Disable resource account via Workflow
Hello I created a transition in the Update User workflow to disable a resource account if a field is indicated in the admin tabbed user form.
This activity works but all resource accounts (email, AD) are being disabled. Only email needs to be disabled. How do I get the 'services' value to take effect?
<Activity id='9' name='DisableAccountAccess'>
<Action id='0' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='disableUser'/>
<Argument name='accountId' value='$(user.waveset.accountId)'/>
<Argument name='doWaveset' value='false'/>
<Argument name='services'>
<list>
<s>emailResource</s>
</list>
</Argument>
</Action>
<Transition to='Notify'/>
</Activity>also tried below code but have been unable to get it to work.
<Activity id='9' name='DisableAccountAccess'>
<Action id='0' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='checkoutView'/>
<Argument name='type' value='disable'/>
<Argument name='id' value='$(user.waveset.accountId)'/>
<Argument name='authorized' value='true'/>
<Return from='WF_ACTION_ERROR' to='error'/>
<Return from='view' to='disableAccView'/>
</Action>
<Action id='1'>
<expression>
<block>
<set name='disableAccView.resourceAccounts.currentResourceAccounts[emailResource].disabled'>
<Boolean>true</Boolean>
</set>
<set name='disableAccView.accounts[emailResource].disabled'>
<Boolean>true</Boolean>
</set>
</block>
</expression>
</Action>
<Action id='2' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='checkinView'/>
<Argument name='view' value='$(disableAccView)'/>
<Argument name='authorized' value='true'/>
</Action>
<Transition to='Notify'/>
</Activity>I would prefer to use the first method. Thank you in advance for your help
After having a chance to actually look at the documentation I figured I'd add one more thing for those who happen to stumble across this in a search later. You are, of course, right. The services argument is what you need for disable user.
For others reading this I should correct my previous posting. The "TargetResources" setting tends to be more of a form property rather than a workflow argument although it can be used with the checkoutView and checkinView workflow services. It is recommended by Sun, in the performance tuning guide, to keep views as small as necessary in order to speed things up.
Similar Messages
-
Disabling a resource account through workflow
Hi All,
How to disable a resource account through a workflow?Something like this in your workflow
<Field name='waveset.disabled'>
<Expansion>
<s>true</s>
</Expansion>
</Field>
<FieldLoop for='name' in='waveset.accounts[*].name'>
<Field name='accounts[$(name)].disable'>
<Expansion>
<s>true</s>
</Expansion>
</Field>
<Field name='TraceExecution'>
<Expansion>
<block trace='true'>
<invoke name='println'>
<ref>java.System.out</ref>
<concat>
<s>ActSyncUserForm Processing Disable For: </s>
<ref>name</ref>
</concat>
</invoke>
</block>
</Expansion>
</Field>
<Field name='update.accounts[$(name)].disable'>
<Expansion>
<s>true</s>
</Expansion>
</Field>
</Field> -
Issue Setting Resource Attributes via Workflow Process
I'm currently trying to set resource attributes via a workflow process, but for whatever reason the attribute is not detected as "changed" and the update object has nothing about the attribute. I'm wondering if I'm just doing something wrong with the way I'm setting it, or if I'm missing a piece to apply the upate.
What I'm doing is...
1. Checking out the user view
2. updating the attribute via code something like this...
<set name='user.accounts[ldap].attributeIWantToChange'>
Logic in here
</set>
3. then I'm checking the view back in.
Anyone know why this isn't working(I can set other attributes like waveset.roles fine this way)?
Edited by: UNO-AD-HM on Jul 6, 2009 12:54 PMFigured it out, have to load a different form in when I check the view out, the tabbed user's form will not update resource attributes.
-
Disabling Resource Governor via trace flag 8040 is failing
Hi,
I am attempting to disable resource governor completely via trace flag 8040 (specified at startup in windows server) for SQL Server 2012 is faling. DBCC TraceStatus (8040) does show status as "1" and Global as "1" which means it
took the flag, but apparently I'm still able to "enable" resoure governor - which should have failed (at least according to Microsoft SQL Server 2012 Internals book by Kim Delaney).
I was wondering if anyone else has faced the similar issue, and knows the workaround then please share it on this forum.
Thanks,
VijayI am experiencing this issue.
You cannot disable the resource governor, this is a serious terminological fail from the developers. It is always enabled, and the default values which it uses are challenged. In my case they effectively limit the number of concurrent jobs to 4.
