GRC AC 10: Emergency Access Management, Logon button is disabled (GRAC_SPM)

Similar Messages

• Reason Codes not displaying when performing emergency access management(SPM

  Hello guru,
  I am experiencing a little problem when using superuser privilege management (emergency access) functionality in AC 10.0.
  My problem is that the reason codes created in the AC system via the reason code link in the workcenter does not appear as drop down for me when I click on the logon button in the initial screen displayed in transaction SPM_GRAC.
  Suffice to say that i do not have any reason code to pick from in the drop down for superuser privilege management in the AC system when i logon with the firefighter user to perform SPM.
  Please help me out with your suggestions.
  Thanks

  Hello guru,
  I am experiencing a little problem when using superuser privilege management (emergency access) functionality in AC 10.0.
  My problem is that the reason codes created in the AC system via the reason code link in the workcenter does not appear as drop down for me when I click on the logon button in the initial screen displayed in transaction GRAC_SPM.
  Suffice to say that i do not have any reason code to pick from in the drop down for superuser privilege management in the AC system when i logon with the firefighter user to perform SPM.
  Please help me out with your suggestions.
  Thanks

• GRC AC Emergency Access Management (EAM) and STAD report data

  Dear Community,
  we use EAM (ID based fire fighting) and the Log synchronization jobs are scheduled every half hour in order to get the fire fighter logs from the back-ends for review by the controller. Due to a technical issue the synchronization jobs are not working correctly over several days. We experienced missing session details (executed transactions, programs, changes, etc.) for many Fire fighter sessions. As one the source of of the fire fighter log is STAD on the back end and these data are only buffered 48 hours per default, I expect that I can't recover the logs and they are irreversible lost if GRC is down or the sync-jobs are not running for more that time. That can happen over a weekend....
  I ask you:
  can you confirm my expectation?
  does it make sense to extend the STAD buffer up to e. g. 96 hours for all GRC production back ends?
  have you controls in place to check if the sync-jobs are running and the logs are synchronized correct and complete?
  I would appreciate, if you can share some thoughts with me about this.
  Thanks in advance,
  Andreas Langer

  Hi Andreas,
  - Please check the below note, for missed log entries
  1934127 - GRC10 EAM: EAM recovery program to retrieve missing log and to generate the missing workflows
  - The maximum value is 99, and it is the number of stat files that  are generated. So, you can get records upto 4 days.
  - Periodic Monitoring activity activity can be set, which is done manually. I am not aware if Process Control, can take care of this monitoring.
  regards

• Simple MSMP workflow for Emergency Access Management

  Hi,
  I am not able to get the EAM to work in Access Control 10. The user is able to successfully place a access request for FFid but there is a error in the workflow logs. I have not done any customization of the MSMP for GRAC_DEFAULT_PATH and other similar stages, as I am not aware of the the specific values that need to be maintained.
  I want to avoid customizing as much as possible and use what SAP offers by default. The workflow steps I am looking for is : user places a request for FFid and the request is received by the FFid Owner (Manager) and approved by him, Once approved, the FFID is provisioned automatically and the user can login to tcode GRAC_SPM and use his FFid, and the Controller gets alerted about the log.

  Hi Veera,
  Did you define a condition in your initiator decision table in BRF+ to route your EAM requests to firefighter path.
  Do you have stage called FF Owner?
  Did you create a Firefighter path in MSMP configuration with FF Owner stage in it?
  Did you maintained route mapping in your MSMP workflow configuration?
  Please share your BRF+ initiator decision table and MSMP workflow config screenshots to help you further.
  If you are new to MSMP and BRF+ config, please check this link for understanding the concept.
  MSMP - Multi Step Multi Process – GRC&#82... | SCN
  Regards,
  Madhu.

