Evaluate user policies

Hi All
I am facing an issue which should obviously have a solution and is very important a.Please post immediatly any solutions,workarounds or referneces to it if you are aware.
1. I have a group A which is goverened by an Access Policy
2. This Access Policy is provisioning Resources RA,RB,RC.
3. A user UserA is added to the group. The resource profile of the use now has three resources RA,RB,RC.
4. I now added another( new )resource RD to he Access Policy . Now the Access policy must provision RA,RB,RC,RD.
Now my question is , what do i perform for the existing users in the group to get the new resource RD?
Work arounds tried:
1. I have Retrofit Access Policy checked.(when the access policy is created)
2. I saw somewhere in the forum , that we have to run a scheduled task called Set User provisioned date. Which didn´t workout.
Please give me some clean solution on this. Is this really not an OIM OOTB feature? Does it need any configuration which is not published?
Thank you
Regards
Shashidhar

"I am currently using Evaluate user policies only.when there arfe more number of users this is being a very costly operation.
this is really making the system slow. is this the only way?can we not limit this task only to changed policies?"
As far as I can tell you only have two options:
For a small number of users, manually query up the users in OIM and click the "Edit" button on the User Details screen and then click "Save" (no other changes). This should evaluate the current access policy against the User and provision any missing resources.
Otherwise, for a large number of users, schedule the "Evaluate User Policies" out of your normall business hours (I wouldn't expect that you would normally be doing lots of changes to your access policies during the course of a normal business day unless you have an unusual arrangement with your access policies).

Similar Messages

OIM 11 - Error while running scheduled job "Evaluate User Policies"

Hello,
We are trying to run the OOTB scheduled job " EValuate User Policies" with the default parameters. Job history shows the execution status success but diagnostic logs throw the following error. And the users donot get provisioned to their resources based on the access policies.
We are on OIM 11 BP05.
[2013-01-30T10:11:47.072-05:00] [oim_server1] [NOTIFICATION] [IAM-0080006] [oracle.iam.platform.kernel.impl] [tid: Thread-1033] [userId: oiminternal] [ecid: 3f3dc64898fb7625:-13c8cd5d:13c88a6943c:-8000-0000000000000002,1:26684] [APP: oim#11.1.1.3.0] Orchestration process moved to failed stage, and the corresponding error is - {0}[[
oracle.iam.platform.kernel.EventFailedException: Operation - EVALUATE_POLICIES that is submitted as part of the orchestration is not supported.
at oracle.iam.platform.kernel.impl.EntityDefaultActionHandler.execute(EntityDefaultActionHandler.java:53)
at oracle.iam.platform.kernel.impl.DefaultActionHandler.execute(DefaultActionHandler.java:41)
at sun.reflect.GeneratedMethodAccessor5717.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.platform.kernel.impl.EventHandlerDynamicProxy.invoke(EventHandlerDynamicProxy.java:30)
at $Proxy254.execute(Unknown Source)
at oracle.iam.platform.kernel.impl.OrchProcessData.runActionEvents(OrchProcessData.java:1036)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:644)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:764)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.process(OrchestrationEngineImpl.java:519)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:459)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:378)
at oracle.iam.accesspolicy.impl.AccessPolicyServiceInternalImpl.evaluatePoliciesForUser(AccessPolicyServiceInternalImpl.java:78)
at oracle.iam.accesspolicy.api.AccessPolicyServiceInternalEJB.evaluatePoliciesForUserx(Unknown Source)
at sun.reflect.GeneratedMethodAccessor5730.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy574.evaluatePoliciesForUserx(Unknown Source)
at oracle.iam.accesspolicy.api.AccessPolicyServiceInternalEJB_bgsblp_AccessPolicyServiceInternalRemoteImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
at oracle.iam.accesspolicy.api.AccessPolicyServiceInternalEJB_bgsblp_AccessPolicyServiceInternalRemoteImpl.evaluatePoliciesForUserx(Unknown Source)
at sun.reflect.GeneratedMethodAccessor5727.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
at $Proxy164.evaluatePoliciesForUserx(Unknown Source)
at sun.reflect.GeneratedMethodAccessor5726.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at $Proxy421.evaluatePoliciesForUserx(Unknown Source)
at oracle.iam.accesspolicy.api.AccessPolicyServiceInternalDelegate.evaluatePoliciesForUser(Unknown Source)
at com.thortech.xl.schedule.tasks.tcTskUsrEvaluatePolicies$PolicyEvalWorker.run(tcTskUsrEvaluatePolicies.java:319)
at java.lang.Thread.run(Thread.java:662)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask$XLSchedulerThread.run(SchedulerBaseTask.java:157)
[2013-01-30T10:11:47.081-05:00] [oim_server1] [NOTIFICATION] [IAM-0080046] [oracle.iam.platform.kernel.impl] [tid: Thread-1030] [userId: oiminternal] [ecid: 3f3dc64898fb7625:-13c8cd5d:13c88a6943c:-8al.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
        at oracle.iam.accesspolicy.api.AccessPolicyServiceInternalEJB_bgsblp_AccessPolicyServiceInternalRemoteImpl.evaluatePoliciesForUserx(Unknown Source)
        at sun.reflect.GeneratedMethodAccessor5727.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
        at $Proxy164.evaluatePoliciesForUserx(Unknown Source)
        at sun.reflect.GeneratedMethodAccessor5726.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
        at $Proxy421.evaluatePoliciesForUserx(Unknown Source)
        at oracle.iam.accesspolicy.api.AccessPolicyServiceInternalDelegate.evaluatePoliciesForUser(Unknown Source)
        at com.thortech.xl.schedule.tasks.tcTskUsrEvaluatePolicies$PolicyEvalWorker.run(tcTskUsrEvaluatePolicies.java:319)
        at java.lang.Thread.run(Thread.java:662)
        at com.thortech.xl.scheduler.tasks.SchedulerBaseTask$XLSchedulerThread.run(SchedulerBaseTask.java:157)
Any answer is highly appreciated.
Thanks,
MBiswal

