=General, Description=Sample
    Role == Part-Time
    - Go to your group in OIM and add this to Membership Rules drop-down
    For existing users, do it through a scheduler and use the same Java code which you have currently in place

  • SQL 2014 - Group Membership for sysadmin permissions not working

    I am using SQL 2014 on Windows Server 2012 R2 and am running into a permission issue. During the install I specified the local server's Administrators group as well as my specific domain account to have sysadmin privileges. 
    The issue is that accounts that are a member of the local server's administrators group can't even login to SQL Server Management Studio unless they are specifically granted permissions for their account (my domain account works fine as it has a specific
    credential in SQL).
    The log just gives the following error:
    Login failed for user 'domainname\username'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>]
    Error: 18456, Severity: 14, State: 11.
    I haven't had this issue in previous versions. Is there something that must be done differently in 2014 to grant permissions to groups?

    Hi, something like
    this?
    Bye
    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
