Disable user in OIM

Hi *
When I disable a user, it should not disable the user's access to a particular resource in which he is already provisioned.
This req. looks pretty simple, but I could not find how to implement this functionality in Design Console.
Pls help me in this regard.
Thanks in advance.

@OIM Learner.
If I update AD User ---> Disable User to 'No Effect',
then while trying to disable the user from Admin Console it gives an error:
User Detail >> Resource Profile >> Ad User -> Disable
Thor.API.Exceptions.tcAPIException: Resource is not configured properly.
Class/Method: ResourceProfileProvisioningTasksAction/dispatchConfirmation encounter some problems: Cannot Disable
Later I reverted back to AD User ---> Disable User to 'Disable Process or Access To Application'
Admin Console:
User Detail >> Resource Profile >> Ad User -> Disable
It disables the user from AD.
Is there a way to stop the automatic trigger on OIM User disable? In our environment a user might need to have access to resources even after being disabled from OIM.
Thanks a lot.

Similar Messages

  • How to enable only one resource profile out of 3 while disabling user in OIM

    Hello,
    I have 3 resource profiles for AD user with 3 different IT resources.
    When I try to disable the user in OIM, it disables all the resource profiles attached to that user.
    I would like NOT to disable one of the AD User resource profiles out of 3.
    How can I do that?
    Thanks

    This is the same post as one made about a week ago.
    I would suggest the following:
    1. Create an adapter that has an input of the domain, or some other identifying attribute. In this adapter, use logic to return a response of either DISABLE or DO_NOTHING.
    2. Create a new Process Task called something like "Disable Resource Determiner". Attach your adapter you just made, and on your response codes, for DISABLE, trigger the disable task, and on DO_NOTHING, then do nothing... Set this adapter to be triggered on disable.
    3. On your previous disable task, remove the disable trigger.
    Now when your disable is triggered, you have logic to determine which target resource is being used, and then whether or not to disable the resource or do nothing.
    -Kevin
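
The decision logic from step 1 could look like the following. This is an added illustration, not code from the thread or from Oracle; the class name, the method, and the comma-separated exemption list are assumptions. An adapter task would call `determine` and map the returned string to the DISABLE and DO_NOTHING response codes; blank or unknown input returns DISABLE, so a misconfigured exemption never leaves an account active.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Hypothetical helper for the "Disable Resource Determiner" task.
 * Plain Java; the decision itself needs no OIM classes.
 */
public class DisableResourceDeterminer {

    public static final String DISABLE = "DISABLE";
    public static final String DO_NOTHING = "DO_NOTHING";

    /**
     * @param domain        identifying attribute of the resource instance
     *                      (for example the AD domain on the process form)
     * @param exemptDomains comma-separated domains that stay enabled when the
     *                      OIM user is disabled (assumed to come from a lookup
     *                      or an IT resource parameter)
     * @return DISABLE or DO_NOTHING, to be mapped to the task response codes
     */
    public static String determine(String domain, String exemptDomains) {
        // Fail closed: with no identifying attribute or no exemption list, disable.
        if (domain == null || domain.trim().isEmpty()
                || exemptDomains == null || exemptDomains.trim().isEmpty()) {
            return DISABLE;
        }
        Set<String> exempt = Arrays.stream(exemptDomains.split(","))
                .map(DisableResourceDeterminer::normalize)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
        // Exact match only: no wildcard or suffix matching, so a look-alike
        // domain cannot inherit an exemption.
        return exempt.contains(normalize(domain)) ? DO_NOTHING : DISABLE;
    }

    private static String normalize(String s) {
        return s.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String exempt = "alumni.example.com, Partners.Example.com";
        String[] samples = {"corp.example.com", "ALUMNI.example.com ", "", null};
        for (String d : samples) {
            System.out.println(d + " -> " + determine(d, exempt));
        }
    }
}
```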

  • Disabling Users in OIM

    Hi,
    Could someone tell me why this may be happening? I'm trying to set up disabling a user in OIM to disable the user in AD, but before I even get that far, I cannot seem to be able to disable a user in OIM.
    I open a user's profile click Disabled, page updates but nothing changed. No errors in the log. Clicking disable just doesn't work.
    What's even stranger is I found a user who was already disabled, and that guy I can enable/disable as much as I want.
    Where can I look to see what may be causing this?
    Also, I noticed in some other posts I read about OIM->AD disabling, and this is something that should work OOTB... I see the Disable User tasks, but I can't figure out what would trigger it.
    Alex

    Figured it out. There was a Pre-Update entity adapter that set the status based off a user defined field. I guess clicking the Disable button was triggering this entity adapter and overruling my Disable action.

  • Disabled users in OIM

    If a user is marked as disabled in OIM, can their entitlements, etc., be modified? The user lifecycle in the OIM documentation leads me to believe you can, but others have said you can't.

    You can use a query like this to get the usr_key and oiu_key:
    select usr.usr_key, oiu.oiu_key, usr.usr_login, obj.obj_name, ost.ost_status, orc.orc_tos_instance_key, oiu.orc_key
    from usr, oiu, obi, obj, ost, orc
    where oiu.usr_key=usr.usr_key
    and oiu.obi_key=obi.obi_key
    and obi.obj_key=obj.obj_key
    and oiu.ost_key=ost.ost_key
    and oiu.orc_key=orc.orc_key
    and usr.usr_login in ('<USER_LOGIN>')
    order by usr.usr_key, obj.obj_name
    Then take the usr.usr_key and oiu.oiu_key and comma separate them, and o
    public void revokeResource() {
        try {
            long userKey = ....;
            long oiuKey = .....;
            // Revoke the resource instance (oiuKey) from the user (userKey)
            userIntf.revokeObject(userKey, oiuKey);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }
    -Kevin

  • Disable User on updating an User attribute in OIM

    Hi,
    I have OIM 11g R2 with LDAP SYNC enabled with OID through OVD.
    I want to trigger Disable user on modifying a UDF attribute of the user.
    For example, if attribute1 of the user is set to true then the disable user operation should be triggered for the user.
    So first in my adapter I will check whether the attribute is true and then trigger disable user.
    In 11g R2, as mapping adapters attached to the Users form in Data Object Manager is not supported, I am not able to map to the user definition and hence not able to check if attribute1 is true or false.
    Please help and let me know if this can be achieved in any other way.
    Edited by: 988070 on Mar 20, 2013 3:55 AM

    You can write a post process event handler:
    It will update the user status to disable when the UDF attribute is set to true.
    For this, you need to set the condition as:
    Get the value of the user defined attribute and store it in a variable "flag".
    disable
    UserManagerResult disable(java.lang.String attributeName, java.lang.Object attributeValue) // attributeName will be the user defined field, value will be "true"
        throws ValidationFailedException,
               oracle.iam.platform.authz.exception.AccessDeniedException,
               UserDisableException,
               NoSuchUserException,
               SearchKeyNotUniqueException
    Disables the user account matching the search criteria.
    Parameters:
    attributeName - The attribute name for the search criteria.
    attributeValue - The attribute value for the search criteria.
    Returns:
    UserManagerResult containing the entity id of the disabled user.
    Cheers,
    Vamsi.

  • OIM-DBAT ...ERROR during Disabling user

    Hi,
    I am using the Database App Tables connector with OIM, wherein the user is being provisioned to a database table. When the user is disabled, the associated database resource does not get disabled, Disable User is rejected and it gives the following error:
    GCPROV.ProvTransportProvider.DBProvisioningTransport.DB_STATUS_FIELD_LOOKUP_ERROR" does not correspond to a known Response Code. Using "UNKNOWN
    The table has some attributes viz. Username, user id, fname, lname, Status(can be 0 or 1), email.
    The requirement is: when the user is terminated in OIM, the respective database resource should get disabled, that is, the status should be updated to 0.

    Hi Sunny,
    When I disable the OIM user, the Disable User process of the database account is invoked but it gets rejected, giving the above stated error, and the status field in the process form is not updated. In the GTC configuration, I have mentioned the table column name (ENABLED, which can take values 0 or 1) that will be acting as status, and also provided the Lookup code name that contains the status mappings as follows:
    Code       Decode
    Active     0
    Disabled   1

  • Disabling user only on OIM

    Hi OIM Experts,
    When we disable a user in OIM, the user would get disabled on the resources that the user is provisioned to. Is there a way in which we can disable the user only on OIM without the same getting propagated to the resources?
    Also, can a set of users be disabled through bulk load or any other means?
    Thanks in advance

    The disable event occurs because of the trigger on the process tasks identified with disable. You can remove the disable and it won't get propagated. However, you don't get to pick and choose when the event runs and when it doesn't; if you do need it some of the time, you would have to code for that.
    And yes, there is bulk disable:
    UserManagerResult disable(java.util.ArrayList userIDs, boolean isUserLogin) throws ValidationFailedException, oracle.iam.platform.authz.exception.AccessDeniedException, UserDisableException, NoSuchUserException
    Bulk disable operation. Disables accounts of all specified users.
    -Kevin

  • Getting users disabled/deleted with disabled resources in OIM

    Hi,
    Consider following use case related to OIM:
    To get the Users deleted or disabled on a particular date with their 'AD User' resources which are in disabled state.
    By means of built-in reports I can get the users disabled or deleted for a particular date.... how do I get the disabled AD User resource for each user....
    I can go for a scheduler task but how to proceed on that?

    the exact requirement here is to get the users/deleted a day before along with their 'AD User' resources which are disabled
    getObjectsByTypeStatus(long plUserKey, java.lang.String psObjectType, java.lang.String psStatus)
    Gets a list of all the objects of the specified type that have been provisioned for a user and are in the specified status.
    What I can make out here is that:
    I need to write some logic that would give users disabled/deleted say yesterday... after this I would loop these user keys into getObjectsByTypeStatus that would give resources disabled for each user.
    Am I correct?
    Now how do I get the users disabled/deleted yesterday? This is realised by the default Users Disabled/Users Deleted report.
    But how do I use it in my scheduler?
    Edited by: Chhavi Saluja on Jun 30, 2010 1:20 AM

  • OIM: Disable User and Move to New OU

    Hey guys,
    I'm trying to figure out how to add an additional event when I disable a user. I want to be able to do as the title says. When I disable a user through OIM, move them to a specific OU within Active Directory. Has anyone done this before?
    TIA,
    Matt

    There are a number of ways to trigger tasks based on an OIM USER disable event.
    Kiran's suggestion should work fine as long as you include logic that checks that the user actually has an AD resource object that can be moved.
    Another option is to use the "application effect disable" on the task (you find it on the general tab of the task) for triggering. In that case the task will only fire if the specific AD resource object is present in the resource profile of the user.
    One thing to look out for is that MS has implemented move in AD as a copy and delete. If the AD system owners don't want to give your service account delete rights you will not be able to implement moving functionality.
    I recommend making sure that the system owners tell you everything they want you to do to the AD account. It is very easy to miss a small but important detail. Also make sure that you know if you need to support re-enablement of the AD account.
    We actually built this specific functionality for a customer earlier this year.
    Best regards
    /M

  • AD Trusted Recon - Disabling user deletes him in OIM

    Hello,
    I'm having trouble changing a user state to 'Disabled' in OIM when I disable him in the Active Directory.
    Has anyone ever encountered this problem and know how to solve it?
    Thanks in advance

    The problem with disabled users in AD has been discussed numerous times over the years and there have been a number of different "solutions" to the problem.
    Our standard solution to this has been to have our own AD connector so that we could change the behavior to what the specific customer wanted.
    The 9.1 AD connectors have been delayed and are now ETA between "July and December 2008".
    Best regards
    -M

  • OIM 11g - Approval workflows for disabled user accounts

    Hi,
    We have a scenario wherein a user will be created in OIM with a future start date resulting in a Disabled Until Start Date user status. Once the user is created, we should let anyone submit a New Hire form for the user and the submitted form needs to be approved by the Manager. Once the Manager approves the form, the target accounts should get created with disabled status. These accounts should get enabled on the start date.
    As submission of New Hire Form is not a straightforward process, we came up with the following design.
    A dummy resource object corresponding to the New Hire Form will be created and can be requested for a newly hired person by anyone who has OIM access. An approval workflow will be configured for the New Hire Form Resource object and provisioning of target accounts will be based on Manager's approval for this resource object.
    However, the challenge that we see with this design is that it wasn't possible to place a request for the New Hire Form dummy resource object for a disabled user. But the requirement is to complete the New Hire Form submission process before the user becomes active.
    How can these workflows be invoked for a disabled user? Is there any other way to implement this requirement?
    Any kind of help/guidance is greatly appreciated.
    Thanks and Regards
    Deepa

    911709 wrote:
    > If I create a dummy resource, called "Group Membership" for example, and use this to show the groups that are available in AD, how can I have the request be routed to different approvers? For example, group cn=HR Users,cn=Users,dc=company,dc=com needs to be routed to HR for approval. Group cn=IT,cn=Users,dc=company,dc=com needs to be routed to IT for approval. How can I change the approvers dynamically?
    Re: Spawning multiple approval tasks in parallel in OIM11g SOA Composite
    You can have dynamic task assignment in BPEL, where you define a variable in the task assignment and update the variable with the approver group name before triggering the task assignment task. Check BPEL docs for same.
    > If every group needs a different approver, and there are 5000 groups, can I make 5000 resources and use the built-in routing of approvals? Or, use the dummy resource approach and handle the management of the approvals in some other way.
    Just make one resource with one field attached to it which takes in the group name and handle approval in SOA by reading a lookup which has AD group to Approval Group mapping.
    > Thank you.
    -Bikash
    Edited by: Bikash Bagaria on Feb 18, 2012 1:00 AM

  • Error while Enabling a user in OIM

    Hi,
    I have a requirement where I need to disable and enable OIM users based on a UDF. If the UDF says "Active" the user should be enabled and if it says "deleted" the user should be disabled. I'm able to "Disable" a user present in "Active" state but not vice versa. My entity adapter is as follows
    // Entity adapter method: sync the OIM user status with the UDF value.
    public void statusUpdate(String userKey, String Status) throws Exception {
        OIMConnectionManagerImpl oimConn = new OIMConnectionManagerImpl();
        tcUserOperationsIntf tcUser = oimConn.getUserAPI();
        tcResultSet tcres = null;
        HashMap map = new HashMap();
        map.put("Users.Key", userKey);
        tcres = tcUser.findUsers(map);
        tcres.goToRow(0); // position on the first row before reading values
        String s1 = tcres.getStringValue("Users.Status");
        // UDF says Active: enable the user if currently disabled
        if (Status.equalsIgnoreCase("Active")) {
            if (s1.equalsIgnoreCase("Disabled")) {
                tcUser.enableUser(Long.parseLong(userKey));
            }
        }
        // UDF says Deleted: disable the user if currently active
        if (Status.equalsIgnoreCase("Deleted")) {
            if (s1.equalsIgnoreCase("Active")) {
                tcUser.disableUser(Long.parseLong(userKey));
            }
        }
    }
    My error is as follows
    [com.oim.util.OIMConnectionManagerImpl] Unable to create factory instance
    java.lang.NullPointerException
    Edited by: user10665408 on Jul 1, 2009 3:14 PM

    I have done some changes now:
    Try this.
    If some import is missing or some spelling mistakes are there just correct those. It's just for reference.
    Put import for map also.
    package com.Tst.oim;

    import Thor.API.Operations.tcUserOperationsIntf;
    import Thor.API.tcResultSet;
    import Thor.API.tcUtilityFactory;
    import com.thortech.xl.crypto.tcCryptoUtil;
    import com.thortech.xl.crypto.tcSignatureMessage;
    import com.thortech.xl.util.config.ConfigurationClient;
    import java.util.HashMap;
    import java.util.Hashtable;
    import java.util.Map;

    public class CreateFile {
        tcUtilityFactory utilFactory = null;
        tcSignatureMessage moSignature = null;
        tcUserOperationsIntf moUserUtility = null;
        tcResultSet userResultSet = null;
        // Connection settings read from the client configuration
        ConfigurationClient.ComplexSetting myConfig =
            ConfigurationClient.getComplexSettingByPath("Discovery.CoreServer");
        final Hashtable env = myConfig.getAllSettings();

        public void Enable(String userid) {
            try {
                System.out.println("TRY");
                // Sign in and obtain the user operations utility
                moSignature = tcCryptoUtil.sign("xelsysadm", "PrivateKey");
                utilFactory = new tcUtilityFactory(env, moSignature);
                moUserUtility = (tcUserOperationsIntf) utilFactory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
                // Look up the user key by login, then enable the user
                Map a = new HashMap();
                a.put("Users.User ID", userid);
                tcResultSet userset = moUserUtility.findAllUsers(a);
                userset.goToRow(0); // position on the first row before reading values
                long ukey = userset.getLongValue("Users.Key");
                moUserUtility.enableUser(ukey);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    Edited by: Dost

  • Enabling a User through OIM API

    Hi, I am trying to enable a user through the OIM API. However, the end date has already passed for that user, so I am setting up a new end date through the program (shown below). However, the update user is not working (I am not sure).
    Map usermap = new HashMap();
    usermap.put("Users.User ID", User_id );
    Map grpmap = new HashMap();
    grpmap.put("Groups.Group Name", Group_Name);
    tcResultSet ts = userClient.findUsers(usermap); //find all users
    String existing_end_date = ts.getStringValue("Users.End Date");
    tcResultSet tg = groupClient.findGroups(grpmap); //find required group
    long ukey = ts.getLongValue("Users.Key");
    long gkey = tg.getLongValue("Groups.Key"); //find group key
    // ENABLE THE USER
    java.util.Date new_end_date = new java.util.Date(111,1,1);
    Calendar cal = Calendar.getInstance();
    cal.setTime(new_end_date);
    DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd hh:mm:ss");
    String Str1 = dateFormat.format(cal.getTime());
    String Str2 = existing_end_date + " 12:00:00";
    System.out.println(User_id+" OLD End Date:" + Str2 + " New End Date: " + Str1);
    Map usermap2 = new HashMap();
    usermap2.put("Users.User ID", User_id );
    usermap2.put("Users.End Date", Str1);
    userClient.updateUser(ts,usermap2);
    userClient.enableUser(ukey);
    I am getting the following error:
    U0000018 OLD End Date:2009-09-30 12:00:00 New End Date: 2011-02-01 12:00:00
    2/12/2010 15:02:53 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
    WARNING: Exception returned by remote server: {0}
    Thor.API.Exceptions.tcAPIException: The user cannot be enabled because the end date is passed.
    Not sure why it is happening. It looks like the Updateuser is not working, or something else?
    Please advise. Thanks in advance.

    Hi Suren,
    thanks for the note.
    I found that as soon as I enable the user, I am getting the following messages in the opmn logs:
    INFO,06 Dec 2010 10:55:41,841,[XELLERATE.JAVACLIENT],System Event Handler: Validating Organization for an User.
    INFO,06 Dec 2010 10:55:41,944,[XELLERATE.JAVACLIENT],System Event Handler: Triggering Processes related to User.
    INFO,06 Dec 2010 10:55:42,402,[XELLERATE.JAVACLIENT],System Event Handler: Enabling the User
    INFO,06 Dec 2010 10:55:42,421,[XELLERATE.JAVACLIENT],System Event Handler: Validating Organization for an User.
    INFO,06 Dec 2010 10:55:42,427,[XELLERATE.JAVACLIENT],System Event Handler: Triggering Processes related to User.
    INFO,06 Dec 2010 10:55:42,439,[XELLERATE.JAVACLIENT],System Event Handler: Changing application data based on Organization change.
    INFO,06 Dec 2010 10:55:42,442,[XELLERATE.JAVACLIENT],System Event Handler: Auto-Group Membership Event.
    INFO,06 Dec 2010 10:55:43,715,[XELLERATE.JAVACLIENT],System Event Handler: Evaluating User Policies
    So, the access policies are getting evaluated, triggering provisioning processes.
    What I am planning to do is, to disable the access policies and try to run the Program.
    Because of this issue, my Program is throwing an error (until I looked into the opmn logs, it doesn't make sense).
    6/12/2010 10:55:50 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
    WARNING: Exception returned by remote server: {0}
    Thor.API.Exceptions.tcAPIException: Error occurred enabling Xellerate User instance.
    Regards
    Vijay Chinnasamy

  • Need to know the SQL query to find the disabled date from OIM 9.1.0.1

    Hi Experts,
    Need very urgent inputs from you all for the preparation of our audit.
    We are using OIM9.1.0.1
    We need to know the sqlquery for finding the Disabled date in OIM given the user ids, as currently we are unable to get the exact data from Historical Reports Option in OIM.
    I need to give in this format:
    select usr_login, usr_disabled from schemaname.tablename where usr_login in
    ('aaa','bbb'..... etc)
    We have three attributes :USR_DISABLED_BY_PARENT,USR_DISABLED,USR_DEPROVISIONING_DATE,but none of them give the exact date,
    USR_DISABLED gives just a flag as 1 or 0.
    Also there are no other fields in the corresponding usr table.
    So how to fetch the exact Disabled date from OIM system when I input the user ids.
    Your immediate response is appreciated.
    Thanks
    SS

    In the entire thread many experts have given nice queries in different formats...
    The best approach would be to open up the SQL Developer, connect with the OIM Database and experiment with all sorts of SQL queries provided by all the experts..
    Learn some SQL techniques, like Inner Join etc...
    Then you yourself will be able to figure out what you need, in exactly which format, for which users and for whom you have to restrict
    Then not only this question, you would be able to solve dozens of similar such issues yourself...
    And trust me, nothing can match that...
    Just in case, you are not familiar with SQL Developer,
    http://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/index.html
    Oracle SQL Developer 3.2.1 (3.2.10.09.57)
    September 24, 2012
    The Disabled DATE will be the creation date of that entry in the UPA_FIELDS table when Users.Status changed to Disabled.
    SELECT USR.USR_LOGIN, UPA_FIELDS.CREATE_DATE
    FROM UPA_FIELDS, USR
    WHERE UPA_FIELDS.FIELD_NAME='Users.Status'
    AND UPA_FIELDS.FIELD_NEW_VALUE='Disabled'
    AND UPA_FIELDS.UPA_USR_KEY=USR.USR_KEY
    AND USR.USR_LOGIN NOT IN ('XELSYSADM', 'XELOPERATOR', 'WEBLOGIC');

  • How to do Archiving of deleted & disabled users in OIM11g

    Hi All,
    As per the requirement we have to archive deleted & disabled users in OIM11g (11.1.1.2) after 75 days. Can I know how I can achieve this?
    Regards,
    user7609

    Just to recap:
    Your client requirement is to archive users out of OIM after 75 days. This means in addition to actually disabling and/or deleting them, fully removing any traces of them from the system.
    As Kevin & GP said, OIM is just not built to do this. API alone is not going to accomplish this task... you'll also need to include SQL to actually drop data out of tables.
    All that being said, your post said the reason for this was because of a "license for limited users". Oracle Identity Manager is licensed on an active user basis. You really should talk with your Oracle rep to confirm, but I've never had licensing contracts include deleted/disabled users.
