GRC 10.0 - Auto Approve default roles

Hello All,
Could you please help me out with the below scenarios?
     1) We have maintained default roles in NWBC - Access Management - Default roles.
     Also set the parameter 2038 to Yes - Auto approve roles without approver.
In MSMP we have maintained Escape path if approver is not found at the role level.
As default roles have no approver maintained, request is taking the Escape Path, which should not happen.
We just want to auto approve the default roles, and for other than default roles the request should take escape path if no approver found.
     2) In other action it's quite the same as the above one.
     When we are using provisioning type REMOVE for role removal, request also takes the Escape path as default roles have no approver.
Once the Manager at first stage is approved, request should close for the removal type access.
Please advise. Thanks in advance.

In your custom initiator, you need to have mapped out all the scenarios of which path each line item in your request goes to.
The condition columns can be an array of attributes, i.e. Request Type, Role name, Role Connector (System the Role is in), Functional area etc.
In your case, if you want "default roles" auto approved, the easiest thing to do is create an empty path (i.e. no stages) and have the initiator set so that if the "Role Name" is "X" (i.e. your default role), go to the path with no stages.
BRF plus Flate Rule - GRC Integration - Governance, Risk and Compliance - SCN Wiki
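
The routing described in this answer, modelled as a first-match decision table together with a check that only maintained default roles can reach the path with no stages. This is an added example, not SAP code and not part of the original reply; the role names, path names, table layout and the simplified escape detour are all assumptions, and a real initiator is configured in BRF+/MSMP rather than written in Python.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple

class LineItem(NamedTuple):
    role: str
    action: str  # "ASSIGN" or "REMOVE"

# Everything below is constructed sample data with hypothetical names.
DEFAULT_ROLES = {"Z_DEFAULT_BASIC", "Z_DEFAULT_ESS"}  # maintained default roles
ROLE_OWNERS = {"Z_FI_AP_CLERK": "OWNER_FI"}           # roles that have an approver

PATHS = {  # path -> ordered stages; an empty list is the "empty path"
    "PATH_NO_STAGES": [],
    "PATH_MANAGER_ONLY": ["MANAGER"],
    "PATH_STANDARD": ["MANAGER", "ROLE_OWNER"],
    "PATH_ESCAPE": ["SECURITY_ADMIN"],
}

# Initiator table: (action pattern, role-name pattern, path); first match wins.
INITIATOR_TABLE = [
    ("REMOVE", "*", "PATH_MANAGER_ONLY"),           # removals close after manager
    ("ASSIGN", "Z_DEFAULT_BASIC", "PATH_NO_STAGES"),
    ("ASSIGN", "Z_DEFAULT_ESS", "PATH_NO_STAGES"),
    ("*", "*", "PATH_STANDARD"),
]

# Same table, but keyed on a name prefix instead of the exact default roles.
BROAD_TABLE = [
    ("REMOVE", "*", "PATH_MANAGER_ONLY"),
    ("ASSIGN", "Z_DEFAULT*", "PATH_NO_STAGES"),
    ("*", "*", "PATH_STANDARD"),
]

def initiator_path(item, table=INITIATOR_TABLE):
    """Pick the path for one line item from the first matching row."""
    for action_pat, role_pat, path in table:
        if fnmatchcase(item.action, action_pat) and fnmatchcase(item.role, role_pat):
            return path
    raise LookupError(f"no initiator rule matches {item}")

def effective_route(item, table=INITIATOR_TABLE):
    """Return (path, stages) after the simplified 'no approver found' detour."""
    path = initiator_path(item, table)
    if "ROLE_OWNER" in PATHS[path] and item.role not in ROLE_OWNERS:
        path = "PATH_ESCAPE"
    return path, PATHS[path]

def unexpected_auto_approvals(items, table=INITIATOR_TABLE):
    """Line items that reach a path with no stages without being a default role."""
    return [i for i in items
            if not effective_route(i, table)[1] and i.role not in DEFAULT_ROLES]

SAMPLE_REQUEST = [
    LineItem("Z_DEFAULT_BASIC", "ASSIGN"),   # default role, should auto approve
    LineItem("Z_FI_AP_CLERK", "ASSIGN"),     # has an owner, standard path
    LineItem("Z_MM_BUYER", "ASSIGN"),        # no owner, should take escape path
    LineItem("Z_DEFAULT_BASIC", "REMOVE"),   # removal, manager only
    LineItem("Z_DEFAULT_ADMIN", "ASSIGN"),   # looks like a default role, is not one
]

if __name__ == "__main__":
    for item in SAMPLE_REQUEST:
        print(item, "->", effective_route(item))
    print("flagged with exact table:", unexpected_auto_approvals(SAMPLE_REQUEST))
    print("flagged with prefix table:",
          unexpected_auto_approvals(SAMPLE_REQUEST, BROAD_TABLE))
```

With exact role names nothing outside the default role list is auto approved; the prefix-based table lets Z_DEFAULT_ADMIN through with no approver, which is the drift worth checking for whenever an empty path exists.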

Similar Messages

  • Creation of auto approval process for assigning role for a user in oim11g

    Currently I'm doing a scenario where a user must be automatically assigned to a role by using an approval policy. The user is already there in OIM, and we use a CSV file in which we take 2 columns, userlogin and role name, so that by running this scheduled task the user is automatically approved to that role. But I have to use the default auto approve policy in OIM without creating any BPEL process for that, so can anyone suggest how to proceed with this scenario?
    Thanks in Advance for quick response.

    If I understand correctly, you have users and their respective roles in a CSV file. Users are present in OIM. You want to assign those roles in the CSV file to the respective users?
    If this is the scenario, you need to write custom code for a scheduled task which will read data from your CSV file, create roles and assign them to the respective users.
    To create a custom scheduled task in OIM 11g, you may refer to:
    http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/scheduler.htm
    regards,
    GP

  • Defaults Roles Doubt - GRC 10.0

    Hi All,
    I have a query regarding default roles in GRC. In the role search screen, when the user selects a role, there will be a default roles column which shows all existing default roles for different systems maintained in GRC.
    Actually our client requirement is that when a user selects a role for ECC, only default roles defined for ECC should show up. But currently the default roles column shows all default roles defined in GRC.
    Is it possible to achieve our scenario? Anyone came across same issue?
    Regards,
    Sai.

    Dear Sai,
    the behaviour is standard as you have defined parameter 2011 as ROLE. To change the output you might need help of an ABAPler.
    Alternatively you can change parameter 2012 to REQUEST and then the requestor won't see the default roles as they are added to the request after submission. Only the approvers can see the added default roles.
    Best regards,
    Alessandro

  • ARQ: Default Role Provisioning Problem in Access Request???

    Hi,
    This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
    MSMP Issue - GRC 10
    I have also followed the note#1616092  for configuring the Default Roles.
    I have performed below activities:
    1. Param#2009 = YES
    2. Param#2010 = 001
    3. Param#2011 = REQUEST
    4. Param#2013 = SYSTEM
    5. Param#2038 = YES
    6. Imported a test role and NO ROLE OWNER is maintained.
    7. In NWBC->-AM->RM, I maintained a test role as a default.
    Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, once Manager approves the request, it is getting failed.
    The Audit Log says that the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)"
    May I know what I am missing here? Why I am getting error and how can I resolve it?
    Please advise.
    Regards,
    Faisal

    Hi Faisal,
    sorry for late response, I was away traveling.
    default roles are being added by default to access request
    Yes, these roles are added to the access request.
    FN: OK
    and this roles are following your normal paths which I guess assumes manager and role owner.
    How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
    FN: OK If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exactly the same like regular roles.
    - request is going to detour path
    Does it answer my question?
    FN: My point was default roles like all other will go to detour path (assuming you set it up globally)
    Default roles can have separate path (in my case) where only supervisor is approving it.
    Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER" I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
    FN: correct
    It was designed in a way that initiator rule based on role criticality is sending this rule to separate path without role owner.
    Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
    correct
    If you do not have separate path - this role like any other will follow standard path you have.
    Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
    FN: good
    My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
    FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
    If the role does not have role owner it will not allow you to even get to Role Owner stage - request will be detoured.
    My point from the beginning was - instead of using the routing rule - in our case we used separate path for default roles without role owner :) only consisting of manager stage. Again your approach is different but also will work.
    Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
    Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
    Are you asking for default roles?
    Please advise.
    Regards,
    Faisal

  • Default role Issue

    Can anyone help us in configuring the default role in GRC 10?
    We are on SP15.
    Default role attribute is Company. Default role gets added to the request but the role needs an approver. If there is no approver, the request goes to the escape route.
    Regards,
    Vinayalaxmi

    Hi Vijaylaxmi,
    As stated by other people, you need to configure MSMP workflow path for approvals. You can configure agent to read the approver from a BRF+ table or a function module also. It depends on your business environment. If approvers don't change often, you can use BRF+ decision table also else you can put your logic inside the function module to find the approver.
    Regards,
    Ravi

  • UAM auto approval

    Hello,
    Does anyone already have experience with auto approval?
    We would like to test such a function.
    Optional idea is:
    user selects high level attributes and UAM gets some default "uncritical/compliant" roles.
    Once the request is submitted, the request is auto approved and user can start working.
    More critical roles need to follow the standard process.
    Thanks for any idea and help.
    Regards Nguyen

    Hi,
    This is easily doable by implementing a custom initiator and having the "Compliant" path set up with no stages. It is this path that will have the "Compliant" roles pass through for Auto Approval.
    Another path will be set up with a stage to assess/approve the critical roles.
    If you want all compliant roles assigned with immediate effect (irrespective of if the critical roles have been approved or awaiting approval), then ensure your provisioning setting is set to "Auto-Provision at end of Path".
    All the best

  • Auto Approval of Self User Registration Fails OIM 11g R2

    Use Case : Auto Approval of Self User Registration
    Steps followed
    1. A New Approval Policy created with Auto Approval flag set as True for Request Level Approval.
    2. A New Approval Policy created with Auto Approval flag set as True for Operation Level Approval.
    3. The field Organization was pre populated using the Pre Population Adapter, as mentioned below.
    <AttributeReference name="Organization" attr-ref="act_key" type="Long" widget="ENTITY" length="256" required="false" available-in-bulk="false" entity-type="ORGANIZATION">
    <PrePopulationAdapter name="OrgPrepopulateAdapter" classname="com.plugin.OrgPrepopulateAdapter"/>
    </AttributeReference>
    4. A new user was created using the "Register New user" Link.
    5. Log in as System Administration and under Track requests, found that the New request has failed.
    6. On click of Request link, the request details show the Organization field has populated with the expected value.
    7. The logs suggest that the Request failed due to Organization field going Null.
    LOG
    [2013-02-12T15:50:39.138+05:30] [oim_server1] [ERROR] [] [oracle.iam.request.impl] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: e171ff3c1743d36a:6c2e4f90:13ccdc4a231:-8000-00000000000006f8,0] [APP: oim#11.1.2.0.0] Exception thrown java.lang.IndexOutOfBoundsException: Index: 0, Size: 0     
    [2013-02-12T15:50:39.138+05:30] [oim_server1] [ERROR] [] [oracle.iam.request.impl] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: e171ff3c1743d36a:6c2e4f90:13ccdc4a231:-8000-00000000000006f8,0] [APP: oim#11.1.2.0.0] Exception thrown Index: 0, Size: 0[[     
    java.lang.IndexOutOfBoundsException: Index: 0, Size: 0     
         at java.util.ArrayList.RangeCheck(ArrayList.java:547)
         at java.util.ArrayList.get(ArrayList.java:322)
         at oracle.iam.requestactions.approval.operationlevel.OrgBasedMethodology.getOrgDetails(OrgBasedMethodology.java:215)
    -------------

  • RE: Default role config in CUP

    Dear Experts,
    I got a problem with default role configuration. Please help me in resolving the issue.
    I want to configure defaults for all request types like new account and change account as well. Also I want the option "Create if user does not exist" set to YES.
    This means whenever change account workflow is executed for the existing users, default roles are getting assigned redundantly. Is there any way to fix this problem?
    My solution is to schedule "PRGN_COMPRESS_TIMES" job so that system will delete all redundant roles. Please advise if there is any other alternative. Client is insisting to have the option "Create if user does not exist" in Auto provisioning enabled.
    I appreciate your help.
    Thanks,
    Raj

    Hi
    Set the below parameters; it never assigns the role for change request.
    It is working in our system.
    CUP -> Configuration -> Roles -> Default Roles -> Request type = New Hire

  • Self Register User Auto Approval Scenario in OIM 11g

    Hello,
    I was working on a scenario of suppressing approval while self-registering a user; the following steps were performed:
    1) Export SelfCreateUserDataSet.xml using weblogicExportMetadata.sh
    2) Modified SelfCreateUserDataSet.xml [removed approver-only tag from organization attribute]
    3) Imported SelfCreateUserDataSet.xml using weblogicImportMetadata.sh
    4) Restarted OIM & SOA server.
    5) Created approval policies, i.e. Request Level & Operational Level, both with Auto Approve condition.
    6) Made a clone of Self-Register User template & added organization restriction & added Self Operator role.
    7) When I tested the above scenario, xelsysadm had to approve for request & operational level. Organization was already selected, so shouldn't it get approved automatically, as I have mentioned Auto-Approve in the approval policy?
    Tested using following link:
    http://hostname:port/oim/faces/pages/USelf.jspx?E_TYPE=USELF&OP_TYPE=SELF_REGISTRATION&T_ID=Clone of Self-Register User
    Thanks,
    Rahul

    Hello,
    No, I cannot see the organization field as I have restricted organization to 'xyz'.
    My issue is resolved & the problem was that I had changed password of OIM, weblogic, also updated boot.properties file in oim & soa, but for some reason my SOA was not working although SOA server was running, so I changed password of SOAADMIN from EM, restarted all 3 servers & now my scenario of Self Register Auto Approve works.
    Now the only thing I am curious about is that when I self register a user, it shows Request failed, but when checked in OIM the user is created.
    Thank-You
    Rahul

  • Default Role configuration  in CUP

    Hi Experts,
    We are on GRC 5.3 SP9 and I am trying to assign  default roles based on the request type
    I want default roles to be assigned only for certain request type
    these are the parameters I have configured
    Consider default roles: YES
    Request Type: NEW Hire
    Default roles level: request
    user attributes: Company
    So I am forced to choose default role user Attribute Company.
    I was expecting that whenever a request is created for a new hire I wanted such and such role to be assigned by default!
    but now whenever a company (for which I mapped the default roles) is selected, it's putting default roles in all the request types.
    I would expect it only puts default roles for my request type NEW HIRE for the respective company!
    Any thought? I am missing something?
    Regards
    MK

    Hello Alpesh,
    SAP has come back saying that the application is designed that way; it always works with the combination of user attributes.
    To me it's clear user attributes are taking over the request type (clearly ignoring it). I don't see a point why they have a field in default role configuration for request type (Request type might as well be simply CUP).
    They have asked me to try with user attribute as system instead of company; looks like it works!
    I will give you more info
    Best Regards
    MK

  • OIM11g auto approval

    Hi,
    We are following the below link for Auto-Approval for self registration
    http://identityandaccessmanager.blogspot.com/2011/03/suppress-approval-self-registration.html
    Here is what it says:
    1. Export "SelfCreateUserDataset.xml".
    2. Remove Approver-Only tag from Organization Field
    3. Import it back into MDS
    4. Restart the Server
    5. Create an Approval Policy "Request Level Approval" & select Auto Approve check box with some basic Approval Rule
    6. Create one more Approval Policy with "Operation Level Approval" as Auto Approve with some simple Approval Rule
    We are not sure how to perform step no. 3 (import back to MDS).
    For this we followed the following link
    http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309/request.htm#OMDEV2869
    When we ran weblogicImportMetadata.bat we are getting the following error
    Problem invoking WLST - Traceback (innermost last):
    File "C:\Oracle\Middleware\Oracle_IDM1\server\bin\weblogicImportMetadata.py", line 21, in ?
    File "C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\mdsWLSTCommands.py", line 268, in importMetadata
    File "C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\mdsWLSTCommands.py", line 733, in executeAppRuntimeMBeanOperation
    File "C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\mdsWLSTCommands.py", line 996, in saveStackAndRaiseException
    WLSTException: java.lang.SecurityException: MBean operation access denied.
    MBean: oracle.mds.lcm:name=MDSAppRuntime,type=MDSAppRuntime,Application=OIMMetadata,ApplicationVersion=11.1.1.3.0
    Operation: importMetadata(java.lang.String, [Ljava.lang.String;, [Ljava.lang.String;, boolean, boolean, boolean, boolean, boolean)
    Detail: Access denied. Required roles: Admin, executing subject: principals=[SYSTEM ADMINISTRATORS, oimusers, xelsysadm]
    MDS-91009: Operation "importMetadata" failure. Use dumpStack() to view the full stacktrace.
    can anybody please let us know where we are making mistake???
    Thank you.

    http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309/utils.htm#BEIHDGCD
    Run weblogicImportMetaData.sh
    It will ask for username and password ... provide weblogic and password for user weblogic (Example)
    It will ask for URL: give URL for admin console: t3://domainname:7001 (Example)
    Done !!!
    Either restart the server or run PurgeCache.sh All

  • Timecard submitted from OTL Timekeeper screen is auto approved.

    Hi all
    Timecards submitted from OTL Timekeeper screen are auto approved even if I set the Time Store Approval Style preference to Supervisor Approval and link the preference to Timekeeper responsibility using Eligibility Criteria tab.
    I am expecting the timecard should go for an approval to supervisor since the approval style preference is set to Supervisor Approval, but it is auto approved as soon as the timecard is submitted. May I know the reason why the timecard is auto approved, or am I missing any setup to send the approval notification to supervisor? Here the customer would like to send the approval notification to supervisor if the timecard is submitted from timekeeper screen. Please advise.
    Please note that timecard submitted from self-service time is sending the approval notification to supervisor as expected.
    Thanks for your help.
    Regards
    Nag

    Hi
    Thanks for the response.
    As per my understanding, preferences linked to responsibility wouldn't be considered if the timecard is submitted for approval through timekeeper. In my case, I have three different users: employee, admin & manager. If either employee or admin submits the timecard then it should be sent for approval to manager. If manager submits the timecard then the timecard should be auto approved. Please note that all three will be using three different responsibilities to submit the timecard. I have created 4 different preferences.
    The preferences are linked as follows:
    Default preference (Auto Approval) linked to All People with precedence 10
    Employee preference (Supervisor Approval) linked to Self-Service Time responsibility with precedence 20
    Admin preference (Supervisor) linked to OTL time-keeper responsibility with precedence 30.
    Manager preference (Auto Approval) linked to OTL Super Time-Keeper responsibility with precedence 40.
    With the above setup, approvals are working fine as expected but if the timecard is submitted by admin then it's getting auto-approved.
    To fix the issue, I have changed the setup slightly as below
    Default preference (Supervisor Approval) linked to All People with precedence 10
    Employee preference (Supervisor Approval) linked to Self-Service Time responsibility with precedence 20
    Admin preference (Supervisor) linked to OTL time-keeper responsibility with precedence 30.
    Manager preference (Auto Approval) linked to OTL Super Time-Keeper responsibility with precedence 40.
    With this setup, timecard submitted by admin is going for an approval to manager (as desired) but if manager submits the timecard then the workflow sends a notification to the manager for approval, which is not expected.
    Is there any way to have different approval styles for both manager & admin? If admin submits then it should be sent for approval, otherwise if manager submits then it should be auto approved.
    Please advise.
    Thank you so much for your help.
    Regards
    Nag

  • Default Role Config in CUP

    Hello,
    I would like to configure CUP to add default roles for one specific system when Request Type is Create User but for another system when Request Type is Assign Role.  Is that possible?
    I am using GRC 5.3 SP 16.3.
    Vaner

    vcrilho,
    I'll give you an option. Maybe someone figures out a different one.
    You can create two new request types under configuration->request configuration->request type:
    Change_account_system1
    Change_account_system2
    You'll be able to configure default roles independently for each one of these request types.
    Regards,
    Diego.

  • CUP - default roles

    Hi,
    We are on AC5.3, SP11. I have configured default roles in CUP. Configuration is as follows:
    • Consider default roles: Yes
    • Request Type: New Account
    • Default role level: Request
    • User attributes: System
    • I have also linked the system to the role
    When I create a request (attributes: new account and relevant system) I would expect the role that I have configured to pull through to my request under “select roles”. This does not seem to be the case.
    Any idea what I am doing wrong? Or how the system is expected to behave?
    Any help will be appreciated.
    Thanks
    Mo

    Hi Mo,
    The scenario can be achieved by
    -- In the request form customization make Role as non mandatory
    -- In the Configuration -> stage -> additional configuration -> make Add Role = Yes
    -- Create a custom Text field where the end user who does not know the exact role name can enter some text description.
    Based on this description the 1st approver can add the required role to the request.
    And users who know the role can add the same during request creation also.
    Regards
    -Ranjiv

  • How to stop auto approval  of requests by xelsysadm ?

    Hello OIM-SOA experts, when I submit a role request using xelsysadm user, the operational level request is auto approved even though I have custom approval in place. But requests submitted by others will go for approval process. How to avoid auto approval of xelsysadm requests for operational level? Is it possible to configure this?
    Appreciate your suggestion
    Thanks

    How did you create Approval Policy ?
    Did you create Request Level and Operation Level Policies ?
    Did you select proper Request Type ?
    Did you create proper rule which satisfy your expected results ?
