Disable User in Postprocess Handler?

Similar Messages

• OAM11g Authentication - Disabled User

  Hi,
  In OAM 11g, i am able to successfully authenticate using disabled user account. How to prevent this in OAM11g.
  I have configured OAM to authenticate against Active Directory. The user account is disabled in Active Directory. Even then if the protected application is given the disabled account credentials, OAM is allowing him the access.
  How to disabled that?
  Thanks in Advance,
  Sandeep D.

  Hi Nishith,
  You mean to say, we need to capture the disabled user account and handle in the Custom Authentication Module using the Error Codes? As per the link provided by you, they are handling using BaseUserSession class.
  What is the attribute in case of Active Directory.
  If so, can you throw some light on the BaseUserSession class. And some samples on the same.
  Thanks,
  Sandeep D.

• Disable User on updating an User attribute in OIM

  Hi,
  I have OIM 11g R2 with LDAP SYNC enabled with OID through OVD.
  I want to trigger Disable user on modifying an UDF attribute of user.
  Like if attribute1 of user is set to true then disabke user operation should be triggered for the user.
  So first in my adapter i will check whether attribute is true and then trigger disable user.
  In 11g R2 as mapping adapters attached to Users form in dataobject manager is not supported i am not able to map to the userdefinition and hence not able to check if attribute1 is true or false.
  Please help and let me know if this can be achieved in any other way.
  Edited by: 988070 on Mar 20, 2013 3:55 AM

  You can write a post process event handler:
  It will update the user status to disable when UDF attrtibute is set to true.
  For this, you need to set the condition as:
  Get the value of user defined attribute and store it in a variable "flag".
  disable UserManagerResult disable(java.lang.String attributeName, java.lang.Object attributeValue) //attributeName will be user defined fieldm value will be "true"
  throws ValidationFailedException,
  oracle.iam.platform.authz.exception.AccessDeniedException,
  UserDisableException,
  NoSuchUserException,
  SearchKeyNotUniqueException
  Disables the user account matching the search criteria.
  Parameters:
  attributeName - - The attribute name for the search criteria.
  attributeValue - - The attribute value for the search criteria.
  Returns:
  UserManagerResult containing the entity id of the disabled user.
  Cheers,
  Vamsi.

• Disabling user through API call -process task-followed by an Enable User...

  Hi,
  I am running on OIM 9.1 BP11. I implemented a process task to disable the user based on a URS form field change.
  I can confirm from the log file and the resource that the Disable user (xellerate user) happened. But the user got enabled back right away. The log file showed that a scheduled task named "Enable User After Start Date" ran and enable the user. So, I disabled that scheduled task.
  Then I repeated the test again. I observed the same behavior of user being disabled and enabled again but this time, OIM called an adapter. This is what I observed in the log file:
  20988 INFO,20 Oct 2010 12:21:56,519,[XELLERATE.DATABASE],DB read: select evt.ev t_key, evt.evt_name, evt.evt_package, mil.mil_name from mil mil, evt evt w here evt.evt_key = mil.evt_key and mil.mil_key=10
  20989 DEBUG,20 Oct 2010 12:21:56,519,[XELLERATE.DATABASE],select evt.evt_key, ev t.evt_name, evt.evt_package, mil.mil_name from mil mil, evt evt where evt. evt_key = mil.evt_key and mil.mil_key=10
  20990 INFO,20 Oct 2010 12:21:56,519,[XELLERATE.PERFORMANCE],Query: DB: 0, LOAD: 0, TOTAL: 0
  20991 DEBUG,20 Oct 2010 12:21:56,519,[XELLERATE.SERVER],Class/Method: tcBusiness Obj/getSqlOperationFromMembers entered.
  20992 DEBUG,20 Oct 2010 12:21:56,519,[XELLERATE.SERVER],Class/Method: tcBusiness Obj/getSqlOperationFromMembers left.
  20993 DEBUG,20 Oct 2010 12:21:56,519,[XELLERATE.ADAPTERS],Class/Method: tcADPCla ssLoader/getClassLoader entered.
  20994 DEBUG,20 Oct 2010 12:21:56,519,[XELLERATE.ADAPTERS],Class/Method: tcADPCla ssLoader/getClassLoader left.
  20995 DEBUG,20 Oct 2010 12:21:56,520,[XELLERATE.ADAPTERS],Class/Method: tcADPCla ssLoader/findClass entered.
  20996 INFO,20 Oct 2010 12:21:56,530,[XELLERATE.ADAPTERS],Adapter: Enabling the User was initiated for the task: Enable User.
  20997 INFO,20 Oct 2010 12:21:56,531,[XELLERATE.JAVACLIENT],System Event Handler : Enabling the User
  I did exactly the same disabling user process at another client and it worked fine. I don't understand what causes OIM to call this system Event handler to re-enable the user.
  Please help.
  Thanks
  Khanh