• GRC 10: Centralized Emergency Access  - SPM Questions

  Can Firefighter logon using the Netweaver Business Client to launch Firefighter ID?
  Is that mandate to use GRC system to launch Firefighter ID using GRAC_SPM transaction code? or can the user logon to local system as well?
  What about Portal based system Firefighting functionality? Can we have Firefighter IDs on Netweaver Java system?  
  Will I be able to grant a Firefighter ID to a Firefighter User  on hourly basis?
  For initial setup , how the initial data load of Firefighter Ids Owners, Controllers and Firefighter Users can be done? Are there options like load from Excel or CSV available as part of setup toolset?
  Edited by: sarath govindarajual on Mar 16, 2011 4:53 PM

  Can Firefighter logon using the Netweaver Business Client to launch Firefighter ID?
  - No, GRAC_SPM is the way to go.
  Is that mandate to use GRC system to launch Firefighter ID using GRAC_SPM transaction code? or can the user logon to local system as well?
  - Yes. However, the option would be nice to have a workaround in case GRC is down
  What about Portal based system Firefighting functionality? Can we have Firefighter IDs on Netweaver Java system?
  - As far as I know only for transactional SAP systems.
  Will I be able to grant a Firefighter ID to a Firefighter User on hourly basis?
  - Same as answered already  - no. 
  For initial setup , how the initial data load of Firefighter Ids Owners, Controllers and Firefighter Users can be done? Are there options like load from Excel or CSV available as part of setup toolset?
  - Same as answered already  - no.

• Emergency Access Management & SPM 5.3 - add default text!

  Hi, is there a way to initialize the text fields, which pop up when you logon as a firefighter, with default values (such as Enter Ticket Number here: #)?
  Would be interesting for 5.3 as well as 10.0.
  Thank you

  HI Andreas,
  There is no such possibility, You can only configure the reason codes, but I dont think there is any way to configure predfeined texts as such, since this is ABAP, you might find  a user exit that might allow you to write your own custom code. I have never explored the option.
  Regards,
  Chinmaya

• Emergency access procedure - non GRC

  Hi guys,
  Just wondering if you have a written Emergency Access Procedure (FireFighter), which is not based on GRC.
  My client has unfortunately no GRC installed at all.
  Also wondering if Solman can be utilized as currently they use it for change management..
  Thanks a lot
  Cheers
  Greg

  Greg,
  I have experience with two different non-GRC Firefighter procedures, both role-based.
  In one solution, the user submitted a Firefighter request for either the HR or the non HR Firefighter role to be assigned; the form was a custom Outlook form. A custom ABAP program monitored the assignment of these roles, logged the tcode usage of the IDs with the role assigned, sent an audit report to the user's manager which included tcode usage and if the tcodes used were in the user's regular roles or in the FF role, and the manager had to return the report to SAP security as confirmation that it had been reviewed.
  In the other solution, the request logged into the IdM solution to request firecall authority. The requester must be pre-approved to request elevated SAP access. IdM provisioned the extra access to the users account and notifiedboth the user's manager and SAP Security. IdM deprovisioned the extra access at the specified time in the request. SAP Security was responsible for auditing the use and documenting the tcodes used in a report sent to the user's manager and all of this was documented in an IT incident ticket.
  The second solution required a lot more manual effort from the SAP Security team, butit was not invoked often. The first solution, while much more automated, presented its own challenges, as the buffer for the tcode usage statistics  frequently overflowed, and a designated resource would have to work to resolve.
  So from my experience, I would say that there is a good reason why customers choose to implement a GRC firefighter solution.
  Cheers,
  Gretchen

• GRC 10.0 - Centralized Emergency Access

  Hi experts,
  Have a question lets see if someone else have faced this same concern.
  We are facing an implementation of the new GRC - AC 10.0 and when configuring the component Emergency Access (former SPM) we realized that in order to assign and end user to a FF ID, the end user account must be created in the GRC AC server.
  This concept changes from the last AC 5.3 version where end users only needed to be created in the SAP ERP and have the role /VIRSA/Z_VFAT_FIREFIGHTER assigned in order to access transaction code /n/VIRSA/VFAT.
  So if what Iam saying is correct, that means that we have to create one user in GRC for each user that we have in the SAP ERP, is that correct? And, if that is correct, that means that we need to buy as many licenses for GRC 10.0 as the one that we have for the SAP ERP?
  Thanks very much for your support
  Best regards,

  Hi,
  only user who shall be able to use FFIDs (EAM) need a user on the GRC box! I guess these are not all users in your SAP ERP system?!
  Regards

• Login onto Oracle Access Manager HELP PLEASE!!!

