Issue in evaluation of Role Membership Rule in GTC trusted recon.

Hi All,
I got an issue in evaluation of role membership in GTC trusted recon.
I created a custom UDF in the user profile. I am updating that field from GTC trusted recon.
I created a rule based on that custom UDF, but it is not triggering when we run the GTC trusted recon. Users are coming to OIM from the database, but the rule is not evaluating.
If we manually create any user, the rule is evaluating and the role is being assigned.
How to solve this problem? It is very urgent for me.
Thanks in advance.
-Hanuman

Hi Bikash,
I am using OIM version 11.1.1.5.
The access policy is triggering if the role is assigned to the user when I directly create the user in OIM, instead of GTC trusted recon.
That UDF field is mobile status. It is a custom UDF.
Thanks & Regards,
Hanuman. T

Similar Messages

  • Role membership rule not working

    Hi guys,
    When I create a role and assign a 'membership rule' to it, the members are shown in the preview screen.
    But they do not show up in the members screen of that role.
    My environment is 11gR2 SP1.
    It is working nicely in 11gR2 base. But from some bundle pack onwards, it is not working.
    1. Is it right?
    2. If so, why was it changed?
    3. And how should I assign members to the role?
    (As a workaround I modified the member attribute => not working,
    and restarted OIM => still not working,
    and rebooted the server => still not working...)
    Can anyone help with this?
    Regards,
    dongsu

    J,
    It has been a critical issue in a real customer project this year.
    Certainly we informed the local Oracle team about it, and they say it is an intentional change and we have to accept it.
    (That means create the role first and read in users by trusted recon from the source again... blah blah...)
    But I did not get any documented information about it.
    Actually in BP4 (maybe...), if I change any attribute value of a user who is supposed to belong to that role, then it works.
    But in BP7 and now in PS1, even that approach does not work.

  • Nesting of Rules for Auto Group (Role) Membership Rules in OIM 11gR2

    Does anyone know how to nest rules for auto group (role) membership in OIM 11gR2? The General rules in Design Console are no longer used for auto group membership, and the rules that can be configured in the Role properties cannot be nested as far as I can see.
    Any info is appreciated.
    Thanks!

    My mistake... this is possible in the web ui.

  • Roles Not Getting assigned during trusted reconn in OIM 11gR2

    Hi Experts,
    I have created a Role, an Access policy for ACF2 and a rule to automatically provision Users whose Company Code = 200 (company code is a UDF).
    The records are getting provisioned if I assign the role manually to the user and run the Evaluate User Policies task. But if I reconcile the user from the trusted resource, the users with company code are not even getting the role assigned to them.
    Am I missing something? Please help me out!!

    I followed the exact same steps to create the rule:
    Search your Role > Select Your Role > Detail will be opened > Members Tab > Right top Corner > Add Rule > Select your condition
    I even tried with User Type = Consultant etc. with some OOTB attributes, but still no luck.
    Once the recon is complete and the user is created in OIM, I don't see the role added to the user. Now, if I open the role again, edit the rule and navigate to the preview results tab, I see the newly created user listed in the preview, and if I click Save without any changes, the user gets added to the role.
    I think this could be due to our custom event handler as mentioned by NN. Please let me know if you have any other clue to debug this issue.

  • GTC Trusted Recon Issue 11g R2

    Hi,
    We have configured a CSV as our trusted source and are onboarding the users into OIM via GTC. When we execute the task, only one attribute, the Organization attribute provided as a literal value under Recon staging, is appearing under the event. The CSV is getting archived successfully, but events are failing with notes:
    oracle.iam.platform.kernel.ValidationFailedException: Orchestration validation failed on the event handler - CreateUserValidationHandler
    at oracle.iam.platform.kernel.impl.OrchProcessData.runValidationEvents(OrchProcessData.java:248)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.validate(OrchestrationEngineImpl.java:699)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.process(OrchestrationEngineImpl.java:547)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:485)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:403)
    at sun.reflect.GeneratedMethodAccessor3793.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy249.orchestrate(Unknown Source)
    at oracle.iam.reconciliation.impl.UserHandler.orchestrate(UserHandler.java:218)
    at oracle.iam.reconciliation.impl.UserHandler.executeSingleEvent(UserHandler.java:180)
    at oracle.iam.reconciliation.impl.EntityTypeHandler.create(EntityTypeHandler.java:98)
    at oracle.iam.reconciliation.impl.EntityTypeHandler.applyRule(EntityTypeHandler.java:80)
    at
    Can someone please help me on this one.
    Thanks

