How to Map OIA Provisioning policies to OIM Access Policies

Hi,
Access policies in OIM do not allow entitlement definitions, such as defining the AD groups that need to be attached to the account that would be provisioned on the target resource when the access policy is triggered. In OIM, these entitlement definitions are handled at the process form level, whereas in OIA the provisioning policies allow entitlement definitions according to the resource type at the policy level. It would be of great help if you could help us understand how the import and export of access policy data between OIA and OIM would be feasible with these differences in place.
Secondly, the access policies defined in OIM can contain resources belonging to different resource types, unlike OIA, where we can create access policies only pertaining to the selected resource type. Kindly let us know how the import and export process would work out in this scenario as well.
Appreciate your guidance and support
Thanks
Avinash

Hi,
Any helpful pointers on the above-mentioned scenario?
Thanks,
RPB

Similar Messages

  • Self Service Requests for OIM Access Policies

    In the absence of a Role Management product, is there a good way to enable OIM End User Self Service to process requests and approvals for OIM Access Policies or OIM Groups?
    Any suggestions are appreciated!
    KC

    Ultimately the group membership will trigger an access policy. The access policy assignment is the goal, the group assignment is the typical method to assign the access policy to the user.
    When creating a dummy resource, I assume that resource would have a lookup on the form to select the group name. Is this what you are suggesting?
    KC

  • Provisioning existing users through Access Policies in OIM

    Hi
    I need to evaluate access policies for existing users in OIM.
    My understanding of "Set User Provisioned Date" is that this scheduler will set the provisioned date for the user in the user profile, which in turn calls the entity adapter evaluatePolicies and should trigger the Access Policy. Correct me if I am wrong.
    But for all existing users the Provisioned Date is already set through trusted recon. Will this scheduler (Set User Provisioned Date) replace it with a new date?
    Sounds like a silly question, but I want to confirm before testing this in production :)
    Thanks

    Yep
    Running this scheduled task will not be sufficient. You'll have to select the RETROFIT check box while creating the Access Policy.

  • Role based provisioning - need help in access policies

    Hello experts,
    We have the following requirement
    1. If the corresponding Role is not there, then the resource should not be allowed to get provisioned.
    2. Whenever the Role is present for the user, the corresponding resource provisioning should get triggered automatically.
    Please advise whether the above could be achieved OOTB in OIM 11g?

    875142 wrote:
    1. After configuring the access policy we are still able to provision the resource manually without the role. How do we restrict it? What needs to be done for that?
    As far as I know there's no way to stop the administrator from going to the resource profile and manually assigning the resource. Maybe you can try some authorization policies for that. But I am not sure.
    2. We have a scenario in which we are disabling a user. This will deprovision a resource, say Retail. Then we are enabling that user again. Then ideally it should provision a new resource of Retail. But that's not happening.
    Check this for it: Re: Help required with Access policy trigger on Enable User in OIM 11.1.1.5
    Also here we have selected the 'Retrofit Access Policy' flag and ran the 'Evaluate user policy' scheduled task but we couldn't see any changes because of that.
    Retrofit Flag: If it is set to true, then all the users who already had a Role (before the access policy was created) will also get evaluated. If set to false, then only users newly added to the role will be evaluated for the access policy. What is the status of the resource when you disable the user the first time?
    -Bikash

  • How to update a provisioned Apps without store access ?

    Hello All,
    Some explanation of my issue:
    Windows 8 Enterprise will be the next OS used in my firm.
    Top management has decided to close access to the Microsoft Store, but wants to have the weather, maps, music and video on the modern start menu.
    My question is:
    Is it possible to keep provisioned apps (such as Bing Weather) up to date using SCCM 2012 or something else, without the Store, which is blocked by GPO?
    More information:
    Client joined to the domain / DNS, AD, SCCM, MDT, etc. are still in use.
    I'm totally not a developer :(
    Thanks in advance for your help

    In Windows 8 you have to update apps from the Store manually, and if you disable the Store, you won't get those updates. One way to resolve this issue is, instead of blocking the Store, to use AppLocker and create a policy to block all apps except the ones you are using.
    In Windows 8.1 apps will update automatically, and I suggest you use a testing PC, install the Windows 8.1 Preview, try out your scenario with it and see if it works.

  • Issue in OIM 11gR2Ps2 while provisioning using access policies

    Hi,
    We are provisioning resources using access policies, and we are facing an issue while provisioning a resource using two access policies. We are populating the main process form data using two access policies. According to the access policy priority, we see the first access policy's form data value in the user process form, but the second access policy's value is not showing in the user process form. For example, we are populating process form fieldvalue1 using access policy1 and process form fieldvalue2 using access policy2.
    Thank you,

    Hi,
    We are facing an issue in the following scenario.
    We are provisioning a resource based on the user position through access policies. For example, a user position "contractor" satisfies two rules, and based on the rules he will get two roles. These two roles trigger two access policies, and the two access policies give the same resource, for example "AD". In the AD main process form there are two lookups (lookup A, lookup B). We are giving the lookup A value in access policy1 and the lookup B value in access policy2. Whenever a user gets the AD resource through these roles, when we look at the user process form after provisioning, only the lookup A value is there and lookup B is empty. But I want to get both the lookup A and lookup B values. What I observed was that, based on the priority, access policy values are coming to the user resource form, and the next access policy's form values are not reflected in the user process form.
    Thanks,

  • How to get users provisioned / enabled with all OIM Resources.

    Looking for help on java / sql query on how to get all the users in OIM (9102 BP 13) provisioned/enabled status only,
    with all OIM Resources available in System.
    Edited by: 907571 on Apr 18, 2012 4:12 AM

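    -- Users with each provisioned or enabled resource, plus the user's organization
    select usr.usr_login, usr.usr_status, obj.obj_name, ost.ost_status, act.act_name
    from oiu, usr, ost, obj, act  -- usg is not needed here; listing it without a join condition would multiply every row
    where oiu.usr_key=usr.usr_key  -- resource instance -> owning user
    and oiu.ost_key=ost.ost_key    -- resource instance -> its status
    and ost.obj_key=obj.obj_key    -- status -> resource object
    and usr.act_key=act.act_key    -- user -> organization
    --and obj.obj_name in ('Resource Name')
    --and usr.usr_status = 'Active'
    and ost.ost_status in ('Enabled','Provisioned')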
    -Kevin

  • OIA 11.1.1.3 - Unable to import Access Policies, Resources from OIM 11g

    Hi,
    I have successfully integrated OIA on tomcat with OIM on weblogic. Also all the Roles and Users of OIM have been imported into OIA.
    Can any of you suggest what needs to be configured on OIM to have the Access Policies, Resources and entitlements imported into OIA?
    PS : I have noted some changes to be carried out with OIM Form designer in the Design Console as per the Preferred method. Unfortunately, I am unable to go ahead in configuring the following as the Properties described do not show up to me.
    The user guide says -
    For each Resource, the following properties need to be added to some identified feed for accounts, policies, and entitlements imports:
    AccountName - Identifies the unique account in the target system
    ITResource - Identifies the unique IT Resource field for the target system
    Entitlement - Identifies the account attribute designated for privileges
    Please help with this issue.
    Thank you,
    Bhaskar

    Thanks for the reply EvgeniyA, but this is a new environment which has not been released to the users yet. So this cannot be because of SERVERTHREADS and AGTSVRCONNECTIONS. Also the older version worked fine without all those settings defined in essbase.cfg. Anyways, even if we consider that this was because of those parameters, I have defined those in the essbase.cfg and still no luck. I still get the same errors. Any other thoughts, anyone?
    Thanks,
    Ted.

  • How to Map Process form field with Resource form field?

    Hi,
    How to map a Process form field with a Resource form field while creating a Process form in Form Designer?

    Are you talking about provisioning?
    Then you do that in Data Flow under Process Definition in OIM 10g.
    In OIM 11g you use Request Dataset. In that you can directly map fields to the process form.

  • OIM - Priorities for Access Policies

    Hi
    In my OIM deployment I have 7 access policies that I use to provision different resources. Each of these has a separate priority (naturally).
    While provisioning a new user these policies are applied in decreasing order of priority (i.e. the policy with priority 1 is applied first and the policy with priority 7 is applied last), at least as far as one can tell from the order of the email notifications.
    How can I configure OIM in such manner that while de-provisioning a user these policies are applied in the reverse order (i.e policy with priority 7 should be applied first and so on till the last policy that is applied is the one with priority 1)?
    Any help will be appreciated.
    Thanks in advance

    Use the APIs to add the group name to the group name child form of the AD process form.
    Or write a custom connector that does the group add directly to AD.
    Both approaches work, but approach one is more elegant.
    Best regards
    /Martin

  • How to do when the downtime of OIM?

    In case of prolonged downtime of OIM, user will manage the user profiles directly at target resource to continue the normal user activities. However, when the OIM comes back to service, please advise how to reconciliate these updated user accounts information (including newly created user accounts during the OIM downtime).

    Hi,
    I think it will depend on the connectors you are using, and how they are configured. For the previously created target accounts, it should correctly update the changes made on the target side, no matter how far back in time its last reconciliation run was.
    Now, if you have a system with a high customization level, you can find some troubles with the newly created users/target accounts:
    a) If you have Membership rules & Access Policies that provision your users in the different targets automatically, and you have a trusted reconciliation source for user creation, when the new users come into the system through reconciliation the access policies will trigger, and OIM will generate new accounts for that user in the corresponding targets. This can be a mess, as the actual target accounts may already exist.
    b) If the user already exists, but target accounts have been created for him/her, maybe they have been created without being aware of the reconciliation matching rules. If this happens, OIM won't automatically link the new account with the corresponding user, and you'll need to manually select the user in the Reconciliation Manager (Design console).
    c) The worst problem you could find is that, in the same scenario as "b", the reconciliation matching rules match a user that, in fact, is not the actual account owner. This should not happen if the target system allows you to create a logical matching rule (user's passport number, employee number, ...).
    These are common troubles when reconciling resources (for example in an initial load of OIM, when all the users and target accounts are previously created in target systems).
    Regards,

  • OIM 9.1.0.2 - Access Policies issue

    Hi Gurus,
    I am facing a strange behavior in the Access Policies feature.
    When users are inactivated in OIM, they should be removed from the groups associated with the AP, but the groups remain associated and because of that the AP is triggered again, provisioning resources to the users.
    Has someone faced this issue?
    Brgds,
    Carlos

    What do all of your group membership rules look like? Are you sure your right side is in the correct format? You can create a rule where Users.Status = "Active". Just need to make sure it's case sensitive so you'll want to check the database for existing values.
    -Kevin

  • User provisioning problem from OIM 10g to Siebel CRM

    Hi Team,
    I am facing a user provisioning problem from OIM 10g to Siebel CRM. Please find the log details.
    Running Get Attribute Mapping
    Running Siebel Create User
    <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException>
            at com.siebel.om.conmgr.Connection.readPacket(Connection.java:550)
            at com.siebel.om.conmgr.Connection.run(Connection.java:286)
            at java.lang.Thread.run(Thread.java:619)
    [CMGR FATAL] Error: <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException> connection:1
    <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException>
            at com.siebel.om.conmgr.Connection.readPacket(Connection.java:550)
            at com.siebel.om.conmgr.Connection.run(Connection.java:286)
            at java.lang.Thread.run(Thread.java:619)
    [CMGR FATAL] Error: <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException> connection:1
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],com.thortech.xl.integration.siebel.utils.SiebelConnection : createSiebelConnection() :  Siebel Connection Exception:Could not open a session in 4 attempts. {1}(SBL-JCA-00200)
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],com.thortech.xl.integration.siebel.proxy.SiebelProxyEmployeeProvisionManager : createSiebelConnection() : BaseException: Siebel Connection JDB Exception: Could not open a session in 4 attempts. {1}(SBL-JCA-00200)
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],com.thortech.xl.integration.siebel.provision.SiebelUtilEmployeeProvisionManager : createEmployee() : BaseException: Siebel Connection JDB Exception: Could not open a session in 4 attempts. {1}(SBL-JCA-00200)
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    Regards,
    Ravi.

    Hi
    I am facing the same error message as yours, using OIM 11g R2.
    Are you able to solve it?
    Please share
    Many Thanks !!!

  • Provision a RO several times with one user using Access Policies

    Hello,
    We need to provision several Unix machines and for this purpose, we use only one resource object (SSH User). Additionally, we created an access policy for every machine:
    - Access Policy Unix Server 1
    - Access Policy Unix Server 2
    - Access Policy Unix Server N
    We created the following group in OIM: SSH Group.
    We set the policies in such a way that whenever a user is added to the SSH Group, the SSH User RO is provisioned with the user for every machine. We created several access policies, because the parameters of the form are different for every machine.
    The problem is that when a user is added to the SSH Group, the SSH User resource object is provisioned only once. It is provisioned by the access policy with the highest priority. We would like that the SSH User RO was provisioned by every access policy. That is, the user should have the SSH User RO provisioned N times, after adding it to the SSH Group.
    Is there any way to achieve this without creating a resource object for every Unix Machine? We need to provision more than 300 Unix machines and this would require a lot of time...
    Thank you for your help

    There are other options. You could create a child table to hold the IT Resource information, assuming all parent data is the same for every system. Then on the insert/delete to child table entries, you can provision and de-provision from that target. On disable/enable you would need to search through the child table and perform the action against all instances. The same for the other update tasks.
    This is the limitation of access policies. They manage a single resource object target instance. You could also code a generic resource that has child table entries. When an insert happens, you can use the APIs to provision an instance of the specific target with the provided details. Then you could create access policies to add entries to the child table, and each would provision the appropriate object, and deprovision too.
    Takes some custom code, but it's doable. Just remember though that they are all still the same resource object, so reporting would show them all, as well as attestation, as a single instance, with multiple provisioned to each user.
    Another option is to duplicate the work flow using find and replace in the XML and generate a unique workflow for each instance.
    -Kevin

  • JPA:How to map List Map Enumerated,EntityType database?

    as we know that we can map collections to database with ElementCollection annotation; how to map a collection of collection of entity?
    for example:
    List<Map<Enumerated,EntityType>>
    thanks

    You have to do customization to achieve this.
    Check this Link
    Re: OIM: Manager Request access for subordinate