  Hi All,
  I have a major problem, all of a sudden I am unable to log on to my Access Manager via the Web Console.
  My OAM is using OVD for User Directory and AD as the configuration Directory.
  When I try and logon using any user (LDAP mainly) it says "invalid credentials", I hit "Lost PW" button and returns the same message.
  Has any one got any ideas, OVD seems ok, I can browse both my Active directories with it, my AD are avaliable (telnet port 389 ok)
  I have enabled loggin on the OVD. It give me the following on the main server log. below is also the server exception log, sections are separated by a -------------.
  Thanks inadvance
  [2008-03-19 18:05:37,635] WARN - DoSManager: Found unbound connection from active ip addresses.[Session: cn=admin/192.168.200.75] [DoSManager]
  [2008-03-19 18:05:37,635] WARN - DoSManager: Found unbound connection from active ip addresses.[Session: cn=admin/192.168.200.75] [DoSManager]
  [2008-03-19 18:05:37,635] WARN - DoSManager: Found unbound connection from active users.[Session: cn=admin/192.168.200.75] [DoSManager]
  [2008-03-19 18:05:37,635] WARN - DoSManager: Found unbound connection from active users.[Session: cn=admin/192.168.200.75] [DoSManager]
  [2008-03-19 18:05:37,635] WARN - DoSManager: Found unbound connection from active users.[Session: cn=admin/192.168.200.75] [DoSManager]
  [2008-03-19 18:05:37,635] WARN - DoSManager: Found unbound connection from active users.[Session: cn=admin/192.168.200.75] [DoSManager]
  [2008-03-19 18:05:44,322] INFO - DumpTransactions: SEARCH Operation: (Transaction#OC-AD.Dump Before.32)
  BindDN: cn=admin
  Base: dc=MyCompany,dc=ovd
  Scope: 2
  Filter: (&(objectclass=inetorgperson)(&(uid=dpapadopoulos)(|(obUserAccountControl=ACTIVATED)(!(obUserAccountControl=*)))))
  TypesOnly: FALSE
  Attrs: [cn] [WorkThread# 7]
  [2008-03-19 18:05:44,322] INFO - DumpTransactions: SEARCH Operation: (Transaction#OC-AD.Dump After.32)
  BindDN: cn=admin
  Base: dc=MyCompany,dc=ovd
  Scope: 2
  Filter: (&(objectclass=user)(&(samaccountname=dpapadopoulos)(|(obUserAccountControl=ACTIVATED)(!(obUserAccountControl=*)))))
  TypesOnly: FALSE
  Attrs: [cn] [WorkThread# 7]
  [2008-03-19 18:05:44,322] WARN - ConnectionHandle: Remote Server Failure:connection closed [WorkThread# 7]
  [2008-03-19 18:05:44,322] INFO - DumpTransactions: SEARCH Results: (Transaction#OC-AD.Dump After.32) NULL [WorkThread# 7]
  [2008-03-19 18:05:44,322] INFO - DumpTransactions: SEARCH Results: (Transaction#OC-AD.Dump Before.32) NULL [WorkThread# 7]
  [2008-03-19 18:05:44,322] INFO - exceptionlog: SEARCH Results: (Transaction#OC-AD.Dump After.32) NULL [WorkThread# 7]
  com.octetstring.vde.util.DirectoryException: LDAP Error 2 : No Remote Servers Available at com.octetstring.vde.backend.jndi.BackendJNDI.flushConnections(BackendJNDI.java:1820) at com.octetstring.vde.backend.jndi.ConnectionManager.flushConnections(ConnectionManager.java:64) at com.octetstring.vde.backend.jndi.ConnectionHandle.search(ConnectionHandle.java:367) at com.octetstring.vde.backend.jndi.BackendJNDI.get(BackendJNDI.java:1108) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:289) at com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions.get(DumpTransactions.java:267) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.BasePlugin.get(BasePlugin.java:86) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.plugins.objectClass.ObjectClassMapper.get(ObjectClassMapper.java:267) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.BasePlugin.get(BasePlugin.java:86) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions.get(DumpTransactions.java:267) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.PluginChain.runGet(PluginChain.java:188) at