My counter intuitive partial solution is this.
Enable the resource governor
Modify the default resource pool to "High Importance" and with "memory grant" = 100 (this is in the SSMS interface). Leave the other exposed values at zero (unlimited)
Increase the maximum queued IO per volume to the maximum value of 100 (pretty low value, but there you have it). http://msdn.microsoft.com/en-us/library/bb934013%28v=sql.120%29.aspx
Doing this enabled me to have up to 12 serious threads of execution concurrently in operation, before jobs stall with memory allocation grant wait. So far so good, but ...
The target and actual CPU usage shown in perfmon SQLServerResourceStats is still pegged around 75%. CPU monitor shows 85% for SQLServer though (go figure). In my real live case, the processes are CPU bound, so I expect to get all the CPU available.
However, the next attempt to do anything at all on the instance will wait for some indeterminate amount of time before the grant memory allocation occurs. There is no LOCK shown in the LOCK statistics that I have found and sp_who2 simply reports the active
verb (INSERT etc) with no indication that the SPID is doing nothing.
This will let you know that the governor is stalling requests. You have to figure out which ones and when.
select pool_id, name, active_memgrant_count,memgrant_waiter_count,* from sys.dm_resource_governor_resource_pool
All in all a sub-optimal solution. It is better than the default, which is fatally crippled, but still a completely inappropriate result -
Linking Multiple Resource Accounts via Active Sync
Ok guys/gals the scenario is... We have one idm account linked to accounts on one resource, and we want to be able to link them up via Active Sync...We don't care about the attributes, just want to make sure that if a another account for a user is created outside of IDM we can grab it and link it. So far, I've seen that the active sync process will see the new account, correlate it to a user, but it will not link the user...And outside of doing a custom Process Rule workflow, I'm not seeing any other way to get the accounts to link via active sync. Is what we are trying to do a reconciliation thing only? Have I missed something?
Yes. You can add a field to your ActiveSync form to do this: Here is an example with AD:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Configuration name="Sample ActiveDirectory ActiveSync Form" wstype="UserForm">
<Extension>
<Form name="Sample ActiveDirectory ActiveSync Form">
<Field name="processType">
<Default>
<s>NONE</s>
</Default>
</Field>
<Field name="dispatcher">
<Expansion>
<cond>
<eq>
<upcase>
<ref>feedOp</ref>
</upcase>
<s>UPDATE</s>
</eq>
<block>
<set name="update.selectAll">
<s>false</s>
</set>
<dolist name="resObj">
<ref>waveset.accounts</ref>
<block>
<set name="resName">
<get>
<split>
<ref>resObj</ref>
<s>:</s>
</split>
<i>1</i>
</get>
</set>
<set>
<concat>
<s>update.accounts[</s>
<ref>resName</ref>
<s>].selected</s>
</concat>
<s>false</s>
</set>
<cond>
<match>
<ref>resName</ref>
<ref>activeSync.resourceName</ref>
</match>
<cond>
<eq>
<ref>
<concat>
<s>waveset.accounts[</s>
<ref>resName</ref>
<s>].accountGUID</s>
</concat>
</ref>
<ref>activeSync.objectGUID</ref>
</eq>
<set name="resourceName">
<ref>resName</ref>
</set>
</cond>
</cond>
</block>
</dolist>
<cond>
<isnull>
<ref>resourceName</ref>
</isnull>
<set name="processType">
<s>LINK</s>
</set>
<set name="processType">
<s>UPDATE</s>
</set>
</cond>
</block>
</cond>
</Expansion>
</Field>
<Field name="IAPI.cancel">
<Expansion>
<s>true</s>
</Expansion>
<Disable>
<eq>
<ref>processType</ref>
<s>LINK</s>
</eq>
</Disable>
</Field>
<Field name="doLinking">
<Expansion>
<block>
<append name="waveset.resources">
<ref>activeSync.resourceName</ref>
</append>
<set>
<concat>
<s>waveset.accounts[</s>
<ref>activeSync.resourceName</ref>
<s>].accountId</s>
</concat>
<ref>activeSync.identity</ref>
</set>
<set>
<concat>
<s>waveset.accounts[</s>
<ref>activeSync.resourceName</ref>
<s>].sAMAccountName</s>
</concat>
<ref>
<s>activeSync.sAMAccountName</s>
</ref>
</set>
<set>
<concat>
<s>waveset.accounts[</s>
<ref>activeSync.resourceName</ref>
<s>].accountGUID</s>
</concat>
<ref>activeSync.objectGUID</ref>
</set>
</block>
</Expansion>
<Disable>
<neq>
<ref>processType</ref>
<s>LINK</s>
</neq>
</Disable>
</Field>
</Form>
</Extension>
<MemberObjectGroups>
<ObjectRef type="ObjectGroup" id="#ID#Top" name="Top"/>
</MemberObjectGroups>
</Configuration> -
I'm trying to use disableAppsForUser found in tcUserOperationsIntf:
The method requires 2 parameters:
plUserKey - The key of the user.