  Do you have any Entity Adapter or Event Handler or Trigger which enables user for some condition ?
  Check your environment. If you have please remove that and try.
  Does this user has and provisioned resource ? If yes, try for some other user which doesn't have resource provisioned.

• OIM 11g - Approval workflows for disabled user accounts

  Hi,
  We have a scenario wherein a user will be created in OIM with a future start date resulting in a Disabled Untill Start Date user status. Once the user is created, we should let anyone submit a New Hire form for the user and the submitted form needs to be approved by the Manager. Once the Manager approves the form, the target accounts should get created with disabled status. These accounts should get enabled on the start date.
  As submission of New Hire Form is not a straightforward process, we came up with the following design.
  A dummy resource object corresponding to the New Hire Form will be created and can be requested for a newly hired person by anyone who has OIM access. An approval workflow will be configured for the New Hire Form Resource object and provisioning of target accounts will be based on Manager's approval for this resource object.
  However the challenge that we see with this design is, it wasn't possible to place a request for New Hire Form dummy resource object for a disabled user. But the requirement is to complete the New Hire Form submission process befor the user becomes active.
  How can these workflows be invoked for a disbaled user? Is there any other way to implement this requirement?
  Any kind of help/guidance is greatly appreciated.
  Thanks and Regards
  Deepa

  911709 wrote:
  If I create a dummy resource, called "Group Membership" for example, and use this to show the groups that are available in AD, how can I have the request be routed to different approvers? For example, group cn=HR Users,cn=Users,dc=company,dc=com needs to be routed to HR for approval. Group cn=IT,cn=Users,dc=company,dc=com needs to be routed to IT for approval. How can I change the approvers dynamically?
  Re: Spawning multiple approval tasks in parallel in OIM11g SOA Composite
  You can have dynamic task assignment in BPEL; where you defne a variable in the task assignment and update the variable with the approver group name before triggering the task assignment task. Check BPEL docs for same.
  If every group needs a different approver, and there are 5000 groups, can I make 5000 resources and use the built-in routing of approvals? Or, use the dummy resource approach and handle the management of the approvals in some other way.Just make one resource with one field attached to it which takes in the group name and handle approval in SOA by reading a lookup which has AD group to Approval Group mapping.
  >
  Thank you.-Bikash
  Edited by: Bikash Bagaria on Feb 18, 2012 1:00 AM

• Getting error "1013009 Administrator Has Temporarily Disabled User Commands

  Hi All,
  I am getting the error"1013009 Administrator Has Temporarily Disabled User Commands" while executing a report script in Essbase 11.1.1.3
  Appreciate any help..
  Thanks
  Mahesh

