Disabling user only on OIM

Similar Messages

• Disables AD User account in OIM 9.1 still user can access its account

  The following issue is happing on OIM Version: 9.1.0.1866.25
  When disabling a single AD resource, it will appear on IdM in status as Disabled, even though it remains accessible by the user. No change of password occurs.
  Where should I check and how can I fix that.
  Kind Regards,
  Silviu

  What task is attached to Disable of user? Ideally we have an adapter attached to disable user who disables user in target AD system when fired. Login to design console, open you process definition and open disable user task to see what adapter is attached.
  regards,
  GP
  Edited by: Gyanprakash Pandey on Feb 2, 2012 4:33 AM

• Disable User on updating an User attribute in OIM

  Hi,
  I have OIM 11g R2 with LDAP SYNC enabled with OID through OVD.
  I want to trigger Disable user on modifying an UDF attribute of user.
  Like if attribute1 of user is set to true then disabke user operation should be triggered for the user.
  So first in my adapter i will check whether attribute is true and then trigger disable user.
  In 11g R2 as mapping adapters attached to Users form in dataobject manager is not supported i am not able to map to the userdefinition and hence not able to check if attribute1 is true or false.
  Please help and let me know if this can be achieved in any other way.
  Edited by: 988070 on Mar 20, 2013 3:55 AM

  You can write a post process event handler:
  It will update the user status to disable when UDF attrtibute is set to true.
  For this, you need to set the condition as:
  Get the value of user defined attribute and store it in a variable "flag".
  disable UserManagerResult disable(java.lang.String attributeName, java.lang.Object attributeValue) //attributeName will be user defined fieldm value will be "true"
  throws ValidationFailedException,
  oracle.iam.platform.authz.exception.AccessDeniedException,
  UserDisableException,
  NoSuchUserException,
  SearchKeyNotUniqueException
  Disables the user account matching the search criteria.
  Parameters:
  attributeName - - The attribute name for the search criteria.
  attributeValue - - The attribute value for the search criteria.
  Returns:
  UserManagerResult containing the entity id of the disabled user.
  Cheers,
  Vamsi.

• OIM-DBAT ...ERROR during Disabling user

  Hi,
  I am using database app tables connector with OIM, wherein the user is being provisioned to a database table. When user is Disabled, the assosciated database resource does not gets Disabled, Disable User is rejected and It gives following error:
  GCPROV.ProvTransportProvider.DBProvisioningTransport.DB_STATUS_FIELD_LOOKUP_ERROR" does not correspond to a known Response Code. Using "UNKNOWN
  The table has some attributes viz. Username, user id, fname, lname, Status(can be 0 or 1), email.
  The requirement is: when user id terminated in OIM, the respective database resource should get Disabled, that is the status should be updated to 0.

  Hi Sunny,
  When I disable OIM user , Disable User process of the database account is invoked but it gets rejected giving the above stated error. And the status field in process form is not updated. In the GTC configuration, I have mentioned the table column name(ENABLED,which can take values 0 or 1) that will be acting as status ,and also provided the Lookup code name that contains the status mappings as follows:
  Code Decode
  Active 0
  Disabled 1

• Disable user in OIM

  Hi *
  when i disable a user, it should not disable the user access to particular resource in which he is already provisioned.
  this req. looks pretty simple. but i could not find how to implement this functionality in design console.
  pls help me in this regard.
  thanks in advance.

  @OIM Learner.
  If i update AD User ---> Disable User to 'No Effect'
  Than while trying to disable user from Admin console it gives error:
  User Detail >> Resource Profile >> Ad User -> Dsiable
  Thor.API.Exceptions.tcAPIException: Resource is not configured properly.
  Class/Method: ResourceProfileProvisioningTasksAction/dispatchConfirmation encounter some problems: Cannot Disable
  Later i revert back to AD User ---> Disable User to 'Disable Process or Access To Application'
  Admin Console:
  User Detail >> Resource Profile >> Ad User -> Dsiable
  It disables user from AD.
  Is there a way to stop Automatic trigger on OIM User disable. As for our environment user might need to have access to resources even after it being Disable from OIM.
  Thanks a lot.