plObjectInstanceForUserKey - The key of the object instance for a user in the system.
what is the plObjectInstanceForUserKey? Is this is the Process Definition > Process Instance? I tried passing that but it's giving me the error:
Class/Method: tcUserOperationsBean/disableAppForUser encounter some problems: Object instance for user with key '242' does not exist.Here is an old post i made. Re: Disable/Enable in place of Revoke/Provision while lifecycle of user
>
You will want to make sure the value you are getting is OIU_KEY for the object instance key. For each value, you can use the following API :
userIntf.disableAppForUser(userKey, objectInstanceKey);
Rather than trying to do the multiple apps, just do a single instance, and try that.
You could also put the following query to use. Generate your list of objects you want to disable. This will give you all the oiu_keys and you can loop through it:
select oiu.usr_key, oiu.oiu_key
from obj, oiu, ost, obi, usr
where oiu.obi_key = obi.obi_key
and obi.obj_key = obj.obj_key
and oiu.ost_key = ost.ost_key
and oiu.usr_key = usr.usr_key
and obj.obj_name in ('<Resource 1>', '<Resource Two>', '<Resource ...>')
and ost.ost_status in ('Provisioned', 'Enabled');
>
-Kevin -
OIM10g - Resource account last disabled datetime?
Hi All,
Please help me to find the exact disabled datetime through SQL query for any resource accounts. I've a requirement to revoke these accounts after configured number of days (30days) to current date through a custom scheduler.
Thanks,
VR
Edited by: 907571 on Feb 10, 2013 11:06 PMThru backend update its possible:
UPDATE [pub].[MSP_RESOURCES]
SET
RES_TYPE
= 101
WHERE
RES_NAME
= 'Resource Name'
Hope this will help you
Raushan Kumar |LinkedIn -
Automatic Deprovisioning of AD resource Accounts from CSV file attribute
My scenario is somewhat like this,
I have a CSV flatfile Active Sync which contains the following columns:
accountId,firstname,lastname,department,location,region
ausmani,Arsalan,Bhagwan,Uphone,Milpitas,US
aahmed,Aftab,Singh,Telenor,Cairo,EMEA
hkhan,Hello,Khan,Lahore,Dublin,EMEA
I have created a role and has assigned AD resource to it. I have hardcoded this role in the waveset.roles field name in my creation form.
When I start FlatFileActiveSync, these above mentioned 3 accounts are created in IDM and they are also assigned AD role, and hence they are automatically provisioned to AD as, due to the fact that I am assigning resource on role base.
I am using Update User workflow in my poll-workflow configuration in my Flatfile synchronization policy.
Currently I am able to automatically provision a account from CSV file towards IDM and towards AD. All this process is automatic.
My problem is that how can I automatically disable and deprovision accounts via a CSV. What I should include in CSV that IDM will know that this account has to be disable and deprovision from resource??? Moreover, which workflow I have to use?
Thanks,
Farhan.Even I am struck at the same place. Please let me know if you find out.
Thanks you in advance
Prabhu -
Prevent Resource Accounts been Deleted from a Particular Resource
Hi Everybody,
We have a situation where we want to prevent resource accounts been deleted from a particular resource when the user is deleted from IAM. All other accounts to other resources can be deleted as normal.
We are currently using version 5. Has anyone got any ideas on how to do this?
I tried modifying the target list in the Delete Users workflow but had no success so far.
Thanking you in advanced.In rev.6 we did that simply by disabling Delete action on the resource definition.
-
Disabled GL account but still allows postings
I have disabled Oracle financials account segment values with immediate effect. However, users have reported balances being posted to these accounts via an automatic upload. How can I stop this?
Presumably the account combinations are still enabled but what is the process for disabling accounts that are not in use?
IS there a checklist that I need to follow?
e.g disable all combinations using that account
then disable the account?
