Find disabled user in idm side or AD resource?

Any disabled user is moved to the disabled accounts OU in AD in our environment.
What is the best way to check for any disabled user in a workflow? Is this on the IDM side or in the disabled user's OU in AD?
If so, what would be the correct attribute to use?
Please suggest.
Thanks for your help.
Edited by: @waveset on Mar 3, 2008 1:10 PM
Edited by: @waveset on Mar 3, 2008 1:14 PM

I am trying to get this value at runtime in a form or rule.
I am getting the user object as follows:
<defvar name='thisUserObj'/>
<setvar name='thisUserObj'>
    <invoke name='getObject'>
        <new class='com.waveset.server.InternalSession'/>
        <invoke name='findType' class='com.waveset.object.Type'>
            <s>User</s>
        </invoke>
        <ref>accountId</ref>
    </invoke>
</setvar>
I SHOULD be able to reference the disabled attribute in any of the following ways, but they all return null:
<notnull>
    <select>
        <invoke name='getAttribute'>
            <ref>thisUserObj</ref>
            <s>disabled</s>
        </invoke>
        <ref>thisUserObj.accounts[Lighthouse].disabled</ref>
        <ref>thisUserObj.waveset.disabled</ref>
    </select>
</notnull>
What am I doing wrong? Any help is appreciated.
Thanks

Similar Messages

  • Unable to find disabled users

    I used the below to search for all disabled users in the system. I have a disabled user in IDM but the queryResult is null in the log file. Do you have any ideas?
    <Action id='0' application='com.waveset.session.WorkflowServices'>
        <Argument name='op' value='queryObjectNames'/>
        <Argument name='type' value='User'/>
        <Argument name='attributes'>
            <map>
                <s>dis</s>
                <s>true</s>
            </map>
        </Argument>
    </Action>
    dis is in the <QueryableAttrNames> list already. It's one of the predefined attributes in this list. I did not add it in.
    Thanks

    I found the answer. I found it in the WFs, Forms and Views documentation for 7.1. This will find all users who are either disabled or partially disabled.
    <Action id='0' application='com.waveset.session.WorkflowServices'>
        <Argument name='op' value='queryObjectNames'/>
        <Argument name='type' value='User'/>
        <Argument name='single' value='false'/>
        <Argument name='attributes'>
            <map>
                <s>lhdis</s>
                <s>true</s>
            </map>
        </Argument>
    </Action>
    What I don't understand is that lhdis is not defined in the <QueryableAttrNames> list. Below is the <QueryableAttrNames> list out of the box. It has only dis but not lhdis. Even though I got the result that I want, I want to know how we can use lhdis when it's not in the <QueryableAttrNames> list. Does anyone know?
    <QueryableAttrNames>
        <List>
            <String>correlationKey</String>
            <String>role</String>
            <String>email</String>
            <String>name</String>
            <String>firstname</String>
            <String>lastname</String>
            <String>idmManager</String>
            <String>prov</String>
            <String>dis</String>
            <String>locked</String>
            <String>user_resources</String>
        </List>
    </QueryableAttrNames>

  • Disable user thru IDM ...

    I added the following code to the bottom of active sync form to disable a user from all resources without luck.
    The side effect of the following code is to remove all resource names from waveset.resources list. What did I miss? Thanks in advance for any clue.
    <FieldLoop for='name' in='waveset.accounts[*].name'>
        <Field name='accounts[$(name)].disable'>
            <Expansion> true </Expansion>
        </Field>
        <Field name='update.accounts[$(name)].disable'>
            <Expansion> true </Expansion>
        </Field>
    </FieldLoop>

    Why are you updating the update object?
    If you do accounts[Resname].disable = true it will disable the account as well. Then use waveset.disable for lighthouse. I did this exact thing last week and it worked fine. If you have problems, feel free to email me.
    -Dana Reed
    AegisUSA
    Denver, Colorado
    [email protected]
    "Now hiring best in breed IDM professionals..inquire via email"

  • How to disable a Entire row in a Matrix in Find Mode (User Form)

    Hi,
    How to disable a Entire row in a Matrix in Find Mode (User Form)
    Regards
    Jambu

    Hi,
    I am using Bubble event = false in the click event, but the matrix row is allowed to be edited, although we can't save the document in Find Mode. That is fine.
    My actual requirement is that in Find mode the matrix row does not allow entering data.
    For example, in ADD mode I enter the data in three rows (Item Section - Matrix) and save the document. When I open the document in Find mode, the three rows should not be editable, like the same functionality of PO, Sales Order, etc.
    Regards
    Jambu

  • User disabled in LDAP triggers disable identity in IDM?

    IDM 7.0 on Sun JES Stack
    Authoritative Source is LDAP, Sun Directory Server 5.2
    This pertains to Termination e.g. Employee/Contractor gets terminated.
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    Based on the above two criteria, how do I trigger the Disable User workflow in IDM so that the user's IDM Identity gets disabled?
    I've been exploring the LDAP Activation Method/Parameter?
    com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable
    But am unsure on how to approach this. Has anyone successfully implemented this? Documentation is pretty unclear. Thanks in advance.

    Given the below scenarios:
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    We've resolved #2 using MetaView and Rule. On the LDAP resource adapter itself, we used:
    LDAP Activation Method: nsaccountlock
    LDAP Activation Parameter: accountLockAttr
    (where this is your IDM system attrib specified in resource schema)
    In MetaView, for attrib "accountLockAttr", Source: Rule: Is obuseraccountcontrol disabled, Target: IDM, All Resources
    In MetaView > Identity Events, we set the Disable event,
    Based on that, we believe we can resolve #1 to trigger the Disable User Workflow. The problem is, how do you Re-Enable a user if the user's LDAP record is deleted from the authoritative source (LDAP)?

  • Session holding lock..need to find the apps user holding that SID

    Hello
    in v$lock
    a session is blocking another session..Sid is displayed there
    now i can kill that session if it is holding a lock for too long and i do so too
    But I want to know which apps user it was. There are more than 500 users that connect from EBS R12. How would I know which user that SID belongs to?
    So basically I need to know the apps user holding that SID which is blocking the other session.
    Please advise.
    Thanks

    Refer to the following links/notes:
    Which FND_USER is locking that table: http://oracle.anilpassi.com/which-fnd-user-is-locking-that-table-2.html
    Note: 180683.1 - What is the Supported Method for Releasing a Oracle Application User's Lock on a Table?
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=180683.1
    Note: 109061.1 - How to Check Whether an AOL Table is Locked
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=109061.1
    Note: 185762.1 - Script: How To Identify The apps User Using The O/S PID For Forms Users In 11i
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=185762.1

  • SQL Query to Find out User has what all resources provisioned !

    Hi Guys ,
    Does any one have a SQL query to find out what resources are provisioned to a particular user ?
    Thanks
    Suren

    Hi,
    Hope this will help you.
    SELECT distinct usr_login as "IdM User ID",
           usr_employeeID as "Employee ID",
           usr.USR_FIRST_NAME as "First Name",
           usr.USR_LAST_NAME as "Last Name",
           usr_status as "User Status",
           USR_EMP_TYPE as "Employee Type",
           obj.obj_name as "Application Resource",
           ost_status as "Application Resource Status"
    FROM ost, oiu, obj, usr, obi
    WHERE oiu.ost_key = ost.ost_key
      AND obj.obj_key = obi.obj_key
      AND oiu.usr_key = usr.usr_key
      AND ost_status in ('Provisioned', 'Revoked', 'Disabled', 'Provisioning')
      AND oiu.obi_key = obi.obi_key
      AND usr_EmployeeID like '11111'
    This query will provide all the resources to which the user is linked and whose resource status is 'Provisioned', 'Revoked', 'Disabled' or 'Provisioning', for a particular employee ID. I am not completely sure whether I have given the Employee ID column from the USR table correctly. Verify it once and then query the DB.

  • How to find the user who created record on PA_TRANSACTION_INTERFACE_ALL ?

    We are trying to develop a custom workflow to send Project WebADI transactions through workflow approval. My problem is, from the PA_TRANSACTION_INTERFACE_ALL table where the interface records are populated, I can't find the user responsible. (Notification will be sent to the creator's manager.)
    What we planned for the design is:
    Disable the import program being run from WebADI Screen. This ensures data stays in PA_TRANSACTION_INTERFACE_ALL  and does not go to PA_EXPENDITURES_ALL Etc.
    Looking at the data, send notifications. When the approval is given, run the import program to send the data to PA_EXPENDITURES_ALL Etc.
    We were also going to remove the import program from the custom responsibilities so that users don't run it.
    First, we had to disable the Import program being run from the WebADI screen. We did this by editing the integrator. Now when the data is imported into this table, we can see many columns do not have data. CREATED_BY etc. are populated only if the import program runs. But if it runs, then the transactions have already gone in and the approval process is meaningless.
    The only thing that looks like it could be useful is TXN_INTERFACE_ID, but I cannot find another place where it will link to.
    Could you help us find a way to find the creator of the data in PA_TRANSACTION_INTERFACE?

    Hi
    I don't know the answer to your question, but thought of suggesting another approach.
    Leave the original import program in the integrator of the WebAdi.
    Develop a logic into Transaction Import Client Extension. There you can find the data that Oracle has already populated for the created by column, and you may trigger the notification submission for approval. Use the extension to alter the transaction status so it will not be actually interfaced, until you get the approval response.
    Dina

  • How to find the User who changed the connection settings

    Hi Gurus,
    I am basically a BW guy but I am looking for your precious guidance on this issue.
    We have a situation in our BW production system. The job loads were working fine till now, but it seems like someone has meddled with the RFC connection with R/3 prod.
    The connection between R/3 and BW is broken. I would like to know if there is any way to find the user, or some log to find who might have meddled with the RFCs.
    Help is greatly appreciated.
    Regards
    satish M

    Hello Satish,
    Which release are you on?
    Option 1: Take a look in SM59 selecting the destination and there is a "last changed" information displayed.
    Option 2: the table for these connections are often not logged for table change logging, but if they are... then try transaction SCU3 on the backend tables (table RFCDES is a good start).
    (search for rec/client and recclient etc as search terms).
    Option 3: Why would someone change a connection? Try to analyze what happened during the time period after the change, or even immediately before the change (audit logs, system events, server statistics etc). A simple check would be via SM20 to see who started SM59 immediately prior to this. A more complex check would be analyzing the RFC profiles in ST03N.
    Option 4: On the R/3 side, you might be able to find the same auditable information as well (perhaps even the IP address of the caller?) Tip: The person might have created a dump... => transaction ST22.
    Option 5: There are some other additional logging, tracing and control possibilities at a deeper technical level, if used or active at that point in time.
    Cheers,
    Julius

  • Could any one tell me that How can i create the service User ie j2ee SID

    Hi all,
    I am implementing the SPNego authentication scheme in my portal system.
    I want to create the service user, i.e. j2ee-<SID>.
    Could anyone tell me how I can create the service user, i.e. j2ee-<SID>, in my Visual Administrator?
    Any help will be highly appreciated.
    Thanks and regards,
    vinit soni.

    Vineet,
    the user management tab opens in Read Only mode - that's why the button is coming as disabled. There is a button for switching into Edit mode - it looks like a pen / pencil on the top bar. Click on that - your "Create User" button would be enabled.
    Also, regarding creation of a Service User at code level, you can see this thread: https://www.sdn.sap.com/irj/sdn/thread?messageID=1057074
    The SAP Help documentation on the required permission settings is here: http://help.sap.com/saphelp_nw04/helpdata/en/f9/e3162ec55f4df6922d161f3785012a/frameset.htm
    Regards,
    Shubhadip
    Message was edited by:
            Shubhadip Ghosh

  • Remove GrantSendOnBehalfTo disabled user accounts - A novice at scripting

    Hello. Can anyone help please?
    In our Exchange 2010 environment we have users who are granted send on behalf to access. Obviously some users leave, and I'm finding that there are ghosts left behind which are causing issues with our team who add users into the GrantSendOnBehalfTo option using the EMC. Using the log view we copy out the command, then remove the disabled user from the command, and then paste this into an Exchange PowerShell command line. This works because it is doing what Exchange EMC does, which is rewrite the -GrantSendOnBehalfTo option in its new entirety.
    The problem occurs because I need to remove these en masse from approx 700 plus accounts.
    I have tried to modify one user in order to get the script to work but it doesn't.
    This is the error message that happens when I run the script below against a known account with at least 2 disabled users in:-
    Couldn't find object "xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2013-08/Gaynor Collins-Punter". Please make sure that i
     was spelled correctly or specify a different object. Reason: The recipient xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2
    13-08/Gaynor Collins-Punter isn't the expected type.
        + CategoryInfo          : NotSpecified: (:) [], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : F6498844
        + PSComputerName        : ex02-0029.xx.xxxxxxx.xxx.xx
    Am running the script from my local PC
    This is the script I have used.
    # Gather info; use Get-Mailbox -ResultSize Unlimited to process every mailbox
    $mailboxes = Get-Mailbox zplew1
    Foreach($mailbox in $mailboxes)
    {
        # Walk the list backwards so that RemoveAt() does not shift entries not yet visited
        for($i = ($mailbox.GrantSendOnBehalfTo.count)-1; $i -ge 0; $i--)
        {
            $address=$mailbox.GrantSendOnBehalfTo[$i]
            $addressString=$address.addressString
            # Delegates that now live under the DisabledUsers OU
            If($addressString -like "*disabled*")
            {
                $mailbox.GrantSendOnBehalfTo.removeat($i)
            }
        }
        # Note: $info is never assigned anywhere in this script
        $info >> "C:\Scripts\grantsendonbehalfto.csv"
        $mailbox |set-mailbox -GrantSendOnBehalfTo $mailbox.grantsendonbehalfto
    }
    If you require any more info please let me know.

    #1 - I recommend posting in the Exchange forum for how to do this.
    #2 - When an account is disabled, most of the information in the object is hidden. You would need to undelete to use the object.
    #3 - Get the list as text and validate that all values are not deleted accounts. Remove the deleted ones and save back.
    ¯\_(ツ)_/¯

  • How to catch rollback in Disable user process task in Xellerat User Process

    hi ...
    I want to send an email to manager group of the user, once the user is disabled from the OIM (when end date is reached). I created an adapter and attached it to the ‘Changed User Disabled’ process task in the ‘xellerate user provisioning’ process and add a new row in the “Lookup.USR_PROCESS_TRIGGERS” Lookup definition. (code key: USR_DISABLED and Decode: Change User Disabled ). This adapter executes only when the user status is equal to “disabled”.
    This works correctly when the OIM user disabling process execute without any errors. But sometimes while disabling the user it gives an error (“resource is not configured properly”) and rolls back everything and make the user active. But at the same time my adapter runs and sends the mail informing user is disabled but yet user is active.
    My problem is how can I find or catch rolls back transaction in the “Disable User” process task (which is in “Xellerate User” process”) ??? If I can get to know that a roll back is occurred then I can send a mail to OIM administrator, informing that user disable process is failed.
    Can someone please help me to find this..
    Thanks in advance :)
    Regards,
    i.k.

    Hi Rajiv,
    Error occurs while disabling the user due to resource configuration problems. ( error message is : DOBJ.RESOURCE_NOTCONFIGURED_PROPERLY -- One or more provisioned resource is not configured properly) In this case i know the problem and how to solve it. But what I want to know is in any case if disable process get fail and if things get roll back again, then how can I track that situation and send a mail to OIM Admin(informing the failure) instead of sending a mail to user managers saying that user account has been disabled.
    I think now my problem is clear. Can you please help me to find this?
    Regards,
    i.k.

  • Disabling User Account Control - CUBAC

    Installing Cisco Unified Business Attendant Console. Documentation says that on Server 2003 / Server 2008 installations, disabling of the User Account Control is required. It gives a procedure to do this on Server 2008.
    The install I'm working on is on Server 2003. I cannot find anything like this. Googling on the subject has led me to believe that this is likely a documentation bug, as I can find no reference to Server 2003 having this feature.
    Has anyone else run into this? The documentation appears to have been written by someone who speaks English as a second language, and not thoroughly vetted for correctness.

    Hi Clifford,
    This would just be for Windows server 2008
    CSCtc77367            Bug Details
    CUBAC 3.1.1.5 docs need to say "disable User Account  Contol" in win2008w.
    It appears UAC (user account Control) a new feature found in   Windows Server 2008 will block license files from being properly applied  in CUBAC 3.1.1.5.
    The installation and requirement docs should  reflect that UAC needs to be disabled before installing CUBAC on Windows  Server 2008.
    Observations:
    Go to webadmin, licensing
    When  you look at that page, you will not see any licensing info; no eval.
    It  says, no licensing info.
    When we turned off UAC, the licensing  page showed the eval info for 5 days.
    At which point we were able  to add the license
    Status
    Fixed             
    Severity
    2 - severe
    Last Modified
    In Last Year        
    Product
    Cisco Unified Attendant Consoles         
    Technology
    1st Found-In
    3.1(1.5)       
    Fixed-In
    Release-Pending
    Cheers!
    Rob

  • Disabled users still in address book

    We are running Exchange 2000 on a Windows 2003 / AD platform. Disabled users are still appearing in the Outlook 2003 address book. Shouldn't they be automatically hidden? Users are accessing these addresses and creating emails, but of course can't get to the users.
    Firstly, how do I make a list of all users that were disabled but are still in the address list? Secondly, what's the best method to hide them (without having to access each one separately)?
    Thanks.

    Well, just disabling a user account doesn't remove the user name from the address book. You need to select the option "Hide from Exchange address lists", available in the Exchange Advanced tab of the user properties.
    I used to get the list of disabled users which are not hidden in the GAL with the below custom LDAP query in Exchange 2003.
    Open ADU&C, right click on the Domain and click on Find; in Find select "custom search", select the Advanced tab, and in "Enter LDAP Query" paste the below LDAP query and click on Find Now.
    (mailNickname=*)(userAccountControl=66050)(!msExchHideFromAddressLists=True)
    You may need to verify the value of an attribute "userAccountControl" of any disabled user with ADSIEdit.msc and give that value instead of 66050 because that one I used in Exchange 2003 and Windows 2003 environment.
    Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
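
The caveat in the answer above, as an added example that is not part of the original reply: userAccountControl is a bit field, so an exact match on 66050 only finds disabled accounts that carry exactly that flag combination. The code below decodes the value and builds a filter with Active Directory's bitwise-AND matching rule; the sample entries and function names are constructed for illustration.

```python
# Added example (not from the original post). Sample data is constructed.

# Well-known userAccountControl bit flags (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

# LDAP_MATCHING_RULE_BIT_AND: matches when all bits of the given value are set.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def disabled_visible_filter():
    """LDAP filter: mail-enabled, disabled (any flag combination), not hidden."""
    return (
        "(&(mailNickname=*)"
        f"(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})"
        "(!(msExchHideFromAddressLists=TRUE)))"
    )


def exact_match(entries, uac_value):
    """What an equality test such as userAccountControl=66050 selects."""
    return [e["sAMAccountName"] for e in entries
            if int(e["userAccountControl"]) == uac_value]


def find_disabled_visible(entries):
    """The bitwise filter's logic applied to already-fetched entries."""
    hits = []
    for e in entries:
        if not e.get("mailNickname"):
            continue  # not mail-enabled, so never in the address book
        if not int(e["userAccountControl"]) & ACCOUNTDISABLE:
            continue  # account is enabled
        if str(e.get("msExchHideFromAddressLists", "")).upper() == "TRUE":
            continue  # already hidden from address lists
        hits.append(e["sAMAccountName"])
    return hits


# Constructed sample directory entries.
SAMPLE = [
    {"sAMAccountName": "alice", "mailNickname": "alice", "userAccountControl": 66050},
    {"sAMAccountName": "bob", "mailNickname": "bob", "userAccountControl": 514},
    {"sAMAccountName": "carol", "mailNickname": "carol", "userAccountControl": 512},
    {"sAMAccountName": "dave", "mailNickname": "dave", "userAccountControl": 514,
     "msExchHideFromAddressLists": "TRUE"},
    {"sAMAccountName": "svc", "userAccountControl": 514},
]

if __name__ == "__main__":
    print("66050 =", decode_uac(66050))
    print("exact match 66050:", exact_match(SAMPLE, 66050))
    print("bitwise disabled, still visible:", find_disabled_visible(SAMPLE))
    print(disabled_visible_filter())
```
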

  • Disable user in OIM

    Hi *
    When I disable a user, it should not disable the user's access to a particular resource in which he is already provisioned.
    This requirement looks pretty simple, but I could not find how to implement this functionality in the Design Console.
    Please help me in this regard.
    Thanks in advance.

    @OIM Learner.
    If I update AD User ---> Disable User to 'No Effect'
    Then while trying to disable the user from the Admin console it gives an error:
    User Detail >> Resource Profile >> Ad User -> Disable
    Thor.API.Exceptions.tcAPIException: Resource is not configured properly.
    Class/Method: ResourceProfileProvisioningTasksAction/dispatchConfirmation encounter some problems: Cannot Disable
    Later I reverted back to AD User ---> Disable User to 'Disable Process or Access To Application'
    Admin Console:
    User Detail >> Resource Profile >> Ad User -> Disable
    It disables user from AD.
    Is there a way to stop the automatic trigger on OIM User disable? In our environment a user might need to have access to resources even after being disabled from OIM.
    Thanks a lot.