• AD Trusted Recon - Disabling user deletes him in OIM

  Hello,
  I'm having trouble changing a user state to 'Disabled' in OIM when I disable him in the Active Directory.
  Has anyone ever encountered this problem and know how to solve it?
  Thanks in advance

  The problem with disabled users in AD has been discussed numerous times over the years and there has been a number of different "solutions" to the problem.
  Our standard solution to this has been to have our own AD connector so that we could change the behavior to what the specific customer wanted.
  The 9.1 AD connectors have been delayed and is now ETA between "July and December 2008".
  Best regards
  -M

• OIM 11g - Approval workflows for disabled user accounts

  Hi,
  We have a scenario wherein a user will be created in OIM with a future start date resulting in a Disabled Untill Start Date user status. Once the user is created, we should let anyone submit a New Hire form for the user and the submitted form needs to be approved by the Manager. Once the Manager approves the form, the target accounts should get created with disabled status. These accounts should get enabled on the start date.
  As submission of New Hire Form is not a straightforward process, we came up with the following design.
  A dummy resource object corresponding to the New Hire Form will be created and can be requested for a newly hired person by anyone who has OIM access. An approval workflow will be configured for the New Hire Form Resource object and provisioning of target accounts will be based on Manager's approval for this resource object.
  However the challenge that we see with this design is, it wasn't possible to place a request for New Hire Form dummy resource object for a disabled user. But the requirement is to complete the New Hire Form submission process befor the user becomes active.
  How can these workflows be invoked for a disbaled user? Is there any other way to implement this requirement?
  Any kind of help/guidance is greatly appreciated.
  Thanks and Regards
  Deepa

  911709 wrote:
  If I create a dummy resource, called "Group Membership" for example, and use this to show the groups that are available in AD, how can I have the request be routed to different approvers? For example, group cn=HR Users,cn=Users,dc=company,dc=com needs to be routed to HR for approval. Group cn=IT,cn=Users,dc=company,dc=com needs to be routed to IT for approval. How can I change the approvers dynamically?
  Re: Spawning multiple approval tasks in parallel in OIM11g SOA Composite
  You can have dynamic task assignment in BPEL; where you defne a variable in the task assignment and update the variable with the approver group name before triggering the task assignment task. Check BPEL docs for same.
  If every group needs a different approver, and there are 5000 groups, can I make 5000 resources and use the built-in routing of approvals? Or, use the dummy resource approach and handle the management of the approvals in some other way.Just make one resource with one field attached to it which takes in the group name and handle approval in SOA by reading a lookup which has AD group to Approval Group mapping.
  >
  Thank you.-Bikash
  Edited by: Bikash Bagaria on Feb 18, 2012 1:00 AM

• Disabling Users in OIM

  Hi,
  Could someone tell me why this may be happening. I'm trying to setup Diabling user in OIM to disable user in AD.. but before I even get that far, I cannot seem to be able to disable a user in OIM.
  I open a user's profile click Disabled, page updates but nothing changed. No errors in the log. Clicking disable just doesn't work.
  What's even stranger is I found a user who was already disabled, and that guy I can enable/disable as much as I want.
  Where can I look to see what may be causing this?
  Also, I noticed in some other posts I read about OIM->AD disabling, and this is something that should work OOTB... I see the Disable User tasks, but I can't figure out what would trigger it.
  Alex

  Figured it out. There was a Pre-Update entity adapter that set the status based off a user defined field. I guess clicking the Disable button was triggering this entity adapter and over-rulling my Disable action.

• Disabled User Password should not be changed

  Hi,
  We have a requirement that only if the user's status is active, then only administartor must be able to change the user password. Admin should not be able to change the password if the user is in disabled state/locked state.How can we achieve this?please sugest...
  Regards
  Vinoth

  Hi,
  We have made an entity adapter which is taking usr login value from User[in Data object manager] and calling our java method which is making connection to OIM database and getting us the status of user.
  Now if the status of user is disabled method is returning true and on true we have associated our error code to it.
  We are executing our entity adapter in pre-update execution.
  Now when we are changing password of any disabled user we are able to see our error code. But what ever update [either first name update, enable] we are running on that user same error code is appearing.
  Plesae suggest/reply.
  thanks

• How to catch rollback in Disable user process task in Xellerat User Process

  hi ...
  I want to send an email to manager group of the user, once the user is disabled from the OIM (when end date is reached). I created an adapter and attached it to the ‘Changed User Disabled’ process task in the ‘xellerate user provisioning’ process and add a new row in the “Lookup.USR_PROCESS_TRIGGERS” Lookup definition. (code key: USR_DISABLED and Decode: Change User Disabled ). This adapter executes only when the user status is equal to “disabled”.
  This works correctly when the OIM user disabling process execute without any errors. But sometimes while disabling the user it gives an error (“resource is not configured properly”) and rolls back everything and make the user active. But at the same time my adapter runs and sends the mail informing user is disabled but yet user is active.
  My problem is how can I find or catch rolls back transaction in the “Disable User” process task (which is in “Xellerate User” process”) ??? If I can get to know that a roll back is occurred then I can send a mail to OIM administrator, informing that user disable process is failed.
  Can someone please help me to find this..
  Thanks in advance :)
  Regards,
  i.k.

