Disable AD account with access policy

Hi all,
How can I disable an AD account with an access policy (or create an AD account in a disabled state)?
Regards,
Vladimir

Dewan.Rajiv wrote:
Access Policies are just for triggering provisioning. You can customize the AD connector or write your own to create the user in a disabled state using JNDI.

Hi Dewan,
I have to create a simple demo system, and I need a solution which is not too weird (that means use as little of disparate technologies as possible).
I have two connected systems:
1. HR system, which is a trusted source for user and organizational data.
2. AD system, which is my provision destination.
I want to comply with the following requirements:
1. When a user is created in the HR system, a new OIM account shall be created, and a new AD account shall or shall not (depending on HR data) be created in AD in a disabled state.
2. When a user is marked as dismissed in the HR system, the AD account, if it exists, shall be disabled and moved to some special place in the AD tree.
3. The same rules shall apply if the OIM account is created or marked as "Dismissed" manually by an OIM administrator.
I use OIM reconciliation to get the source data, and it is no problem for me to create any reconciliation event I need.
I was considering creating Group->Access Policy->Resource chains, but an Access Policy only allows managing AD attributes, not the account enable status.
Or should I add some unmapped pseudo-attribute to the AD connector and a task which will enable/disable the AD account based on the value of this attribute?
What other options do I have?
Regards,
Vladimir
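One way to do what Dewan describes, as an added example that is not part of this thread and not the OIM AD connector's own code: a small JNDI helper that a custom process task adapter could call. It covers requirement 1 (create the account with the ACCOUNTDISABLE bit already set, so it never exists enabled) and requirement 2 (set the disable bit on an existing account and move it to a holding OU). The directory URL, bind DN, OU names and the sample user are assumptions; only the userAccountControl bit values are Microsoft-documented constants.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;

// Added example, not the OIM AD connector's code: minimal JNDI helper for the two
// account states the thread needs. Every host, DN and OU below is an assumption.
public class AdAccountState {

    // userAccountControl bits documented by Microsoft for Active Directory.
    static final int UF_ACCOUNTDISABLE = 0x0002;
    static final int UF_NORMAL_ACCOUNT = 0x0200;

    // Bind with the provisioning service account. Creating a disabled user does
    // not need a password, so this step works over plain LDAP too; writing
    // unicodePwd later (to enable the account) requires an LDAPS connection.
    static LdapContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    // Flag value for a normal user account, optionally with the disable bit set.
    static int accountControl(boolean disabled) {
        return disabled ? (UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE) : UF_NORMAL_ACCOUNT;
    }

    // Attribute set for the new object. Writing userAccountControl in the same
    // add operation means the account is never observable in an enabled state.
    static Attributes newUserAttributes(String cn, String sam, String upn, boolean disabled) {
        Attributes attrs = new BasicAttributes(true); // ignoreCase = true
        Attribute oc = new BasicAttribute("objectClass");
        oc.add("top");
        oc.add("person");
        oc.add("organizationalPerson");
        oc.add("user");
        attrs.put(oc);
        attrs.put("cn", cn);
        attrs.put("sAMAccountName", sam);
        attrs.put("userPrincipalName", upn);
        attrs.put("userAccountControl", Integer.toString(accountControl(disabled)));
        return attrs;
    }

    // Requirement 1: create the account, disabled when the HR data says so.
    static void createUser(LdapContext ctx, String userDn, String cn, String sam,
                           String upn, boolean disabled) throws NamingException {
        ctx.createSubcontext(userDn, newUserAttributes(cn, sam, upn, disabled));
    }

    // Requirement 2: set the disable bit (keeping every other flag) and move the
    // object under the holding OU. Returns the new DN so the process form can be updated.
    static String disableAndMove(LdapContext ctx, String userDn, String holdingOu) throws NamingException {
        Attributes cur = ctx.getAttributes(userDn, new String[] {"userAccountControl"});
        Attribute uacAttr = cur.get("userAccountControl");
        int uac = uacAttr == null ? UF_NORMAL_ACCOUNT : Integer.parseInt((String) uacAttr.get());
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl", Integer.toString(uac | UF_ACCOUNTDISABLE)))
        };
        ctx.modifyAttributes(userDn, mods);

        LdapName name = new LdapName(userDn);            // parse the DN so escaped commas in the CN stay intact
        String rdn = name.getRdn(name.size() - 1).toString(); // leftmost component, e.g. "CN=Jane Doe"
        String newDn = rdn + "," + holdingOu;
        ctx.rename(userDn, newDn);
        return newDn;
    }

    public static void main(String[] args) throws NamingException {
        // Assumed lab values; in a real adapter these come from the IT Resource.
        LdapContext ctx = connect("ldaps://dc01.example.com:636",
                "CN=svc-oim,OU=Service Accounts,DC=example,DC=com", System.getenv("OIM_AD_PASSWORD"));
        try {
            String userDn = "CN=Jane Doe,OU=Users,DC=example,DC=com";
            createUser(ctx, userDn, "Jane Doe", "jdoe", "jdoe@example.com", true);   // created disabled (514)
            // Later, on the HR "dismissed" event:
            String moved = disableAndMove(ctx, userDn, "OU=Dismissed,DC=example,DC=com");
            System.out.println("Account now at " + moved);
        } finally {
            ctx.close();
        }
    }
}
```

The pseudo-attribute idea from the last paragraph maps onto this directly: a process task that fires on the attribute change reads its value and calls either disableAndMove or the inverse (clear the bit with REPLACE_ATTRIBUTE). Note that an account created this way has no password, so enabling it later means setting unicodePwd over LDAPS first; otherwise the domain controller rejects the enable when a password policy is in force.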

Similar Messages

  • Help Required With Access Policy Trigger On Enable User In Oim 11gR2

    My scenario is:
    We have created an access policy for the user.
    Scenario 1:
    As soon as the role is added to the user, the account is provisioned. - Working
    Scenario 2:
    As the user is disabled, the account gets revoked - Working
    Scenario 3:
    As the user is enabled, a new instance of the account should get provisioned. (It was earlier working in 11g R1.)
    "Evaluate User Policies" is running every ten minutes. I also triggered it manually, but the account doesn't get provisioned after the user is enabled.
    Any inputs?
    Please help

    Your Scenario 2:
    As the user is disabled, the account gets revoked - Working ----> IT'S WRONG if you are using the OOTB feature of OIM
    -> When the user gets disabled, the accounts should get disabled. The result which you are getting above is not OOTB. Have you made any customization to any logic?
    Just for your info, there is one system property which is used to enable disabled resources when the user is enabled:
    http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/system_props.htm#OMADM884
    Enable disabled resource instances when a user is enabled (keyword XL.EnableDisabledResources, value TRUE): if the value is TRUE, then the disabled resource instances are enabled when a user is enabled.

  • Linking resource accounts to access policy from a database

    As part of the seeding process, we assign roles to the users and then run the recon to assign resources to the user. We have an access policy which is supposed to assign the AD resource when a user has an Employee role. After we seed all the existing users, we enable the policy to assign AD for the new users, but since we recon the users instead of using the access policy, it doesn't link the access policy to the resource account.
    How can I link those two in the database so that next time, when someone is removed from the Employee role, it will also remove the AD account? I tried setting the pol_key attribute in UD_ADUSER with the id of the policy found in table pol, but that didn't help.
    Thanks

  • Role getting revoked with Access Policy

    Hi,
    I have an Access Policy which will provision to a Resource Object with only one special role. Whenever a user belongs to the group according to a rule called USR_UDF_GLOBALSTATUS == Active, the user automatically gets provisioned to the Resource Object with that Role as per the access policy. In this access policy, the "Revoke if no longer applies" option is disabled for that Resource Object.
    Whenever, for that user, USR_UDF_GLOBALSTATUS == Active is changed to USR_UDF_GLOBALSTATUS == InActive from reconciliation, the user is removed from that Group. Till here everything is fine. But the Special Role assigned to that user is also getting revoked. I haven't enabled the "Revoke if no longer applies" option. But how come the role is getting revoked?
    According to my requirement, that special role should still stay even if the user is removed from the group. Please help...
    - Pavan

    Enable all logging. Check and see if the user was a member of more groups than just the one. There might be more than one access policy for the user, one that gives the resource with a base set of values for the parent form, and then another access policy that has a lower priority that provides the role. Also look at the Xellerate User object and check for any tasks that might be triggered on this change in value as well as other values. Your best bet is to look at the user and all their groups and resources. Then perform your change, and look on their resource profiles both in targets, and on the xellerate user object, and see what all tasks were inserted.
    -Kevin

  • Provisioning with Access Policy

    Hi All
    I have made one Access policy for Full-Time employees.
    I want that if an admin creates a user who is a Full-Time employee, it should automatically get provisioned with AD.
    I have made that Access Policy. But if the Admin creates a user who is a Full-Time Employee, then the provisioning status goes into the *"READY"* state.
    It gets stuck in the Resource form.
    And in my resource form only one lookup field is there, and I have already put a value in that lookup.
    Could any one please tell me the solution for this.
    Thanks a lot!

    Hi
    I made the access policy Without Approval.
    That extra field, i.e. AD SERVER, I have already filled with ADITResource.
    Actually I have made one resource form; I'm giving the value of AD Server from there, and it is prepopulated in the process form.
    But when the user goes for provisioning, it gets stuck in the Resource Form, not in the Process form. It shows status Ready.
    Is it possible to remove that Resource form from the access policy? I think it may remove my problem.
    But I don't know how to remove the resource form from the Access Policy region.
    Please suggest.
    Thanks for these replies.

  • New iMac 21.5". How can I set up a new user account with access to all the files of the original user account?

    Running Mavericks on a 2013 iMac 21.5". I want to set up a second user account with different settings that meet the requirements of specific software. I need the files to be accessible by both users. I have made both the main and secondary accounts administrators. I have also enabled file sharing for both. Neither account can see the other's files in Finder.
    How can I make all files accessible to both accounts? I read that administrator accounts automatically can see all files on the computer, but it is not working out that way. I have restarted the computer, to no avail.

    Comcast only offers POP accounts, and one way to set up the account and enter all the settings before it connects to the mail server, might be to do it Offline:
    https://support.mozilla.org/en-US/questions/991539#answer-547878
    The server settings are given here: http://customer.comcast.com/help-and-support/internet/setting-up-thunderbird/ , but the method is for Online account setup.

  • Problem with Access Policy

    Hi All!
    OIM 11g:
    1. I have installed DBUM 9.1.0.4
    2. I have configured the IT Resource and RO for granting the user an MS SQL user and database role (for example in the HRData db)
    3. I have created a Role named "HRData DB User" and an Access Policy named "HR Data DB User" which grants the correct RO.
    4. When the role is granted by xelsysadm for a specific OIM user, everything is OK.
    Problem:
    When a user requests the role "HRData DB User" from the Self-Service portal, and the request is approved by xelsysadm, the role is granted but the RO is not granted. I have the following error:
    <Nov 19, 2010 1:12:46 PM CET> <Error> <XELLERATE.SERVER> <BEA-000000> <Class/Method: tcDataObj/eventPreInsert Error :Insert permission is denied>
    <Nov 19, 2010 1:12:46 PM CET> <Error> <oracle.iam.accesspolicy.impl.handlers.provisioning> <IAM-4030308> <An error occurred in oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler while provisioning resource 161 to user 43 and the cause of error is DOBJ.INSERT_PERMISSION_DENIED: H: You do not have permission to insert this object..>
    <Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030081> <[CALLBACKMSG] Inside completion plugin for request 68.>
    <Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030082> <[CALLBACKMSG] Inside completion plugin for request 68, target tye is Role and operation is SELFASSIGNROLES.>
    <Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030082> <[CALLBACKMSG] Inside completion plugin for request 68, target tye is RoleUser and operation is CREATE.>
    Any suggestions?
    best
    mp

    Hi Rajiv,
    So, there is no way we can implement this?
    My requirement is same as this,
    OIM: Question about "Auto Save" option on Resource Object
    I have a Resource Object that needs to be provisioned at least two ways:
    1) thru an access policy by group membership
    2) thru user self-request, who is not already in that group membership
    The problem is that if I don't check the "Auto Save" check box, the automatic assignment thru the access policy is not completing, and if I do check the check box, then the user request is not letting the user enter values into the resource form. Instead it is directly going to submit the request. Looks like these are mutually exclusive.
    Is there a way to make both work on the same Resource Object?
    Thanks
    SK

  • Problem with Access policy Provisioning on AD

    Hi,
    I have created an access policy, which will trigger the provisioning the user to AD when the user is added to group 'abc'.
    It's without approval.
    We have object form and process form. Process form is autosave.
    But, the problem is, as soon as the user is added to the group 'abc'.
    It triggers the provisioning flow. But the provisioning will be in ready state only.
    When we go and save the resource form only the provisioning flow triggers.
    If we make the object as auto save, it will work. But in our case we cannot make the object autosave as it has a resource form to be filled by user in other flow.
    Is there any approach to solve the issue?
    Regards,
    SK

  • Issue with UAG/TMG communication to published SharePoint application is blocked by access policy settings

    We have a UAG/TMG server set up with SharePoint published. The UAG is also doing load balancing for the SharePoint farm. We have an MDM application that is trying to connect to our SharePoint but our SharePoint is routed through the UAG. The MDM application
    does not need to be published neither is there any component that can be accessed directly by end users. It is more of a proxy to relay content to mobile devices. It is using 443 and two other secondary ports.
    On the TMG logs, we can see requests hitting the TMG over port 443 from the MDM application server. We can also see that it is trying to be routed to our SharePoint but we get the following error in the TMG log:
    “Filter information: A request from source IP address xx.xx.xx.xx, user to trunk portal; Secure=1 for application SharePoint of type SharePoint15 failed. The endpoint device does not comply with access policy settings ([%PolicyId%]) for session [%SessionId]”
    The source IP is the internal IP of the host running the MDM application. In the UAG side, under the SharePoint publishing rule, for Access Policy Settings we have tried selecting the 'Always' option but that had no effect. It appears like there is a policy
    blocking communication to SharePoint. Does anyone have a suggestion on which policy or where the policy that is controlling this is located so that we can try to resolve this issue? Thanks.

    Looking at the UAG Web Monitor, it says that the access policy is 'Hybrid_Default_Session_Access' and the URL is /_vti_bin/Webs.asmx. 
    We can't find a 'Hybrid Default Session Access' policy. In the Endpoint Policy Settings tab, we tried using 'Always' for the Access Policy for the published SharePoint application but that did not make any difference. 

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have a very simple RADIUS Authorization rule which authorizes a user based on the right Identity Group.
    The requested Identity Group exists.
    The testing user is created in Internal Users and has the requested Identity Group assigned.
    Radius Access Policy: 
    Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
    Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
    When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I have tested:
    Remove testing user and create his account again.
    Rename Identity Group
    Use another Identity Group
    Remove Access Policy rule and create it again
    Use Compound Condition: System:Identity Group
    Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
    Do you have any idea where problem can be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.

  • [Forum FAQ] How to disable Microsoft account default sign-in behavior when accessing Microsoft website on Windows 8.1

    Scenario
    By default, if a user accesses a Microsoft website (www.live.com, www.bing.com, etc.) with a Microsoft account on Windows 8.1, it will sign in with the current Microsoft account. This article describes how to disable this default sign-in behavior if you want to use different Microsoft accounts every time.
    Method
    To disable this default sign-in behavior, we can deny the current Microsoft Account read permission on MicrosoftAccountTokenProvider.dll. Please follow these steps:
    Run Command Prompt with elevated permissions.
    Run the following command to take ownership of MicrosoftAccountTokenProvider.dll:
      takeown /f C:\Windows\SysWOW64\MicrosoftAccountTokenProvider.dll
    Run the following command to deny the read permission of the Microsoft account:
      icacls C:\Windows\SysWOW64\MicrosoftAccountTokenProvider.dll /deny [email protected]:r
    Note: Please replace the example account [email protected] with your current Microsoft Account.
    Change the owner of this file back to TrustedInstaller:
    Right-click MicrosoftAccountTokenProvider.dll under
    C:\Windows\SysWOW64\, choose Properties. Under
    Security tab, click Advanced.
    Click Change, in the box Enter the object name to select, type
    NT Service\TrustedInstaller.
    Click OK.
    Note: This operation would take some hours to work.
    Apply to:
    Windows 8.1

    Error: System cannot find the specified path
    I am getting this error.
    Parashuram Singade www.distinctnotion.com

  • Please log-in with an admin account to access adobe premiere elements

    I have bought Premier Elements but it will not start. Keeps asking me to: "please log-in with an admin account to access adobe premiere elements". Then it closes.
    ASUS laptop, 17" Processor: i7- 4700HQ @2.4 GHz
    RAM 8 GB,   Win 8.1 64
    My account is Admin, and have started the program "As administrator."
    Have reinstalled elements.
    The computer ran a trial of Adobe Premiere Pro CC perfectly. Have uninstalled it to see if it fixes the problem.
    Quicktime ver. 7.7.5  It is up to date.

    johnminkara
    What version of Premiere Elements are you using on your Windows 8.1 64 bit computer? For now I will assume Premiere Elements 12.
    If you are running the program from a User Account with Administrative Privileges, then please apply Run As Administrator
    a. by right clicking the desktop icon and clicking on Run As Administrator
    or
    b. by right clicking the desktop icon, selecting Properties, and then putting a check mark next to Run As Administrator found at the bottom of Compatibility Tab's
    "Privilege Level". You could also apply Run As Administrator to the Adobe Premiere Elements.exe file, but one or the other above should do the job.
    In the final analysis, you may probably end up with a Premiere Elements 12 uninstall via the usual Control Panel route, a free ccleaner run through (regular cleaner and registry cleaner parts), and a reinstall with antivirus and firewall(s) disabled. Did you use a "Clean Tool" for the removal of Adobe Premiere Pro CC?
    Use the CC Cleaner Tool to solve installation problems | CC, CS3-CS6
    We will be watching for your results.
    Thank you.
    ATR

  • Disable / Delete OIM Access Policy - OIM11g

    Hi Experts,
    Checking on these forums, I realized that it is not possible to delete an Access Policy due to DB constraints.
    I read somewhere that it is possible to disable them, but I don't understand how.
    Any ideas?

    Hi
    In order to disable the access policy, remove the role associated with it. Since at least one role is mandatory, create and provide some dummy role.
    Alternatively, you can delete the membership rule which is responsible for adding users to the group.
    Regards
    user12841694

  • When i login with microsoft account cannot access with administrative share c$

    I have a problem: when I log in to Windows 8.1 with a Microsoft account, I cannot access any network computer through the administrative shares c$ and d$,
    but when I log in with a local account I can.
    Some people told me to create a key in regedit to fix it.
    After entering the user name and password it shows this error.
    I applied your instructions and it is not fixed until now.
    Note:
    My machine is Windows 8.1. If another machine in the network is Windows 7 I can access the hidden share; if the machine in the network is Windows 8.1 it shows the message in image 2.
    But if I log in with a local user I can access the hidden shares of all machines in the network, Windows 7 and 8.1.

    Yes, the computer I want to access is named poland2-work and has two users:
    first: administrator
    second: poland 2

  • How do I change my iPad to access the iTunes store in a different country than the one I usually use and have my account with?

    I usually use the iTunes application on my iPad in France and use the French iTunes store. I am now in Cyprus and after synchronising my iPad there I can now access the US iTunes Store, but my purchases are refused as my account is with the French iTunes store. How do I either open an account with the US iTunes store or revert to the French iTunes store on my iPad?

    Synchronising is not the problem, I think; you need a new US Apple ID. I only have a Malaysian credit card, but I have separate IDs for the US, UK and Malaysia. I have travelled to these 3 countries and have home addresses in each country, but for buying stuff I use an iTunes store card instead of a credit card because it's easier. You do not need a credit card that has a billing address from the same country as the iTunes store. So I would suggest, if you are currently based in the US, go to the nearest Apple store, buy an iTunes store card (I buy in multiples of US$100 with a credit card) and use your current US home address as the US iTunes address.
    So log off your French iTunes store account, create a new US Apple ID for your iTunes store account using your current US address, then redeem your iTunes store card and voila, you are set to go. (Did I mention you will also need a new separate email address for the new Apple ID?) I have one each from Gmail, Yahoo and Hotmail for each separate ID.
    The only drawback is that when you want to update the apps that you bought from the different iTunes stores, you must log in to that iTunes store account, i.e. if you buy an app from the US store you must log in and update with the US store ID, and to update the apps from the French store you must log off from the US store and log in again with the French store ID.
    Hope this makes sense to you.