Ok, did you reimported the /metadata/iam-features-accesspolicy/event-definition/EventHandlers.xml from the BundlePatch folder?
Have you followed Addendum to OIM 11.1.1.5.6 Bundle Patch 06 Readme (Doc ID 1543504.1)?

How to prevent Evaluate User Policies to run for Bulk loaded users?

Hi,
I have an OIM 11G R2 environment, where i did a bulk load of abount 200,000+ users, and all the users' accounts were created using target recon.
How do I prevent the evaluate user policies scheduler from running for these users?
Any ideas are welcome.
Thanks,
Aravind Suresh

Hi,
I do have roles and access policies.
But i do not want them to applied to them at this stage as they already got everything through target recon.
Only for new users or these users on update i want the evaluate user policies to run.
Otherwise running evaluate user policies for these many users could be a very time and resource consuming task.
Thanks,
Aravind Suresh

Problem with"Evaluate User Policies"sch task after the upgrade OIM R1 to R2

Problem with "Evaluate User Policies" scheduled task after the upgrade from OIMg R1 to OIM 11g R2
After the upgrade process is completed we are having issue with Access policy not triggering if rule is set to custom attribute
- We had a Rule with custom attribute (Policy='Full-Time') the value gets populated by event handler which triggers the access policy in OIM 11g R1.. which worked fine in OIM R1
After the upgrade the value is getting populated but even after running "Evaluate User Policy" the Access Policy is not getting triggered.
We tested creating a rule with other custom attribute,policy does not trigger even after running Evaluate User Policy schedule Task in this case too
but if we try creating rule with OOTB attributes(Country='US') it works fine the access policy got triggered after running Evalute User Policy
One more issue we observed is
- Evaluate User Policy value usr_policy_update is not updated still set to '1' even after the Access policy got triggered (as it worked when rule is set to OOTB attribute)
I believe after the evaluate user policy gets triggered for a user it should update the value from '1' to '0')
Please let me know if you have any idea..Thanks!

well, I overcame the issue by 'fooling' the installer: on second node, change the scan ip address to point to something else (ie, different ip address to the scan in the first node, cleanup then rerun root.sh, it went past the trouble stage, then I still have problem later at the time database creation. I think scan ip address has to be setup correctly (round robin thingy)
This is how i did the cleanup before rerun root.sh
/u01/app/11.2.0/grid/crs/install/rootcrs.pl -verbose -deconfig -force

Script or Command to flush/renew User policies

Dear Mac Pro's
I'am looking for a command to refresh/flush the user policies on the clients. Some policies won't work. In windows there is a command "gpupdate /force" is there also a command for Unx or a script?
Regards!
Roderik

I tried this script but i think its not going to catch loop..
I mean, testac6 is not a part of Test Group 3 so when i execute this scipt its still showing me
" Removing testac6 from the Test Group 3"
and not the catch loop part.
Shaktisinh Vaghela
Worked fine for me:
Removing testac6 from Test Group 1
Removing testac6 from Test Group 2
testac6 is not a member of Test Group 3
Suppose the user is in another domain. Another forest...
¯\_(ツ)_/¯
I guess we'll cross that bridge if we get there.
Don't retire TechNet! -
(Don't give up yet - 13,085+ strong and growing)