  Hi Rajiv,
  Error occurs while disabling the user due to resource configuration problems. ( error message is : DOBJ.RESOURCE_NOTCONFIGURED_PROPERLY -- One or more provisioned resource is not configured properly) In this case i know the problem and how to solve it. But what I want to know is in any case if disable process get fail and if things get roll back again, then how can I track that situation and send a mail to OIM Admin(informing the failure) instead of sending a mail to user managers saying that user account has been disabled.
  I think now my problem is clear…. Can u please help me to find this.
  Regards,
  i.k.

• Populate enddate after change in user status in OIM 11g ?

  Hello experts,
  We have a requirement whenever a user is getting 'Disabled' end-date needs to be set to the current system date and When the user is enabled end-date need to be reset to some predefined date
  We are planning to go with custom adapter for this. Now in OIM 11g USR_STATUS is not working as expected. Then how do we trigger for disable or enable.
  Is event handler is the only option for this scenario ? Please advice.
  Thanks,
  Deepak

  there are two ways to handle this
  first is to use post update event handler
  get the user status and update end date and start date
  second, using custom adapter.
  no need to put trigger.
  just attach your code on the response of enable user and disable user task in AD,OID ...or so on work flow.
  try and let me know
  regards,
  nishith nayan

• How to do Archiving of deleted & disabled users in OIM11g

  Hi All,
  As per the requirement we have to do archive of deleted & disabled users in OIM11g(11.1.1.2) after 75days. Can i know how can i achieve this?
  Regards,
  user7609

  Just to recap:
  Your client requirement is to archive users out of OIM after 75 days. This means in addition to actually disabling and/or deleting them, fully removing any traces of them from the system.
  As Kevin & GP said, OIM is just not built to do this. API alone is not going to accomplish this task... you'll also need to include SQL to actually drop data out of tables.
  All that being said, your post said the reason for this was because of a "license for limited users". Oracle Identity Manager is licensed on an active user basis. You really should talk with your Oracle rep to confirm, but I've never had licensing contracts include deleted/disabled users.

• Disabling User in Solaris

  Is there anyway to change the way the resource adapter for Solaris and Linux disables users so that it uses the native lock provided through passwd rather than setting a random password?
  Scott

  Is there anyway to change the way the resource
  adapter for Solaris and Linux disables users so that
  it uses the native lock provided through passwd
  rather than setting a random password?No there is no way to do that.
  The usage of passwd -d and or -l is limited to certain installations. If you read the man page for passwd you will see that it only works for files as the repository not for any of the other possibilities (NIS or NIS+ or ldap). It also depends on PAM modules to implement this and they do not have to be configured on the system.
  WilfredS

• Disabling User instead of deleting

  I'm using OIM 9031.
  I've created a custom access policy which grants user a resource (OEBS) based on his group membership.
  When user is no longer a member of group, his account is deleted from assigned resource. How do I change the behavior of OIM so that user account in OEBS would be blocked instead of completely deleted?

  Yes, I want the account to be reanabled after the user is a member of a group again. No idea how to change the provisioning workflow...
  Maybe, I should add two new tasks, for enabling/disabling user, but then I must somehow incorporate 'enable user' task into my workflow. It may require 3rd task which checks if user account already exists (e.g. is user already provisioned the resource) and depending on response code, it may launch either create or enable task...

• Disabling User specific/Default Setting

  In the output of CV04n selection while 'Save Layout' how is it possible to enable/disable
  'User Specific' or 'Default setting'

  Hi,
  Did you mean Set or enable / disable? Anyways if you want to set, you can do it as follows:
  1. Global: I.e. Available for all
  Selection Variant: Global     do not toggle the User specific box
  Description: XYZ
  2. User Specific: Available only for the user
  Selection Variant: aaa   Toggle the user specific box.
  Description: uvw
  If this doesn't answer your query, please explain further.
  regards
  C