  Mahesh wrote:
  Hi All,
  I am getting the error"1013009 Administrator Has Temporarily Disabled User Commands" while executing a report script in Essbase 11.1.1.3
  Appreciate any help..
  Thanks
  Mahesh
  Possible Cause
  When a database is being restructured or any application/database on the server is being copied, you can get this message.
  or
  When a cube is being restructured, commands are restricted because the integrity of the cube has to be stable and no one is allowed to access it.
  or
  Copying an application requires that the Essbase security file be in read/write mode and therefore other applications are not accessible until the process is completed.
  Possible Solution
  In Application Settings, verify that the Allow Commands or Allow Updates options are not selected.
  If not selected select those..and try
  Regards,
  Prabhas
  Edited by: P on Apr 7, 2011 3:36 PM
  Edited by: P on Apr 7, 2011 3:38 PM

• Outlook Contact Card - Organization Tab disabled users

  In Outlook there is a Contact Card showing detailed information about that person. the Organization tab shows the contact's "Manager", "Shares Same Manager" (other contacts with the same manager), and "Direct Reports" (people
  that report to that contact).
  The problem i am seeing is that Users disabled in Active Directory (people that have left the company) are showing up in the Organization Tab.
  How can i filter out disabled users from this list for anyone using Outlook?
  I cannot permanently delete users from Active Directory until after a disabled account reaches a certain age. Also i would prefer not modifying the disabled Active Directory user accounts.
  We mostly run Outlook 2010 with a few people running Outlook 2013

  Hi,
  Outlook has no control over this, it just displays what it got from the server end. And to my knowledge, there is no such a feature to filter out those users from that list, at least on Outlook client.
  Regards,
  Ethan Hua
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• How to do Archiving of deleted & disabled users in OIM11g

  Hi All,
  As per the requirement we have to do archive of deleted & disabled users in OIM11g(11.1.1.2) after 75days. Can i know how can i achieve this?
  Regards,
  user7609

  Just to recap:
  Your client requirement is to archive users out of OIM after 75 days. This means in addition to actually disabling and/or deleting them, fully removing any traces of them from the system.
  As Kevin & GP said, OIM is just not built to do this. API alone is not going to accomplish this task... you'll also need to include SQL to actually drop data out of tables.
  All that being said, your post said the reason for this was because of a "license for limited users". Oracle Identity Manager is licensed on an active user basis. You really should talk with your Oracle rep to confirm, but I've never had licensing contracts include deleted/disabled users.

• Disabling User in Solaris

  Is there anyway to change the way the resource adapter for Solaris and Linux disables users so that it uses the native lock provided through passwd rather than setting a random password?
  Scott

  Is there anyway to change the way the resource
  adapter for Solaris and Linux disables users so that
  it uses the native lock provided through passwd
  rather than setting a random password?No there is no way to do that.
  The usage of passwd -d and or -l is limited to certain installations. If you read the man page for passwd you will see that it only works for files as the repository not for any of the other possibilities (NIS or NIS+ or ldap). It also depends on PAM modules to implement this and they do not have to be configured on the system.
  WilfredS

• Disabled User Password should not be changed

  Hi,
  We have a requirement that only if the user's status is active, then only administartor must be able to change the user password. Admin should not be able to change the password if the user is in disabled state/locked state.How can we achieve this?please sugest...
  Regards
  Vinoth

  Hi,
  We have made an entity adapter which is taking usr login value from User[in Data object manager] and calling our java method which is making connection to OIM database and getting us the status of user.
  Now if the status of user is disabled method is returning true and on true we have associated our error code to it.
  We are executing our entity adapter in pre-update execution.
  Now when we are changing password of any disabled user we are able to see our error code. But what ever update [either first name update, enable] we are running on that user same error code is appearing.
  Plesae suggest/reply.
  thanks

• OIM-DBAT ...ERROR during Disabling user

  Hi,
  I am using database app tables connector with OIM, wherein the user is being provisioned to a database table. When user is Disabled, the assosciated database resource does not gets Disabled, Disable User is rejected and It gives following error:
  GCPROV.ProvTransportProvider.DBProvisioningTransport.DB_STATUS_FIELD_LOOKUP_ERROR" does not correspond to a known Response Code. Using "UNKNOWN
  The table has some attributes viz. Username, user id, fname, lname, Status(can be 0 or 1), email.
  The requirement is: when user id terminated in OIM, the respective database resource should get Disabled, that is the status should be updated to 0.

