Disable user thru IDM ...

I added the following code to the bottom of active sync form to disable a user from all resources without luck.
The side effect of the following code is to remove all resource names from waveset.resources list. What did I miss? Thanks in advance for any clue.
<FieldLoop for='name' in='waveset.accounts[*].name'>
  <Field name='accounts[$(name)].disable'>
    <Expansion> true </Expansion>
  </Field>
  <Field name='update.accounts[$(name)].disable'>
    <Expansion> true </Expansion>
  </Field>
</FieldLoop>

Why are you updating the update object?
If you do accounts[Resname].disable = true, it will disable the account as well. Then use waveset.disable for Lighthouse. I did this exact thing last week and it worked fine. If you have problems, feel free to email me.
-Dana Reed
AegisUSA
Denver, Colorado
[email protected]
"Now hiring best in breed IDM professionals..inquire via email"

Similar Messages

  • Find disabled user in idm side or AD resource?

    Any disabled user is moved to the disabled accounts OU in AD in our environment.
    What is the best way to check for any disabled user in a workflow? Is this on the IDM side or in the disabled user's OU in AD?
    If so, what would be the correct attribute to use.
    Please suggest?
    Thanks for your help.
    Edited by: @waveset on Mar 3, 2008 1:10 PM
    Edited by: @waveset on Mar 3, 2008 1:14 PM

    I am trying to get this value at runtime in a form or rule.
    I am getting the user object as follows:
    <defvar name='thisUserObj'/>
    <setvar name='thisUserObj'>
         <invoke name='getObject'>
              <new class='com.waveset.server.InternalSession'/>
              <invoke name='findType' class='com.waveset.object.Type'>
                   <s>User</s>
              </invoke>
              <ref>accountId</ref>
         </invoke>
    </setvar>
    I SHOULD be able to reference the disabled attribute in any of the following ways, but they all return null:
    <notnull>
         <select>
              <invoke name='getAttribute'>
                   <ref>thisUserObj</ref>
                   <s>disabled</s>
              </invoke>
              <ref>thisUserObj.accounts[Lighthouse].disabled</ref>
              <ref>thisUserObj.waveset.disabled</ref>
         </select>
    </notnull>
    What am I doing wrong? Any help is appreciated.
    Thanks

  • Unable to find disabled users

    I used the below to search for all disabled users in the system. I have a disabled user in IDM but the queryResult is null in the log file. Do you have any ideas?
    <Action id='0' application='com.waveset.session.WorkflowServices'>
      <Argument name='op' value='queryObjectNames'/>
      <Argument name='type' value='User'/>
      <Argument name='attributes'>
        <map>
          <s>dis</s>
          <s>true</s>
        </map>
      </Argument>
    </Action>
    dis is in the <QueryableAttrNames> list already. It's one of the predefined attributes in this list. I did not add it in.
    Thanks

    I found the answer. I found it in the WFs, Forms and Views documentation for 7.1. This will find all users who are either disabled or partially disabled.
    <Action id='0' application='com.waveset.session.WorkflowServices'>
      <Argument name='op' value='queryObjectNames'/>
      <Argument name='type' value='User'/>
      <Argument name='single' value='false'/>
      <Argument name='attributes'>
        <map>
          <s>lhdis</s>
          <s>true</s>
        </map>
      </Argument>
    </Action>
    What I don't understand is that lhdis is not defined in the <QueryableAttrNames> list. Below is the <QueryableAttrNames> list out of the box. It has only dis, not lhdis. Even though I got the result that I want, I want to know how we can use lhdis when it's not in the <QueryableAttrNames> list. Does anyone know?
    <QueryableAttrNames>
    <List>
    <String>correlationKey</String>
    <String>role</String>
    <String>email</String>
    <String>name</String>
    <String>firstname</String>
    <String>lastname</String>
    <String>idmManager</String>
    <String>prov</String>
    <String>dis</String>
    <String>locked</String>
    <String>user_resources</String>
    </List>
    </QueryableAttrNames>

  • Disable the user in the resource thru IDM

    Hi, I am doing active sync. While doing active sync I am also creating the user in other resources. During active sync I want to disable the user in IDM and also in the resources, based on one user attribute. I am using "waveset.disabled=true" to disable the user.
    With this the user is getting disabled in Lighthouse but not in resources like LDAP. How can I disable the user in the resources as well? Which attribute needs to be set to disable the user in the resources too? Any help will be great.

    I added the following code to the bottom of active sync form to disable a user from all resources without luck.
    The side effect of the following code is to remove all resource names from waveset.resources list. What did I miss?
    Thanks in advance for any clue.
    <FieldLoop for='name' in='waveset.accounts[*].name'>
      <Field name='accounts[$(name)].disable'>
        <Expansion>
          <s>true</s>
        </Expansion>
      </Field>
      <Field name='update.accounts[$(name)].disable'>
        <Expansion>
          <s>true</s>
        </Expansion>
      </Field>
    </FieldLoop>

  • HI I am facing problem to disable user in LDAP thru SIM

    Hi, I have configured an LDAP directory server in Sun IDM.
    After creating the user in IDM and LDAP I am trying to disable the user both in SIM and in LDAP. The IDM repository shows that the user in LDAP got disabled, but actually in LDAP the user account is in active state.
    I do not understand why this problem is occurring. Earlier, when I tried to disable the user in LDAP through IDM, it was working fine, but it is not working now. It is very urgent for me. Can anyone tell me the reason? Any advice will be helpful.

    There are two ways of disabling ANY account on ANY resource through a resource adapter.
    1) Use the native method, if it exists.
    2) Change the password to some value which matches the password policy AND completely forget this password.
    The first method is used for some adapters, Oracle for example.
    The second method is used more widely, for Solaris, Redhat Linux, LDAP... and many other resources.
    I believe that they made LDAPResourceAdapter use DisableUser this way so that it can be used for communicating with non-Sun directory servers as well.
    So, disabling a user from Identity Manager does not disable the user by setting any native flag on JES Directory Server, but by changing and forgetting the password AND marking that account as "disabled" in Identity Manager instead.
    The user cannot log on anymore, so the "disable" is OK, although you cannot see that the user is disabled using common ldaptools.
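
The reply above says an IDM-side disable may leave no native flag in the directory. As an added example (not code from the thread or from the product), this audit compares IDM's disabled list with a directory export; the sample entries, the function names, and the use of modifyTimestamp as a change indicator are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample data, not from the thread. nsAccountLock is the native lock
# attribute named on this page; modifyTimestamp is the standard operational
# attribute, used here as an assumed indicator that the entry was changed.
LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
nsAccountLock: true
modifyTimestamp: 20080301120000Z

dn: uid=bob,ou=people,dc=example,dc=com
modifyTimestamp: 20080302093000Z

dn: uid=carol,ou=people,dc=example,dc=com
modifyTimestamp: 20071115080000Z
"""
# uid -> time the provisioning system recorded the disable (constructed)
IDM_DISABLED = {"alice": "20080301115900Z", "bob": "20080302092900Z",
                "carol": "20080303100000Z", "dave": "20080303100000Z"}

def parse_ldif(text):
    """Parse a minimal LDIF export into {uid: {lowercased attribute: value}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        uid = attrs["dn"].split(",")[0].split("=", 1)[1]
        entries[uid] = attrs
    return entries

def gtime(value):
    """Convert LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def classify(uid, disabled_at, entries):
    """Describe what the directory shows for an account IDM marks disabled."""
    entry = entries.get(uid)
    if entry is None:
        return "missing-in-directory"
    if entry.get("nsaccountlock", "").lower() == "true":
        return "native-lock"
    if gtime(entry["modifytimestamp"]) >= gtime(disabled_at):
        # Consistent with a password reset at disable time, but not proof:
        # any later modification updates modifyTimestamp.
        return "no-native-flag-modified-after-disable"
    # Nothing changed on the entry since the disable: needs investigation.
    return "unchanged-since-disable"

def audit(idm_disabled, ldif_text):
    entries = parse_ldif(ldif_text)
    return {uid: classify(uid, ts, entries) for uid, ts in sorted(idm_disabled.items())}

if __name__ == "__main__":
    for uid, status in audit(IDM_DISABLED, LDIF).items():
        print(f"{uid:6} {status}")
```

Accounts reported as unchanged-since-disable are the ones worth a manual bind test, since the directory shows no sign the disable ever reached it.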

  • User disabled in LDAP triggers disable identity in IDM?

    IDM 7.0 on Sun JES Stack
    Authoritative Source is LDAP, Sun Directory Server 5.2
    This pertains to Termination e.g. Employee/Contractor gets terminated.
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    Based on the above two criteria, how do I trigger the Disable User workflow in IDM so that the user's IDM Identity gets disabled?
    I've been exploring the LDAP Activation Method/Parameter?
    com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable
    But am unsure on how to approach this. Has anyone successfully implemented this? Documentation is pretty unclear. Thanks in advance.

    Given the below scenarios:
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    We've resolved #2 using MetaView and Rule. On the LDAP resource adapter itself, we used:
    LDAP Activation Method: nsaccountlock
    LDAP Activation Parameter: accountLockAttr
    (where this is your IDM system attrib specified in resource schema)
    In MetaView, for attrib "accountLockAttr", Source: Rule: Is obuseraccountcontrol disabled, Target: IDM, All Resources
    In MetaView > Identity Events, we set the Disable event,
    Based on that, we believe we can resolve #1 to trigger the Disable User Workflow. The problem is, how do you Re-Enable a user if the user's LDAP record is deleted from the authoritative source (LDAP)?

  • Customizing the "DISABLE USER"  Function

    Hi.
    I am trying to customize the *"Disable User"* Function in IDM.
    I have created a small User Form, which contains a simple Checkbox. When this Checkbox is checked, I would like to DISABLE a given User.
    Basically, I know that this can be done from the Main IDM User Interface (User-----Disable), etc, etc. But, I actually want to Disable this particular function completely.
    What I mean is : I want to disable it for certain Admin Users.
    So, I guess I have two questions :
    (a) If I disable this function for a particular Administrator (meaning, this administrator would NOT have the capability to disable users), then would this same administrator still have the capability to DISABLE users via the user form which I created?
    (b) How exactly can I invoke/execute the "DISABLE USER" function from my user form? When the "Checkbox" there is checked...........*what then?*
    Thanks.

    Oops! Slight problem.
    The code you gave me doesn't seem to work. I keep getting the error "Unknown op value"
    (I think it's referring to the part where : *"<Argument name='op' value='disableUser'/>"*)
    However, I might have a solution : perhaps the problem stems from the fact that I am using a CHECKBOX, to activate "Disable User";
    perhaps, I ought to be using something else *(like, a BUTTON).*
    Logically, this might make sense (and it might explain why I am getting that error).
    Let's say that I disable a user by "checking" that checkbox; but, what if I want to RE-ENABLE that User? Of course, I could simply insert another "Action", which enables user by "Un-checking". But, perhaps, the workflow would prefer if I simply had two separate Buttons : one for ENABLE, another for  DISABLE.
    What do you think about this?
    Thanks, Sec_Tk
    P. S. Sorry, but you didn't mention what I asked about initially : if a certain Administrator does not have the "DISABLE USER"  capability, can he still effectively perform this "Disable" task from the User Form?

  • Comm Suite auto disable users

    Hi,
    We are running Communications Suite 5: Messaging 6.3, Cal 6.3, UWC 6.3
    We are trying to figure out a way to auto disable a user through our provisioning system. We understand that you can disable users using attributes like inetuserstatus and mailuserstatus, however would like to tell comms suite to disable a user on some specific day in the future.
    Does anyone have any way of doing this? Can a particular LDAP attribute be changed?
    -Matt

    Hi,
    mattrobert wrote:
    We are running Communications Suite 5: Messaging 6.3, Cal 6.3, UWC 6.3
    We are trying to figure out a way to auto disable a user through our provisioning system. We understand that you can disable users using attributes like inetuserstatus and mailuserstatus, however would like to tell comms suite to disable a user on some specific day in the future.
    Does anyone have any way of doing this? Can a particular LDAP attribute be changed?
    There is no in-built mechanism to auto-expire accounts at a given time/date. If you wanted to achieve this you would need to use your provisioning system; something like IDM (http://www.sun.com/software/products/identity_mgr/index.jsp) is able to schedule such expiration as part of the provisioning/de-provisioning process.
    If all you wanted to achieve was to stop users from accessing their account, the other option may be to expire the user's password using the passwordexpirationtime user attribute. This would not stop other users from accessing the account (e.g. shared folders, shared calendar etc.), or new emails from being received by the account.
    Regards,
    Shane,

  • Disable activities in IDM

    Hello,
    I must disable activities in IDM. Does anyone know how to do it?
    thanks

    You can generally select what a user can and can't do by selecting and de-selecting what Capabilities they have - either directly or through an administrator role. Is that what you're trying to do? If that doesn't get you what you want, let us know as there are some other things to do to provide customized permissions.

  • Getting error "1013009 Administrator Has Temporarily Disabled User Commands"

    Hi All,
    I am getting the error "1013009 Administrator Has Temporarily Disabled User Commands" while executing a report script in Essbase 11.1.1.3
    Appreciate any help..
    Thanks
    Mahesh

    Mahesh wrote:
    Hi All,
    I am getting the error "1013009 Administrator Has Temporarily Disabled User Commands" while executing a report script in Essbase 11.1.1.3
    Appreciate any help..
    Thanks
    Mahesh
    Possible Cause
    When a database is being restructured or any application/database on the server is being copied, you can get this message.
    or
    When a cube is being restructured, commands are restricted because the integrity of the cube has to be stable and no one is allowed to access it.
    or
    Copying an application requires that the Essbase security file be in read/write mode and therefore other applications are not accessible until the process is completed.
    Possible Solution
    In Application Settings, verify that the Allow Commands or Allow Updates options are not selected.
    If not selected, select those and try.
    Regards,
    Prabhas
    Edited by: P on Apr 7, 2011 3:36 PM
    Edited by: P on Apr 7, 2011 3:38 PM

  • Getting error while re-setting password of user in IDM 7.1

    Hi All,
    We are getting below error in job log while resetting password of users through IDM UI in IDM 7.1.
    Please note that user has been created in backend through IDM only and we are putting 7 character long password only.
    Also, password reset task has been maintained in Password Policy Tab.
    The attribute values maintained in Pass for password reset are:
    logonuid %MSKEYVALUE%
    password $FUNCTION.sap_getPassword(%MX_ENCRYPTED_PASSWORD%)$$
    changetype modify
    Also, scripts maintained are: sap_encryptPassword and sap_getPassword
    Could you please help!!!
    Job log:
    putNextEntry failed storing90000004
    Exception from Modify operation:com.sap.idm.ic.ToPassException: User 90000004 does not exist Password is not long enough (minimum length: 7 characters) Internal error: FM SUSR_USER_READ, exception: 1 Inconsistency with address
    Thanks
    Aditi

    Hi Steffi,
    Yes, we have tried with 7, 8, 9 and 10 character long passwords, but no one worked.
    Yes, the user existed, however we tried with another user and this time the error is:
    putNextEntry failed storing9PATHAKR
    Exception from Modify operation:com.sap.idm.ic.ToPassException: Password is not long enough (minimum length: 7 characters).
    Attached is screen shot of password policy tab.
    Thanks
    Aditi

  • Outlook Contact Card - Organization Tab disabled users

    In Outlook there is a Contact Card showing detailed information about that person. The Organization tab shows the contact's "Manager", "Shares Same Manager" (other contacts with the same manager), and "Direct Reports" (people that report to that contact).
    The problem I am seeing is that users disabled in Active Directory (people that have left the company) are showing up in the Organization Tab.
    How can I filter out disabled users from this list for anyone using Outlook?
    I cannot permanently delete users from Active Directory until after a disabled account reaches a certain age. Also I would prefer not modifying the disabled Active Directory user accounts.
    We mostly run Outlook 2010 with a few people running Outlook 2013

    Hi,
    Outlook has no control over this, it just displays what it got from the server end. And to my knowledge, there is no such a feature to filter out those users from that list, at least on Outlook client.
    Regards,
    Ethan Hua
    TechNet Community Support
    It's recommended to download and install Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office programs.

  • How to do Archiving of deleted & disabled users in OIM11g

    Hi All,
    As per the requirement we have to archive deleted & disabled users in OIM11g (11.1.1.2) after 75 days. Can I know how I can achieve this?
    Regards,
    user7609

    Just to recap:
    Your client requirement is to archive users out of OIM after 75 days. This means in addition to actually disabling and/or deleting them, fully removing any traces of them from the system.
    As Kevin & GP said, OIM is just not built to do this. API alone is not going to accomplish this task... you'll also need to include SQL to actually drop data out of tables.
    All that being said, your post said the reason for this was because of a "license for limited users". Oracle Identity Manager is licensed on an active user basis. You really should talk with your Oracle rep to confirm, but I've never had licensing contracts include deleted/disabled users.

  • Disabling User in Solaris

    Is there any way to change the way the resource adapter for Solaris and Linux disables users so that it uses the native lock provided through passwd rather than setting a random password?
    Scott

    Is there any way to change the way the resource adapter for Solaris and Linux disables users so that it uses the native lock provided through passwd rather than setting a random password?
    No, there is no way to do that.
    The usage of passwd -d and/or -l is limited to certain installations. If you read the man page for passwd you will see that it only works for files as the repository, not for any of the other possibilities (NIS or NIS+ or ldap). It also depends on PAM modules to implement this and they do not have to be configured on the system.
    WilfredS

  • Disabled User Password should not be changed

    Hi,
    We have a requirement that only if the user's status is active, then only the administrator must be able to change the user password. The admin should not be able to change the password if the user is in disabled state/locked state. How can we achieve this? Please suggest...
    Regards
    Vinoth

    Hi,
    We have made an entity adapter which is taking usr login value from User[in Data object manager] and calling our java method which is making connection to OIM database and getting us the status of user.
    Now if the status of user is disabled method is returning true and on true we have associated our error code to it.
    We are executing our entity adapter in pre-update execution.
    Now when we are changing the password of any disabled user we are able to see our error code. But whatever update [either first name update, enable] we are running on that user, the same error code is appearing.
    Please suggest/reply.
    thanks