com.octetstring.vde.chain.PluginManager.runGet(PluginManager.java:425) at com.octetstring.vde.chain.PluginManager.runGet(PluginManager.java:380) at com.octetstring.vde.backend.AdapterServiceInterface.get(AdapterServiceInterface.java:560) at com.octetstring.vde.backend.BackendHandler.get(BackendHandler.java:707) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:282) at com.octetstring.vde.chain.plugins.AclCheckerPlugin.get(AclCheckerPlugin.java:322) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.PluginChain.runGet(PluginChain.java:188) at com.octetstring.vde.chain.PluginManager.runGet(PluginManager.java:425) at com.octetstring.vde.chain.PluginManager.runGet(PluginManager.java:380) at com.octetstring.vde.chain.GlobalServicesInterface.runGet(GlobalServicesInterface.java:205) at com.octetstring.vde.operation.SearchOperation.perform(SearchOperation.java:401) at com.octetstring.vde.MessageHandler.doSearch(MessageHandler.java:517) at com.octetstring.vde.MessageHandler.answerRequest(MessageHandler.java:136) at com.octetstring.vde.WorkThread.run(WorkThread.java:89) [2008-03-19 18:05:44,322] INFO - exceptionlog: SEARCH Results: (Transaction#OC-AD.Dump Before.32) NULL [WorkThread# 7]
  com.octetstring.vde.util.DirectoryException: LDAP Error 2 : No Remote Servers Available at com.octetstring.vde.backend.jndi.BackendJNDI.flushConnections(BackendJNDI.java:1820) at com.octetstring.vde.backend.jndi.ConnectionManager.flushConnections(ConnectionManager.java:64) at com.octetstring.vde.backend.jndi.ConnectionHandle.search(ConnectionHandle.java:367) at com.octetstring.vde.backend.jndi.BackendJNDI.get(BackendJNDI.java:1108) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:289) at com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions.get(DumpTransactions.java:267) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.BasePlugin.get(BasePlugin.java:86) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.plugins.objectClass.ObjectClassMapper.get(ObjectClassMapper.java:267) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.BasePlugin.get(BasePlugin.java:86) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions.get(DumpTransactions.java:267) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.PluginChain.runGet(PluginChain.java:188) at com.octetstring.vde.chain.PluginManager.runGet(PluginManager.java:425) at com.octetstring.vde.chain.PluginManager.runGet(PluginManager.java:380) at com.octetstring.vde.backend.AdapterServiceInterface.get(AdapterServiceInterface.java:560) at com.octetstring.vde.backend.BackendHandler.get(BackendHandler.java:707) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:282) at com.octetstring.vde.chain.plugins.AclCheckerPlugin.get(AclCheckerPlugin.java:322) at com.octetstring.vde.chain.Chain.nextGet(Chain.java:298) at com.octetstring.vde.chain.PluginChain.runGet(PluginChain.java:188) at com.octetstring.vde.chain.PluginManager.runGet(PluginManager.java:425) at com.octetstring.vde.chain.PluginManager.runGet(PluginManager.java:380) at com.octetstring.vde.chain.GlobalServicesInterface.runGet(GlobalServicesInterface.java:205) at com.octetstring.vde.operation.SearchOperation.perform(SearchOperation.java:401) at com.octetstring.vde.MessageHandler.doSearch(MessageHandler.java:517) at com.octetstring.vde.MessageHandler.answerRequest(MessageHandler.java:136) at com.octetstring.vde.WorkThread.run(WorkThread.java:89)
  If you have got this far then thanks for reading ;)

