Hierarchy Structure implementation in Sun IDM

Hello Friends, I have an interesting topic to discuss, which I am facing here at my work. In detail below:
Sun IDM is integrated with e-Directory.
The Org A has two sub-units, say PD and SD. PD and SD have virtual sub-orgs as per e-Dir: PD has GET and SET virtual sub-orgs, and SD has Regional, Division and Dealership virtual sub-orgs. Each sub-org has users who could be an admin or a user. So, PD can have PD Admins, GET Admins, SET Admins, GET Users, SET Users. Similarly in SD: SD contains SD Admins, Regional Admins, Divisional Admins, Dealership Admins and respective users.
The Org structure created in Sun IDM 5.0 here is Org A containing PD & SD. That's all.
Now my requirement here is that the admins inside PD or SD shouldn't see other admins and can't change any attributes on other admins. If the logged-in user is a SET Admin, he should see only SET users below him, not GET Admins or PD Admins, though everyone has been assigned the same controlled organization, i.e. PD.
Similarly with the SD sub-org too. I want to know: is there any way I can customize what the "List Accounts" applet shows when an Admin logs in?
Thanks and Regards, Vagic.

Change the SET Admin's controlled organization to only include the virtual org "SET Users". When that admin logs in they should only see that one organization and the users contained within.
I'm assuming that the members rule for your "Set Users" virtual org should filter out any administrators.
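
The scoping advice in the reply above, as an added example that is not part of the thread and does not use Sun IDM's API: a small JavaScript model in which each organization is a member rule and an administrator sees the union of the organizations they control. The account names, the "SET (unfiltered)" org and the function names are constructed for illustration.

```javascript
// Added illustration (not Sun IDM code): a model of controlled-organization
// scoping. Org names PD/GET/SET come from the thread; accounts are constructed.

// Constructed sample accounts under Org A > PD.
const accounts = [
  { name: "pd.admin1",  subOrg: "PD",  isAdmin: true  },
  { name: "get.admin1", subOrg: "GET", isAdmin: true  },
  { name: "set.admin1", subOrg: "SET", isAdmin: true  },
  { name: "set.admin2", subOrg: "SET", isAdmin: true  },
  { name: "get.user1",  subOrg: "GET", isAdmin: false },
  { name: "set.user1",  subOrg: "SET", isAdmin: false },
  { name: "set.user2",  subOrg: "SET", isAdmin: false },
];

// Each organization is modelled by its member rule (a predicate).
// "PD" stands for the real org holding every PD account; the other two are
// virtual orgs, one with and one without the administrator filter.
const orgs = new Map([
  ["PD",               () => true],
  ["SET Users",        (a) => a.subOrg === "SET" && !a.isAdmin],
  ["SET (unfiltered)", (a) => a.subOrg === "SET"],
]);

// Accounts an administrator can list and edit: the union of the members of
// every organization they control. Unknown org names fail closed.
function visibleAccounts(controlledOrgs) {
  const seen = new Set();
  for (const orgName of controlledOrgs) {
    const rule = orgs.get(orgName);
    if (!rule) {
      throw new Error("unknown organization: " + orgName);
    }
    accounts.filter(rule).forEach((a) => seen.add(a.name));
  }
  return [...seen].sort();
}

// Review check: which *other* administrators fall inside this admin's scope?
function exposedAdmins(adminName, controlledOrgs) {
  const visible = new Set(visibleAccounts(controlledOrgs));
  return accounts
    .filter((a) => a.isAdmin && a.name !== adminName && visible.has(a.name))
    .map((a) => a.name)
    .sort();
}

// Setup described in the question: every PD admin controls "PD".
console.log("controls PD:", exposedAdmins("set.admin1", ["PD"]));
// Setup suggested in the reply: control only the filtered virtual org.
console.log("controls SET Users:", exposedAdmins("set.admin1", ["SET Users"]));
// Virtual org whose member rule does not exclude administrators.
console.log("controls SET (unfiltered):",
  exposedAdmins("set.admin1", ["SET (unfiltered)"]));
```

The third case is the assumption stated in the reply: narrowing the controlled organization only hides peer administrators if the virtual org's member rule filters them out.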

Similar Messages

  • Sun IdM and ajax?

    I'm a developer new to Sun IdM. In looking at our existing IdM pages they are painful to say the least. Every single action on them requires the whole page to re-load. I have used ajax in a LAMP sort of setup before and I know there are ways you can implement it on Java/JSP but what I'm wondering is if anyone on this forum has tried this and if it has made a difference at all.
    Thanks Much

    Hi,
    I did this for a little demo before. The challenge is to make the data available for the ajax client in the browser to pick up dynamically.
    What I did in my demo was that the form put the valid choices into a static variable of a custom class. The user could then type in a textbox and as soon as the number of matched items was less than 5 they were displayed for choice. The scenario was to show a way to pick from a big amount of choices without sending out megabytes of checkboxes and having the user scrolling through thousands of lines to find what he is looking for. Of course in a clustered environment the static variable may not be the right solution.
    Regards,
    Patrick

  • OpenSSO-Sun IDM integration

    Hi All,
    I have implemented the OpenSSO-Sun IDM integration based on the "OpenSSO Integration Guide.pdf". Now, users created in Sun-IDM are provisioned to OpenSSO. Can anyone suggest whether users created in OpenSSO can be provisioned to Sun IDM?
    Also, is there any way to have a password sync between OpenSSO and Sun IDM users? That is, if the user's password is changed in OpenSSO can it also be changed in Sun-IDM?
    Best Wishes,
    Aruna

    Hi Frank,
    Thanks for the response,
    1. This is user/pw from the AC system you need to send with the web service call from SUN to AC
    So, we create and provide user credentials to IDM team and they need to incorporate the user credentials when ever they are calling the web services in AC5.3 ?
    For this initial communication happening, what need to be done. Setting up SAP Jco is required in this case? Do we get involved with the configuration/development activity at IDM end?
    I could not find proper documentation on this, this leaves me in what amount of involvement I have to do as a SAP GRC AC5.3 consultant.
    Regards......

  • Patch 5 of sun iDM

    Hello,
    I have this error when I do the init.xml command. I tried various methods to patch Sun IDM 8.1 with this patch but it's the same error.
    Idea?
    [java] Updated AdminGroup:UI_ADMINGROUP_AUDITOR_ACCESS_SCAN_ADMINISTRATOR
    [java] Updated AdminGroup:UI_ADMINGROUP_AUDITOR_PERIODIC_ACCESS_REVIEW_ADMINISTRATOR
    [java] Updated AdminGroup:UI_ADMINGROUP_AUDITOR_ADMINISTRATOR
    [java] Updated AdminGroup:UI_ADMINGROUP_DATA_WAREHOUSE_ADMIN
    [java] Updated AdminGroup:UI_ADMINGROUP_DATA_WAREHOUSE_QUERY
    [java] Updated AdminGroup:UI_ADMINGROUP_IDM_SCHEMA_CONFIGURATION
    [java] Updated AdminGroup:UI_ADMINGROUP_PRODUCT_REGISTRATION
    [java] Updated AdminGroup:UI_ADMINGROUP_DEBUG
    [java] Including file 'sample/adminroles.xml'.
    [java] Updated AdminRole:UI_ADMINROLE_USER
    [java] Including file 'sample/admins.xml'.
    [java] java.lang.NoSuchMethodError: com.waveset.object.WSUserUtil.getAllControlledObjectGroups(Lcom/waveset/object/Principal;Lcom/waveset/object/LighthouseContext;Ljava/util/Map;)Ljava/util/List;
    [java] java.lang.NoSuchMethodError: com.waveset.object.WSUserUtil.getAllControlledObjectGroups(Lcom/waveset/object/Principal;Lcom/waveset/object/LighthouseContext;Ljava/util/Map;)Ljava/util/List;
    [java]      at com.waveset.server.AuthCache.invalidateUserIfAuthzChanged(AuthCache.java:613)
    [java]      at com.waveset.server.AuthCache.instanceChanged(AuthCache.java:564)
    [java]      at com.waveset.server.ChangeNotifier$NotificationEntry.handleChange(ChangeNotifier.java:571)
    [java]      at com.waveset.server.ChangeNotifier$TypeInfo.handleChange(ChangeNotifier.java:715)
    [java]      at com.waveset.server.ChangeNotifier.updatePersistentObjectInfo(ChangeNotifier.java:851)
    [java]      at com.waveset.server.ChangeNotifier.objectChangeDetected(ChangeNotifier.java:981)
    [java]      at com.waveset.repository.ObjectChangeManager$ListenerRegistry.dispatchToListener(ObjectChangeManager.java:216)
    [java]      at com.waveset.repository.ObjectChangeManager$ListenerRegistry.dispatchChange(ObjectChangeManager.java:264)
    [java]      at com.waveset.repository.ObjectChangeManager.dispatchChange(ObjectChangeManager.java:761)
    [java]      at com.waveset.repository.ObjectChangeManager.dispatchChange(ObjectChangeManager.java:741)
    [java]      at com.waveset.repository.ServerRepository.set(ServerRepository.java:3334)
    [java]      at com.waveset.session.Importer.importObject(Importer.java:2706)
    [java]      at com.waveset.session.Importer.importElement(Importer.java:457)
    [java]      at com.waveset.session.Importer.access$000(Importer.java:116)

    Sure this is achievable : just use apache with mod_auth_ldap as the SVN frontend, and provision the LDAP directory with the standard IDM ldap adapter.
    Although if you want per repository access control (authz file) you will have to either use the scripted gateway adapter or implement a dedicated adapter.

  • SUN idM integrate with GRC AC

    There are documents available for best practice on provisioning using CUP by integrating SUN idM with GRC AC...I have not found any document on best practice for deprovisioning when some one leaves organization...
    Is there any one who has worked on the same or are there any best practice guide on how it can be implemented...What should be architecture or data flow?
    Regards,
    Milan

    Hi Milan,
    here is the document you need:
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/e0b2e5c5-fa62-2c10-9687-ff98bc0b99f8
    Best,
    Frank

  • SUN IDM

    Is it possible to install the Sun IDM Apache Tomcat web server in a different zone than the JBoss web app container? If so, can anyone provide documentation on how to do this?

    Hi Arjun,
    Thanks for responding to my post.
    The search is working as expected in all 3 environments DEV,VAL and PROD.
    The search and alignment are performed by the Rule, whereas the DB connection and saving to XLS are performed by the custom JSP file.
    Since search is working fine I don't think there is any permissions issue with AD or LDAP.
    A couple of things I noticed in server.log from all environments:
    SEVERE|sun-appserver2.1.1|javax.enterprise.system.container.web|_ThreadID=297;_ThreadName=httpSSLWorkerThread-9084-102;_RequestID=5efa3ecb-0ec9-4695-ab51-8049257b9d57;|StandardWrapperValve[jsp]: PWC1406: Servlet.service() for servlet jsp threw exception
    java.lang.IllegalStateException: PWC3991: getOutputStream() has already been called for this response
    and
    WARNING|sun-appserver2.1.1|javax.enterprise.system.stream.err|_ThreadID=78;_ThreadName=Provisioner;_RequestID=531d32b0-6d9a-43e-bd74-0bc9478ffdae;|org.xml.sax.SAXParseException: XML document structures must start and end within the same entity.
    at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
    This is logged when the custom JSP is executing.
    getOutputStream() has already been called for this response.
    I am not sure if this is the root cause, since it is logged in DEV and VAL also.
    Other things I noticed are:
    Yesterday I conducted 10 tests and all are taking 6 min 18 sec or 6 min 19 sec or 6 min 22 sec.
    Also I noticed that the number of user records exported to xls depends on the transfer rate.
    For example,
    if the file download transfer rate is 1.50 KB then the user records are between 1200 to 1800 whereas the search user records are 16590.
    if the file download transfer rate is 800 B then the user records are between 200 to 600 whereas the search user records are 16590.
    Not sure where to check this time value (attribute) 6 min 18 sec.
    Please provide me some info where else I need to check.
    Thanks,
    Ravi.

  • How to delete the recon Taskresults in Sun IdM 7.1 thru automation

    How to delete the recon Taskresults in Sun IdM 7.1 thru automation either thru workflows or using java programs...
    We need to delete only recon Taskresults.

    Hi Dinesh,
    Try using waveset.adminRoles
    Thanks

  • I would like some help in determining the proper structure/implementation

    I would like some help in determining the proper structure/implementation for the following scenario:
    I have ~10 steel rods that have been equipped with a strain gauge.  The most I would have is ~30 steel rods.
    Each setup has had a 10 point calibration done.
    These steel rod/strain gauge setups are assigned a calibration number.
    The data would be grouped for each steel rod and identified by the calibration number. 
    I would like to use that calibration data to determine the Young’s Modulus for each steel rod and store that within the specific rod’s information.
    I want the user to be able to add new steel rods dynamically and the Young’s Modulus calculated and stored with it.
    There are two different types of rods.
    The cross-sectional area of the rod needs to be stored and that value is constant based on the rod type (so there are two different area values).
    After a rod’s calibration data is entered the first time, the data should be static so it doesn’t need to be re-entered.
    The user would enter the cal#, the 10 point calibration data, and the rod type.
    The user will only see the steel rod cal# on the FP.
    I am using a queue-based producer/consumer with event structure for the front panel interface.  So I’m thinking whenever a rod cal# was added I would call a subvi where the calibration data can be entered and then the Young’s Modulus could be calculated and stored.  An option to edit/review existing cal data should be available.
    LabVIEW 2010, Win 7.
    My initial idea was:
    Rod Arr – array of clusters:
    Rod Info - cluster:
    Calibration number – string
    Rod Scale cluster:
    mV/V – double array
    force – double array
    Young’s Modulus – double
    Rod type – enum
    Cross-sectional area – double
    I have not implemented this because I’m not sure how to implement that AND keep the data after it’s been entered.  And all of the bundling/unbundling anytime I want to access/edit any rod information can be BD consuming.  I thought a lookup table might work.  When I looked on the forums for a lookup table I was pointed in the direction of arrays/clusters.
    So I have two questions:
    What would be the best structure for the steel rod data?
    What would be the best data type for the calibration# that the user can edit (enum, ring, ?)?

    I would make a couple of small changes to your proposed data layout (highlighted in blue):
    Rod Arr – array of clusters:
    Rod Info - cluster:
    Calibration number – string
    Array of Rod Scale cluster:
    mV/V – double
    force – double
    Young’s Modulus – double
    Rod type – enum
    Cross-sectional area – double
    For the calibration data, I would have an array of clusters rather than a cluster of arrays.  IMHO, this makes it easier to index through the calibration points, and makes it less likely you will ever have a situation where you don't have the same number of mV/V and force points.  I'd also move the Young's modulus, type, and area info into the Rod Info cluster.
    I prefer to store this type of configuration in the system registry, but that is more complicated and far from universal in the LabVIEW world.  A simpler way would be to simply pass the entire array to the "write to binary file" function.  If you do this, however, you might want to add a version number, otherwise it will be very difficult to maintain backwards compatibility if you ever need to change the data structure.
    As far as the control type, it depends on what the user is entering.  If the user is mostly entering calibration numbers already in the system, I would use a (system) combo box.  This allows the user to select an existing calibration number from the menu, but also to enter a new calibration number if they need to.  If the user will almost always enter new calibration numbers, then I would use a standard string control.  Either way, you'll probably want to validate the format of the number the user enters.
    Mark Moss
    Electrical Validation Engineer
    GHSP

  • Error while Reading Idocs from ECC 6.0 to Sun IDM .

    Hi Gurus,
    We have a scenario where we have to update the Sun IDM Server with all the changes in HR Data happening in ECC.
    For that... we have
    1. Created a Logical System for Sun IDM server, Port, RFC Connection (TCP/IP).
    2. Assigned Partner Profiles, Distribution Model etc. for msg. type HRMD_A ;
    3. We have created a Communications User used by the IDM server to connect to ECC.
    Idocs are created daily and are in status 03 - Data passed to Port OK !
    and in Sun Identity Manager 8.0 we have created an SAP resource adapter for ECC 6.0,
    after giving resource parameters our test connection is successful.
    We also changed edit synchronisation policy for the same but when we start synchronisation in IDM, it is unable to read any idocs although Idocs are generated in SAP .
    Log file gives the message as "Incoming IDoc list request containing 0 documents"
    We also have one more error ;
    some times while doing a connection test : JCO.Server could not find server function '剆䍟偉乇'
    while most of the times the connection is successful.
    Please suggest .

    Hi Gurus,
    The error got resolved .
    The changes in the settings i did :
    SAP SIDE : Made the RFC Connection Unicode.
    IDM SIDE : Checked on the "SAP Server Unicode" checkbox; while doing the HR Activ Synch Settings.
    This Resolved the error.
    regards
    Vaibhav

  • SUN IDM with Windows Vista

    Hello,
    Has anybody tried installing SUN IDM with Windows Vista?
    I tried IDM 7.1 with Vista Home Premium and it doesn't seem to work. Curious to know if anybody has had success with Vista.
    Awaiting replies
    Thanks,

    What error message are you getting?
    Have you installed Java and an application server as requested?
    1) Set Up a Java Virtual Machine Software Development Kit and Java Compiler
    The application requires a Java compiler and a Java Virtual Machine (JVM) to run the Java classes that perform actions within Identity Manager. Both of these can be found in a Java SDK. Download from or http://java.sun.com/javase/downloads/index_jdk5.jsp *** You should add JAVA_HOME to your list of system environment variables and to your system path. To do this, add JAVA_HOME to your system environment and JAVA_HOME\bin to your path, making sure to list it before any other Java environment variables.
    2) Install Tomcat application server from official http://tomcat.apache.org/ to local hard drive. Configure Tomcat memory requirements and restart. Min: 256k

  • Looking for some one who can help me in SUN IDM

    Hi Friends,
    I am looking for someone who can help me to learn Sun IDM. Of course I will pay for your time.
    I can be reached at [email protected]
    Please let me know if you have some time
    Thx

    Hi Zebra,
    I really appreciate your reply. I would like to discuss out of this forum so that no one here annoyed with our newbie questions. Please send me email as I listed earlier to discuss best ways. I send email to Andy to join us.

  • Movement of accounts in AD natively; How Sun IDM identity is affected

    Dear Reader,
    We are planning to integrate Windows Active Directory with Sun IDM 6.0 SP1. Even after integrating AD with Sun IDM there will be lots of changes to the native account like especially moving the account from one OU to another etc
    Since Sun IDM identity has the distinguished name of AD account for its reference; if someone moves the AD Account natively how will that affect IDM identity.
    I heard from couple of my friends that Sun IDM uses objectGUID to refer account in AD so even if the account is moved from one OU to another there will be no issue, is that right?
    Will Sun IDM 6.0 SP1 work that way or this fix was introduced in the later release?
    Is there any other factor involved in this which will affect the way Sun IDM works when the account is moved natively?
    Any help is appreciated
    Thanks in advance

    We use IdM 7.1.1.11 and AD.
    Sun does use the GUID once it has it. And, if the dn changes and the GUID stays the same, IdM won't care. Although in examining logs I saw that Sun asks AD first based on the GUID, then if it can't find it, reverts to the dn. We manage what OU our accounts are in via IdM. So we don't allow AD admins to move accounts around. During our initial migration, we are syncing up GUIDs, and correcting any bad OU values. Don't know if that helps, but I have some experience looking at some of this and can offer my observations.

  • Exploratory Programming of the Sun IDM API

    Exploratory Programming of the Sun IDM API using Rhino
    Sun IDM comes with a JavaScript interpreter (Rhino) that can be invoked from the command-line. This gives developers an easy way to explore the large number of classes that comprised the product.
    Let's say for example that you need the approvers of a role object in order to display them on a form. (The role view provides this information, but let's ignore this for the purpose of this example.) The role javadoc mentions two methods to get the approvers, getApproverRefs() and getApprovers(). Unfortunately they are not described clearly, and the difference between the two is not clear either.
    In order to understand what these methods do and what they return, you can use the interpreter to invoke each one directly.
    First start the interpreter with the 'lh.bat js' command:

    lh.bat js

    You will be greeted with the javascript prompt "js>"
    Then the first thing to do is to login to the application server. Copy-paste the following code into the shell interpreter.

    // Java packages are prepended with the word 'Packages'
    // and are imported using the 'importPackage' function
    importPackage(Packages.com.waveset.util);
    importPackage(Packages.com.waveset.object);
    importPackage(Packages.com.waveset.security.authn);
    importPackage(Packages.com.waveset.session);
    importPackage(Packages.com.waveset.ui);
    importPackage(Packages.java.util);
    // Use arguments[0] and arguments[1] if you want to pass credentials from the command line
    // Here we just use the built-in account "configurator"
    var epass = new EncryptedData("configurator");
    var session = SessionFactory.getSession("configurator", epass);
    print("Waveset session established");

    Alternatively save the above code to a text file called "idm-init.js" and load the file from the interpreter.

    js> load("idm-init.js")
    Waveset session established

    Once a session has been established, objects can be loaded from the repository. Enter this line at the prompt to get the role object named "testrole3"

    js> var roleObject = session.getObject("Role", "testrole3");

    Enter the variable name at the prompt to cause the interpreter to invoke the object's 'toString' method.

    js> roleObject
    Role:testrole3

    Use a 'for' loop to print out all of the object's methods and fields.

    js> for (i in roleObject) { print(i) }

    Enter a method's name to invoke it. Let's call getApproverRefs().

    js> var approvers1 = roleObject.getApproverRefs();
    js> approvers1
    [User:role1approver(id=#ID#1CC1759638D9AF96:182C132:10F3E8040B5:-7FBE), User:role2approver(id=#ID#1CC1759638D9AF96:182C132:10F3E8040B5:-7FB8)]
    js> approvers1.get(0).getClass();
    class com.waveset.object.ObjectRef

    Now let's check out getApprovers().

    js> var approvers2 = roleObject.getApprovers();
    js> approvers2
    [Lcom.waveset.object.WSUser;@d3c69c
    js> approvers2[0].getClass()
    class com.waveset.object.WSUser

    So getApproverRefs() returns a list of ObjectRef objects, while getApprovers() returns an array of WSUser objects.
    In summary the Sun IDM JavaScript interpreter can be used to explore the product's vast API. This article used the role class and its getApprovers() and getApproverRefs() methods as an example for exploratory programming. Other applications include automated testing and administrative scripts.
    [email protected]

    Yes you can customise IDM it is all available in courses and the manuals also provide some info.
    As long as you can write the code you need in java or javascript you can call it from IDM: that could be an interface to your naming app.
    Otherwise use the SPML interface if you want to use something else than the GUI. This is also described in the manuals.
    WilfredS

  • Expert pls help: Sun IDM with ldap active sync

    Hi all,
    Currently I am configuring Sun IDM 6.0 SP1 to active sync with Sun directory server. I have enabled Retro Change Log but I can't find my changeNumber in the directory server. Could anyone show me a way (search?) to get what changeNumber the directory server is currently running?

    Check the account used by IDM to access DS can search cn=changelog branch. If he is not Directory Manager, you probably need to set an ACI on that branch.
    HTH

  • Managing LDAP groups and roles through SUN IDM

    Hi Guys,
    We have a requirement to build the following functionality in our Sun IDM tool.
    1.     Ability to create/manage Static LDAP group.
    2.     Ability to create/manage filtered LDAP group.
    3.     Ability to create/manage Static LDAP roles.
    4.     Ability to create/manage filtered LDAP roles.
    Can anyone let us know any pointers as to how to accomplish this or any ideas for the path to follow for this.
    Any reply will be appreciated.

    http://myidm.blogspot.com/2009/06/how-to-create-groups-in-ldap-or-active.html