  Hi Sunny,
  When I disable OIM user , Disable User process of the database account is invoked but it gets rejected giving the above stated error. And the status field in process form is not updated. In the GTC configuration, I have mentioned the table column name(ENABLED,which can take values 0 or 1) that will be acting as status ,and also provided the Lookup code name that contains the status mappings as follows:
  Code Decode
  Active 0
  Disabled 1

• Remove GrantSendOnBehalfTo disabled user accounts - A novice at scripting

  Hello.  Can anyone help please
  In our exchange 2010 environment we have users who are granted send on behalf to access.  Obviously some users leave and I m finding that there are ghosts left behind which are causing issues with our team who add users into the grantsendonbehalfto
  option using the EMC.  Using the log view we coy out the command and then remove the disabled user from the command and then paste this into an Exchange Powershell command line.  This wrks because it is doing what Exchange EMC does which is rewrites
  the -GrantSendOnBehalfTo option in it new entirety.  
  The problem occurs because I need to remove these en-mass from approx 700 plus accounts.  
  I have tried to modify one user in order to get the script to work but it doesn't.
  This is the error message that happens when I run the script below against a known account with at least 2 disabled users in:-
  Couldn't find object "xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2013-08/Gaynor Collins-Punter". Please make sure that i
   was spelled correctly or specify a different object. Reason: The recipient xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2
  13-08/Gaynor Collins-Punter isn't the expected type.
      + CategoryInfo          : NotSpecified: (:) [], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : F6498844
      + PSComputerName        : ex02-0029.xx.xxxxxxx.xxx.xx
  Am running the script from my local PC
  This is the script I have used.
  # Gather info use get-mailbox -resultsize unlimited$mailboxes = Get-Mailbox zplew1
  Foreach($mailbox in $mailboxes)
  for($i = ($mailbox.GrantSendOnBehalfTo.count)-1; $i -ge 0; $i--)
  $address=$mailbox.GrantSendOnBehalfTo[$i]
  $addressString=$address.addressString
  If($addressString -like "*disabled*")
  $mailbox.GrantSendOnBehalfTo.removeat($i)
  $info >> "C:\Scripts\grantsendonbehalfto.csv"
  $mailbox |set-mailbox -GrantSendOnBehalfTo $mailbox.grantsendonbehalfto
  }If you requiere any more info please let me know.

  #1 - I recommend posting in xchange forum fo rhow to do this
  #2 - Wen an account is disabled most on the information in the object is hidden.  YOu would need to undelete to use the object.
  #3 - Get list as text and validaye al values are not deleted accounts.  Remove deleted and save back.
  ¯\_(ツ)_/¯

• How to catch rollback in Disable user process task in Xellerat User Process

  hi ...
  I want to send an email to manager group of the user, once the user is disabled from the OIM (when end date is reached). I created an adapter and attached it to the ‘Changed User Disabled’ process task in the ‘xellerate user provisioning’ process and add a new row in the “Lookup.USR_PROCESS_TRIGGERS” Lookup definition. (code key: USR_DISABLED and Decode: Change User Disabled ). This adapter executes only when the user status is equal to “disabled”.
  This works correctly when the OIM user disabling process execute without any errors. But sometimes while disabling the user it gives an error (“resource is not configured properly”) and rolls back everything and make the user active. But at the same time my adapter runs and sends the mail informing user is disabled but yet user is active.
  My problem is how can I find or catch rolls back transaction in the “Disable User” process task (which is in “Xellerate User” process”) ??? If I can get to know that a roll back is occurred then I can send a mail to OIM administrator, informing that user disable process is failed.
  Can someone please help me to find this..
  Thanks in advance :)
  Regards,
  i.k.