  Finally managed to solve the problem.
  While creating the Join view adapter, we had to specify the binding adapter as OID instead of the database as we had done.
  Changed the binding adapter to OID and can login to OAM console now!
  :)

• Create a New Tree in Query Access Manager

  Folks,
  Hello. In PeopleTools Query Access Manager, click on button "Create a New Tree" to create a new Query Access Tree, the system always comes up this message:
  "You are not authorized to update definition QUERY_TREE_OLAP. You are not authorized to update the specific definition. Contact your security administrator for access to the specified definition."
  Do any folks understand how to solve this problem ?
  Thanks.

  I figured it was that simple.
  I haven't seen you on here in awhile.

• There is no manage account button on my firefox sync tab on windows 7 or xp or ipod

  I set up a Firefox sync account on my windows 7 machine, with user name, password and code (which I still have).
  Then I set it up on my Windows XP machine.
  The two synced.
  Then I set it up on my iPod. The device picked up the then current sync.
  Now, if I try to get to my Sync acct via Firefox>Options>Options>Sync there is no "Manage Account" button.
  None of my units will sync, and I cannot even follow the instructions to rest the code -- because there is no "Manage Account" button.
  This has been going on for at least a week or more.
  Can someone advise on what is happening and how to make sync -- sync? Or work?
  Thank you.

  When I go to the Firefox button>Options>Options>
  I see the Sync Tab which asks me to set up Firefox Sync (which I've already done). The image depicting this is "opening_screen_sync.jpg"
  If I click on "Set Up firefox Sync" I see "second_screen_sync.jpg"
  If I click on "I already have a Firefox Sync account" Connect button then I see the code it gives with the third screen (I've left the code part out).
  Nowhere do I see the screen in the FireFox dialogues that lets me access the Manage my account so I can ask for a reset of the code (if that's necessary).
  These pictures are from my windows 7 machine.
  Do you also want to see the images from my XP? Essentially it's the same thing.
  From my iPod Touch 4 using Firefox Home, when I hit the refresh button the tabs, bookmarks and history remain the same even though my Windows 7 Firefox has changed significantly.
  No unit picks up changes from any other unit. Even though originally synced.
  Is this the information you where asking for? If not, please feel free to guide me into directly what info you are seeking.
  Thank you for your time and patience.

• Remote Access Management Console - configuration issue with Network Location Server

  2012 Std R2
  The remote Access management console operation status shows  all green except for network location server .
  Error: There is no response from the network location server URL. DirectAccess connectivity might not work as expected, and DirectAccess clients located inside the corporate network might not be able to reach internal resources.
  Resolution listed as:
  1. Configure the network location server on a server that is highly available to clients on the internal network.
  2. If the network location server is running on the Remote Access server, ensure that IIS is running, and that the URL is available.
  The remote access server is located on this server. IIS is running. What URL: show I be looking at?
  Any other thoughts so I can get remote access working.
  l also am getting a remote access error for IPV6, could this be a cause:
  RoutingDomainID- {00000000-0000-0000-0000-000000000000}: Unable to add the interface {D37062B2-A3E0-4496-A459-9E0BBCE5423C} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
  John Lenz

  Hi John,
  please follow the steps to reinstall TCP/IP stack.
  1.Restart your PC into Safe Mode with Networking.
  2.
  Edit your registry. Delete the following keys:
  HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Winsock
  HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Winsock2
  3.
  Open the nettcpip.inf file in your %winroot%/inf folder
  (%winroot% is usually c:/windows).
  Find the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics value from 0xA0 to 0x80.
  Open the properties of the network connection you want to fix. In the General tab, click on the Install button. Click on the Have Disk button, and point the location to %winroot%/inf. After that select TCP/IP (not version 6).
  4.
  Now you would notice that you can uninstall TCP/IP!
  Do that, then restart the PC.
  Go back to your network connection, and install TCP/IP again as per the above. After another reboot, you should be up and running.
  I also noted that the XP network repair tool may yank out the ISA 2004 firewall client stuff. Just run the firewall clinet repair or install it again to fix that problem after you did your reboot. Before you do this kind of crazy stuff.
  5.
  This along with a TCP/IP reset using the netsh command:
  netsh int ip reset resetlog.txt
  wish you have a nice thanksgiving too
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Integrating Oracle EBS R12 with Oracle Access Manager 11g