Please help
Thanks
JS
Edited by: 966017 on 17-Oct-2012 09:44Once you have disabled flex values, you can run the "Program - Inherit Segment Value Attributes". This program will propogate the changes that you have made to the segment to all account combinations that contain that segment value.
-
How to find out if a user has no more resource accounts?
I want to check to see if a user has no more resource accounts tied to it. The only resource account left is Lighthouse and nothing else.
Do you know how I do this?
ThanksI was able to find disabled users using the below code. Does anyone know how I can find users who have only Lighthouse account and nothing else? I want to add this to the search criteria.
<Action id='0' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='queryObjectNames'/>
<Argument name='type' value='User'/>
<Argument name='single' value='false'/>
<Argument name='attributes'>
<map>
<s>lhdis</s>
<s>true</s>
</map>
</Argument>
</Action> -
OIM 11g r2 disabling multiple account provisioning
Hello all,
I have a question, in oim 10g and 11g, on resource object there was a "allow multiple" checkbox.
So you could configure your resource if you want to prevent it from multiple provisioning.
But in 11gr2 I cannot see that checkbox.
How can i configure my resource as it is going to disable multiple account provisioning?Is there anyone who can help?
-
I have a problem with disable my account in apple store
hi i got a problem with disable my account apple store... so what should i do?
You might be able to re-enable it via this page : http://appleid.apple.com, then 'reset your password'
You might then need to log out of your account on your phone by tapping on your id in Settings > iTunes & App Store and then log back in so as to 'refresh' the account on it.
If that doesn't fix it then you might need to contact iTunes Support : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page -
Changing a Parked Document via workflow
Hi again
Before we did the upgrade from 4.7 to ECC6.0, on 4.7 approvers were able to make changes to parked documents via their inbox i.e. they would be able to go to change wrong data or add missing account assignments. However after the ECC6.0 upgrade when approvers access documents via their inbox they can only display the documents with only the option to release or reject and without the option to change.
Could this be a result of changes between 4.7 and ECC6.0 and if so what can we do to allow for approvers to be able to change parked documents via their inbox.I found SAP Note 670910 explaining that this was actually a program error which allowed approvers to changed parked documents via workflow.
-
Turn "Delete Resource Account" for Active Directory into rename/move/unlink
My Windows sysad would like me to stop deleting Active Directory users; he's tired of cleaning up from dangling SIDs, and I don't particularly blame him. Instead, he would like the process of "deleting" an AD account to be more like:
1. disable
2. rename from cn=user to cn=user_999, where 999 is replaced with an incrementing number (jsmith_001, jsmith_002, etc.). (Or maybe he;d be Ok with jsmith_yyyymmddhhmmss...)
3. move (probably in the same "rename" above) from ou=Employees to ou=4Delete.
4. unlink account from user.
We are assigning AD accounts through roles, and so the Delete Resource User (or Delete Resource Person?) task is invoked. Does anyone have a customized version of this task that differentiates between resource account types and handles the "disable/rename/move/unlink" AD account paradigm my sysad would like? -LesHi,
did you ever resolve this? If so, how did you work it out as we would like to do the same.
Thanks.
Maybe you are looking for
-
PC Suite 7 - Messages Transfer problem
When I transfer messages from my phone to my computer the messages automatically change their time/date to the time I transferred the messages to the computer. This means I'll be losing all the times/dates of when the messages were Actually sent/reci
-
ITunes and iPhone playlists don't match...
So I have all the new updates for the 3GS and my iTunes. I noticed now after i download music and they show up in my recently added playlist, after syncing they don't show up the same way on my phone. This is annoying since it's a quick reference for
-
I know there are differece way of catogorizing the file structure in finder, but I use the colum view mostly. Now I want the files seperated from the folder, this works when you use "kind" but it just never gets in alpabetically order. when I do by n
-
My 2011 MacBook Pro seems to be running a lot slower.
My 2011 MacBook Pro seems to be running a lot slower then when i first bought it with OS X Lion and now it is running OS X Mountain Lion? So I had the express lane call me to try to go back to OS X Lion to see of that was the problem but the guy said
-
Convert presentation slides into Masters?
I've opened a PowerPoint presentation in Keynote. I now want to save all slides as Masters and re-save as a Theme – how do i do this? I've tried copying and pasting from one slide onto a Master slide but it doesn't paste, drag & drop also doesn't wor