    I think I got the issue. I am passing Hire date and it is throwing this error at the end:
    Thor.API.Exceptions.tcAPIException: Exception occurred while inserting data into table RA_HRFEED_GTC due to java.sql.SQLException: ORA-12899: value too large for column "OIMNG_OIM"."RA_HRFEED_GTC"."RA_CUSTOMPROPERTY9" (actual: 10, maximum: 7)
    at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.createReconciliationEvent(ReconOperationsServiceImpl.java:383)
    at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.createReconciliationEvent(ReconOperationsServiceImpl.java:370)
    at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.createReconciliationEvent(ReconOperationsServiceImpl.java:366)
    at sun.reflect.GeneratedMethodAccessor13916.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy1434.createReconciliationEvent(Unknown Source)
    at Thor.API.Operations.tcReconciliationOperationsIntfEJB.createReconciliationEventx(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor13915.invoke(Unknown Source)
    But since hire date is of type text, I am passing the date in MM/dd/yyyy format... Am I missing something here?
    Thanks again

  • Execution of membership rules during creation event in OIM

    Hi,
    I have a question regarding the execution sequence of a role membership rule/s. As noted in the section "Orchestration Concepts" of the Oracle 11gR1 Developer's Guide (http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/oper.htm#CCHJHFGE), there are 6 Orchestration stages:
    1. Validation: Stage to perform validation on the orchestration, such as validity of orchestration parameters. Orchestration parameter is the data that is required to carry out the orchestration operation.
    2. Preprocess: Stage to perform orchestration parameter manipulations or get approvals or perform Segregation of Duties (SoD) checks.
    3. Action: Stage in which the action takes place.
    4. Audit: Stage in which the auditing of operation is performed.
    5. Postprocess: Stage in which consequent operations related to the current operation takes place. Examples of consequent operations are auto role membership and policy evaluation on a user creation.
    6. Finalization: Last stage in the process to perform any clean up.
    The question is: If a role membership rule has been set up so that a user will be assigned a role if a particular user attribute is set during the preprocess or postprocess stage, when is the actual execution of the membership rule performed? i.e. in which orchestration stage is the role membership rule executed?
    regards,
    Evangelo
    Edited by: 953049 on 25-Sep-2012 22:04

    Custom Preprocess handler doesn't work in 11g. Are you sure? The documentation only states that it will not work for trusted reconciliation (from Oracle support article ID 1262803.1 - OIM11g: Sample Code For A Custom Event Handler Implemented for Pre-Process Stage During Create User Management Operation).

  • OIM 11g: Issue while evaluating rule for Role Membership

    Hello All,
    I have configured a few General Rules using 2 of our User Defined Fields; these general rules are used to determine role membership.
    What we observed is that once the "Identity Status" attribute is set to "Disabled" for the OIM User Profile, OIM stops evaluating these configured General Rules for Role Membership.
    Env Details:
    Product Version: Oracle Identity Manager 11.1.1.5.0
    App Server: WebLogic Server Version: 10.3.5.0
    OS: Red Hat Enterprise Linux Server release 5.5
    Database: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64 bit
    Please let me know if any of you have encountered this issue and if there is any workaround available for it.
    Thanks,
    Shyam

    Re: OIM11g: Resource not revoked if the Identity Status is DISABLED
    XL.EvaluateMembershipForInactiveUser
    Workaround:
    You can make use of an Event Handler and assign that group with APIs.

  • Error in auto role assignment based on membership rule

    Hi All,
    Now this is a strange behavior I am finding. I had created an auto-membership rule in OIM and had assigned that to a role in my OIM. Now whenever I created a user, and based on a custom attribute that I was setting in the create user page. Now this was working totally fine. After that I did LDAP Sync and all, and I am sure it was working even then. Now suddenly the auto assignment of role has stopped working and the user doesn't seem to get the role automatically at all.
    And more strange is the point that when I modify any attribute in the user profile, the membership rule gets triggered just like it should during the user creation.
    Can someone suggest anything for this if they have faced the same?
    Thanks,
    $id

    I had been struggling with Role membership and access policies myself on 11.1.1.5.2.
    Look at the following articles if those help:
    Auto Role Membership Not Getting Evaluated On Create Event With Custom Post-Proccess Event Handler [ID 1469286.1]
    Role Memberships Given, But Access Policies Not Triggered For Enabled Users [ID 1473348.1]
    As for the limited release 11.1.1.5.2AK patch, it changes the way event handlers are triggered and the way access policy is re-evaluated. Also in that patch Oracle has given out new API for getting the service in event handler and that is supposed to bring order and synchronization of the event handlers. As far as confirmation from support goes, the event handlers are same from B2 to B3 and B4. Oracle is waiting to hear from customers about the results of the 11.1.1.5.2AK patch before it would be made available in GA.
    -Bikash
    Ref: {thread:id=2421106}