  Hi Everyone ,
  Oracle Access Manager version 11.1.1.5
  Oracle Identity Management 11.1.1.6.0
  Oracle Access Manager WebGate 11.1.1.5
  Oracle E-Business Suite AccessGate patch p12796012
  Apps Version : 12.1.1
  DB Version 11.2.0.3
  PLatform : OEL 5.8
  We are trying to Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11g using Oracle E-Business Suite AccessGate.We followed metalink id's
  1309013.1 and 1543803.1 and some other documents.We have performed every step as documented , and everything seems to work fine untill user tries to log out from Oracle Applications i.e User
  is able to login to Oracle Applications through access gate and everything is working fine. But as user click logout button an error messsage is diplayed like "*500*
  *Internal Server Error Servlet error: An exception occured* " (The url at the time of this message is http://hostname:port/OA_HTML/AppsLogout ).
  Apps Tier (oacore) Application log:-
  +13/05/15 19:04:20.229 html: Servlet error+
  java.lang.NoSuchMethodError: oracle.apps.fnd.sso.SSOManager.getAuthAgentLogoutUrl(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
  at oracle.apps.fnd.sso.AppsLogoutRedirect.doGet(AppsLogoutRedirect.java:193)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
  +at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)+
  at oracle.apps.jtf.base.session.ReleaseResFilter.doFilter(ReleaseResFilter.java:26)
  +at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)+
  at oracle.apps.fnd.security.AppsServletFilter.doFilter(AppsServletFilter.java:318)
  +at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)+
  +at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)+
  +at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)+
  +at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)+
  Apps Tier Apache Error log :-
  +[Wed May 15 18:50:52 2013] [error] [client 192.168.0.2] [ecid: 1368624052:192.168.0.61:10798:0:44,0] File does not exist: /u01/eBiZR12/apps/apps_st/comn/java/classes//+
  WE have set all required profile in Oracle Application as directed in documents , and users are able to login just fine , but they are not able to logout.
  IS there something that we are missing , any help is highly appreciated.
  Regards
  Edited by: TheKop88 on May 16, 2013 11:39 AM

  Hi there ,
  Thanks for reply ,
  We had already gone through that document earlier. We noticed that when Apllication Profile "*Apllications SSO Type* " is set to SSWA then OA_HTML/AppsLogout is
  working fine , but when we set "*Applications SSO Type*" to SSWA w/SSO then OA_HTML/AppsLogout is not working(not redirecting) .Error thrown on web browser is "+500 Internal Server Error Servlet error: An exception occurred. The current application deployment descriptors do not allow for including it in this response+" . we believe that we might have missed some Profile settings that is causing this error.
  Regards
  Edited by: TheKop88 on May 16, 2013 12:03 PM
  Edited by: TheKop88 on May 16, 2013 12:07 PM

• Direct Access Management Servers, what are the entry good for?

  In the advanced Direct Access setup wizard you have the ability to enter your management servers. I haven't been able to find an explanation of why, what is it good for? If I understand everything correct DA gives full access to the subnet so why is it of
  interest to list some servers as "management servers"?

  Hi,
  Management servers are servers that you are able to access from the da client Before logged on as a user.
  Your domain controllers are by default infrastructure servers, but in many cases you want to add for example SCCM, NAP and other servers to be accessable prior logon.
  If you are using the manage-out functionality in DirectAccess, and want to access a client prior anyone is logged on, the management server is also needed there.
  http://technet.microsoft.com/en-us/library/jj574200.aspx
  Microsoft Certified Trainer
  MCSE: Desktop, Server, Private Cloud, Messaging
  Blog: http://365lab.net

• Integrate IdM roles with Sun Access Manager roles

  Hi all,
  I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
  I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
  What are the important differences between static and dynamic roles in AM?
  Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
  Thanks.

  I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
  About directory server roles:
  http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
  Forum thread reference:
  http://forums.sun.com/thread.jspa?threadID=5208694
  Here are roughly the steps I followed to get this working.
  Access Manager roles setup:
  1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
  Identity Manager roles setup:
  1. Create a new role in Identity Manager: tab Roles, click New....
  2. Assign the LDAP resource to synchronize the role with.
  3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
  4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
  * In the column Value override, select Text.
  * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
  * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
  5. Save the role. You can now add the role to a user.