11.2.3a - Unable to edit exsisting xp user policies

Maybe I could get some help here. I am currently unable to edit XP group user policies from my zenworks 11.2.3a zone. All policies were "minted" uner the 11.2.2 version. I was able to edit policies no problem before the 11.2.3a Update. All machines have the 11.2.3a Group Policy helper activeX control installed on them (Fresh images not upgrades). Here are the problems I am having
1. When the group policy editor opens, all my policies are set to "Not Configured", even though these are active working policies with many items configured
2. Once in a ten or so tries, the group policy editor opens the ADM's correctly. I am able to configure the needed settings. The group Policy editor closes and echoes back theat the "Settings were successfully imported". The problem here is that the "upload button" stays dimmed out and I am unable to uplaed the configured policy.
Not really to sure what is going on.

mdymes wrote:
>
> Maybe I could get some help here. I am currently unable to edit XP
> group user policies from my zenworks 11.2.3a zone. All policies were
> "minted" uner the 11.2.2 version. I was able to edit policies no
> problem before the 11.2.3a Update. All machines have the 11.2.3a
> Group Policy helper activeX control installed on them (Fresh images
> not upgrades). Here are the problems I am having
>
> 1. When the group policy editor opens, all my policies are set to
> "Not Configured", even though these are active working policies with
> many items configured
>
> 2. Once in a ten or so tries, the group policy editor opens the ADM's
> correctly. I am able to configure the needed settings. The group
> Policy editor closes and echoes back theat the "Settings were
> successfully imported". The problem here is that the "upload button"
> stays dimmed out and I am unable to uplaed the configured policy.
>
> Not really to sure what is going on.
I've seen something like this in earlier versions as well - in my case
it was the version of the browser I used and the security settings of
this. What browser do you use?
Do you see the same if you use the ZCC from antoher server?
Niels
A true red devil...

"certain user policies are enabled that can only run during logon"

I have created a GPP for mapping a drive. Is there any way to NOT prompt for a logoff on first logon?
"certain user policies are enabled that can only run during logon"
OK to logoff?. (Y/N)

I have created a GPP for mapping a drive. Is there any way to NOT prompt for a logoff on first logon?
"certain user policies are enabled that can only run during logon"
OK to logoff?. (Y/N)

User policies not applied hence dlu not working

We have 6 pc's that for some reason don't get user policies. Here's the
line from zmd-message.log of the workstation agent:
[1296] [ZenworksWindowsService] [56] [] [PolicyManager] []
[ApplyPolicies: Either user session is null or Device-only mode is
enabled or Zen logon module is not present; not applying user policies.]
The zone is 10.3.3, we use a user source connected to edir and the user
is getting user policies on other computers. What's this Device-only mode?
regards,
Limor

Found the problem. Our people disabled Zenworks User Authentication in
the registry.
On 13/09/2011 09:13, Limor wrote:
> We have 6 pc's that for some reason don't get user policies. Here's the
> line from zmd-message.log of the workstation agent:
> [1296] [ZenworksWindowsService] [56] [] [PolicyManager] []
> [ApplyPolicies: Either user session is null or Device-only mode is
> enabled or Zen logon module is not present; not applying user policies.]
>
> The zone is 10.3.3, we use a user source connected to edir and the user
> is getting user policies on other computers. What's this Device-only mode?
>
> regards,
> Limor

Different user policies for same container possible?

hi all,
I have two policies (DLU (user rights) and User group policy , very strict)
applied to a user container where they login on workstations, which works
fine
Now these same users use also laptops, and i want to apply DLU (Power user
rights) and a less stricter user policy when they are using these laptops.
How can I do this ??
Thanks

fbrenn,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/

Making user policies stay in effect after logout

We enforce highly restrictive Windows group policies on our student users. Sometimes, a student is able to login offline, so they don't get the restrictive policy. In ZDM 7, we had the ability to make a user policy stay in effect after logout, which would keep the restrictions turned on until a user with less restrictions logged in. Is there a way to do this in ZCM 11? I looked in ZCC, and I can't see any option for this. FYI, we are using ZCM 11.2.2 MU 2.
Rick P.
Walla Walla Public Schools

Originally Posted by craig_wilson
Kevin,
Whoever told you that was clueless about GPOs.
User GPOs are removed at Logout.
Device GPOs are removed at Shutdown.
They are removed by Re-Applying the "Blank" GPOs located in
%zenworks_home%\bin\cachefiles\Orginal_GPO
(Or something like that w/o looking.)
These will only exist if a GPO is in place.
It would be possible to replace those GPO files with your locked down
files so when User/Machine GPOs are replaced with the "Blank" one, they
are actually using a Strong GPO.
On 2/15/2013 7:06 PM, RPummel wrote:
>
> kjhurni;2247277 Wrote:
>> I was told the policies were cached and would remain in effect unless a
>> new user with a DIFF policy logged in.
>>
>> I'll have to dig up my old emails as this was like over a year ago.
>
> This may be the theory, but it is not what we have observed in
> practice.
>
> Rick
>
>
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
Thanks Craig. Too bad it doesn't remain in effect on logout. Seems like a glaring security hole, IMO compared to how MS does it. OR how ZFD used to do it.
Guess an RMS is in order?