  Hi Rajiv,
  Error occurs while disabling the user due to resource configuration problems. ( error message is : DOBJ.RESOURCE_NOTCONFIGURED_PROPERLY -- One or more provisioned resource is not configured properly) In this case i know the problem and how to solve it. But what I want to know is in any case if disable process get fail and if things get roll back again, then how can I track that situation and send a mail to OIM Admin(informing the failure) instead of sending a mail to user managers saying that user account has been disabled.
  I think now my problem is clear…. Can u please help me to find this.
  Regards,
  i.k.

• User defined error handling in PLSQL procedure of portal form

  I need some help of building a user defined exception handling in PLSQL.
  I build a portal form based on a PLSQL procedure.
  In this procedure there are several SQL statements with exception handling.
  In case of exception I want to display my on error message and than raise the procedure, so that the user can read the message and than go back to form.
  I try this by calling a raise statement generating some HTML output over htp.p() but than the output look's like
  SQL:
  begin
  "ACHEMA2003"."P_LOGIN" ( P_STAMM_SEQ => 33491, P_ADRESSNR => 2009721, P_PASSWORD => '3333', P_PROJEKT_ID => 'ACHEMA2003', P_MESSENR => '00023', P_SPKZ => 'D');
  end;
  ORA-20000:
  Login ACHEMA 2003
  Ung|ltiges Passwort !!!
  Back to form
  I want to supress the standard Oracle messages.
  Now I read about the packages wwerr_api_error and wwerr_api_error_ui to make this, but it seems to be a little difficult.
  Is there anybody who have a solution for this problem, perhaps some example PLSQL code for this.
  Thanks Erwin.

  Jacob,
  Try following:
  declare
  v_sender VARCHAR2(1000);
  v_sender_id NUMBER;
  begin
  v_sender := p_session.get_value_as_VARCHAR2(
  p_block_name => 'DEFAULT',
  p_attribute_name => 'A_SENDER');
  v_sender_id := p_session.get_value_as_NUMBER(
  p_block_name => 'DEFAULT',
  p_attribute_name => 'A_SENDER_ID');
  insert into hd (number, text) values (hd_seq.nextval,
  'step 3 v_sender = ' || v_sender ||
  ' v_sender_id = ' || v_sender_id);
  if v_sender_id >= 100 then
  p_session.set_value(
  p_block_name => "_block",
  p_attribute_name => '_STATUS',
  p_value => 'Sender ID must be less than 100!');
  -- return to your form with status message set
  -- and all fields filled with recent values
  return;
  end if;
  end;
  -- This point is reached only if validation is OK
  doInsert;
  Regards,
  Henn

• Disabling User Account Control - CUBAC

  Installing Cisco Unified Business Attendant Console.  Documentation says that on server 2003 / sever 2008 installations, disabling of the user account control is required.  It gives a procedure to do this on Server 2008.
  The install I'm working on is on Server 2003.  I cannot find anything like this.  Googling on the subject has led me to believe that this is likely a documentation bug, as I can find no reference to Server 2003 having this feature.
  Has anyone else run into this?  The documentation appears to have been written by someone who speaks english as a second language, and not thoroughly vetted for correctness.

  Hi Clifford,
  This would just be for Windows server 2008
  CSCtc77367            Bug Details
  CUBAC 3.1.1.5 docs need to say "disable User Account  Contol" in win2008w.
  It appears UAC (user account Control) a new feature found in   Windows Server 2008 will block license files from being properly applied  in CUBAC 3.1.1.5.
  The installation and requirement docs should  reflect that UAC needs to be disabled before installing CUBAC on Windows  Server 2008.
  Observations:
  Go to webadmin, licensing
  When  you look at that page, you will not see any licensing info; no eval.
  It  says, no licensing info.
  When we turned off UAC, the licensing  page showed the eval info for 5 days.
  At which point we were able  to add the license
  Status
  Fixed             
  Severity
  2 - severe
  Last Modified
  In Last Year        
  Product
  Cisco Unified Attendant Consoles         
  Technology
  1st Found-In
  3.1(1.5)       
  Fixed-In
  Release-Pending
  Cheers!
  Rob