OSX Server - Advanced FTP users policies

Hi, I need to ask a pretty simple thing, that for servers should be quite straight forward.
On OSX Server (ver.2.2.2) I can't find any advanced ftp management console. What I mean is that i have let's say three users:
User "A": Administrator
User "B": Project Manager 1
User "C": Project Manager 2
User "D": End User
Folder 1, Folder 2, Folder 3 and Folder 4
User A should see and manage all of them (read+write)
User B should see and manage F1 ("F" stands for folder) and F2 (let's say he's in charge of those two projects)
User C should manage F3 and F4 (but no access to F1 and F2)
User D should only read F4.
I thought this was a reasonably obvious thing to have in the app, although I couldn't find any of these things. Maybe that's just me, but seriously I was thinking as this was an obvious feature for an app called "Server" that has FTP-server features.
Is there any way I can do that?

I thought the exact same thing but apparently not. I ended up having to install PureFTP to get this type of management. I was dissapointed in Apple on this as I was hoping for a GUI. You CAN do this through the command prompt if I'm not mistaken, but just need to google it.

User Policies don't apply to just ONE system

Hi
Can somb help me out here?
I have created a user policy for all users to disable control panel and "run...". But on just
one single system they don't apply nomather what account I'm using. When I log on to anonther system with the same account they do apply.
I'm using Windows Server 2008R2 and clients are XP sp3.

Dear PJ1337, what's up?
On the the computer that you're having this problem, please open an elevated command prompt and type:
gpupdate /force . After that reboot your system and verify if the problem is fixed. If it's not, open again the command prompt and execute:
gpresult /h . After that search for GPresult.html and verify the GP is there but not getting applied.
I suggest you to verify if RSOP on the server side too.
Kindly Regards,

User Policies in SA540

Under the "User Policy By Source IP Address" is there anyway to define an IP address range?
Example: Some of my remote users don't have static IP's from their ISP however their Dynamic IP's tend to stay pretty constant, so as an added level of security in my current setup I am able to restrict their access to the range of IP's they may receive from their ISP by using a range of lets say 225.80.1.1 to 225.80.255.255. Is their anyway to accomplish this in the SA540? I see the option to define a source IP address under the User Policy option but it only lets me put one address in there, not a range like I would like to.

Any chance you could go into more detail.
When I change the option to IP Network it still only has room for a single IP address but it also allows me to change the Mask Length. Sadly I'm not sure what Mask Length means.
Let's say I want to limit access to only IP addresses in the range of 5.5.1.1 to 5.5.255.255. What would I put in the Network Address/IP Address field and what value would the Mask Length be?

User policies prevent MMS from creating snapln-modules

I have uninstalled mcafee virus program and after that I'm not into fierwall or administrative tools due to user policy refuses MMC to create snap-in and ask me to
contact the administrator who is me.I can not get into something or do some things. error messages is:CLSID:FX(b05566ac-fe9c-4368-be02-7a4cbb7cbe11) and CLSID:(58221C67-EA27-11CF-ADCF-00AA00A80033) please help

Hi,
Please try following steps to check the issue:
1. Navigate to the following directory:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CONFIG
2. Copy the 'machine.config' file to desktop just in case before you go to 3rd step.
3. Rename machine.config to machine.config.old which is locating in the directory above.
Since this issue can be caused by corrupted system files, please run following command to scan system:
SFC /SCANNOW
Considering that the corrupted .net components will also cause this issue, please also try to remove and reinstall .net framework:
.NET Framework cleanup tool now supports .NET Framework 4.5 and Windows 8
http://blogs.msdn.com/b/astebner/archive/2012/08/04/10336934.aspx
If this issue still persists or any error message after SFC, please upload the saved event log, CBS*.log and full error message here for further research.
Kate Li
TechNet Community Support

Security batch job to evaluate users with SAP_ALL access:

Hello,
I need to run some kind of batch report or program that runs for users that have SAP_ALL access.
Basically we need to run a report or program that shows what these users that currently have SAP_ALL are executing on a daily basis.
Do you have or know of a report/program that we can schedule nightly to find this information out ?
Thanks,
Steve

Hi Steve,
I don't think any SAP standard report or query is available for this. You probably have to design your own Z report/query to achive this.
However since SAP_ALL is a restricted access and you will have very few users with this access, if you want to find it out programs/transation being executed by these users, it can be done manually from ST03, through "Memory Use Statistics", probably this may help to identify the tables using which you can design your own report.
Regards,
Sanujit
Edited by: Sanujit Purohit on Jul 20, 2010 2:25 AM

Evaluate user policies

Similar Messages

Maybe you are looking for