  • Adding Unknown computers resources by direct membership rule issue

    Hi, everybody!
    Finally, I've got the issue described here:
    http://blog.coretech.dk/kea/collections-not-being-refreshed-in-configmgr-2012-r2/
    In a situation with a large count of primary sites and unknown computer accounts (two for each site certainly), it's placed to be a big problem deploying task sequences to unknown computers... The comfortable and right decision, in my thought, is deploying tasks to a site's unknown collection that contains two of all unknowns (only each site's x86 and x64 account) directly. But after creating those collections per site, the previously noticed trouble becomes alive... How can we add/divide unknown computers for deploying tasks on them? The situation with available lists of all task sequences of the whole hierarchy in the installing process (as you know, that occurs while deploying tasks to the unknown built-in collection) misleads primary sites' SCCM admins... There are situations with starting wrong tasks (belonging not to their site's unknowns)...
    I repeat, adding each site's unknowns to a separate collection directly causes the problem in the link above...
    Any ideas, guys?

    Jason, it is above 20 sites...
    I've noticed one thing: when I use the collection's add direct membership rule wizard using "unknown computer" and its "site code" as criteria, the collection works fine. As soon as I use the console's "adding to existing collection" capability by right-clicking on one of the unknowns... it's going to fail to update in the previously described way...

  • Rule based Role membership in OIA is not pushing to OIM

    Hi All,
    Rule based Role membership in OIA is not pushing to OIM due to this error:
    00:01:38,055 DEBUG [DBIAMSolution] Group Role container for JDE.JDE_BHRUSRTT found...
    00:01:38,144 ERROR [DBIAMSolution] Error Occured while adding users to role
    Thor.API.Exceptions.tcAPIException: Error occurred while find User information: USER_NOT_FOUND
    at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
    at Thor.API.Operations.tcGroupOperationsIntf_13pobh_tcGroupOperationsIntfRemoteImpl_1035_WLStub.getAllMemberUsersx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
    at $Proxy396.getAllMemberUsersx(Unknown Source)
    at Thor.API.Operations.tcGroupOperationsIntfDelegate.getAllMemberUsers(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Meth
    Anyone who can help will be appreciated...
    Thanks
    Bikas
    Edited by: Bikas Mandal on Mar 27, 2013 6:15 AM

    Try these steps and let me know what you see:
    Login to OIA > Administration > Configuration > Workflows
    Select Role membership create workflow
    And check if you have added OIM provisioning server in the Step5 of the workflow.
    Cheers,
    Vamsi.

  • When Role is assigned to User through membership rule then it's membership is not added to OID ?

    Hi All,
    I have OIM 11gR2 installed with LDAPSync enabled.
    When I tried to assign a Role to a User through a membership rule, the Role is successfully assigned to the User in OIM, but it is not added in OID.
    Role membership is added in OID when the User requests the Role through Catalog search. Also, Role membership is added in OID after running the job 'LDAPSync Post Enable Provision Role Memberships to LDAP'.
    How can I add Role membership in OID as soon as the Role is assigned to the User through a membership rule in OIM?

    Hi
    It sounds like you have not selected anything on the Presentation & Data tab of the Workspace Startpoint/User Service.
    You need to specify:
    Your Asset (the form you want to present to the user)
    An associated Action Profile (tells the server how you want the form rendered...typically it is set to Default which uses the Render PDF Form process)
    The variable to hold your data(typically an xml variable)
    Make sure these are set.
    Diana

  • OIM 11g R2 Membership rules and roles

    All,
    I have noticed that the NOT operator is not available while creating the membership rules in roles.
    Is there any work around for this?
    I am planning to write a post process event handler to add the roles if I can't find any other way around this.

    You can add elements but that would be difficult to manage. Suppose you have 100 departments and you want to exclude Department 1000; then it would be difficult to add Department 1 to Department 999 in your rule.
    As of now you can go ahead with your Event handler.
    I opened an ER with Oracle long back.

  • Event Handler not Triggered when user is assigned by Membership Rule

    I have defined a post-processed event handler for RoleUser Entity.
    The handler is triggered normally when a user is manually assigned a role.
    However, it is not triggered if users are assigned through a membership rule.
    I have tried both the single execute method and the bulk execute method.
    OIM version: 11gR2

    Hi,
    Check the list of orchestration handlers triggered for this operation in the Diagnostic Dashboard. Check whether your custom event handler is present in the list. If it isn't, then there must be something wrong with your Plugin.
    Thanks,
    RK.

  • How to create the roles and rule

    Hi buddies,
    Here I have a small requirement, but I am confused about how to do it as I am new to OIM. My requirement is:
    1) I have to create 2 roles named a and b.
    2) Then I have to create one rule which states that these two roles can't be the same in that organization.
    3) After that I have to create one user and assign the first role, i.e. a.
    4) If I assign the second role, i.e. b, to the same user, it should not allow me.
    To accomplish this task, what is the workflow I have to create? Please tell me the steps...
    Thanks
    Balu

    First create 2 user groups called Group A and Group B.
    Create the group membership rules for A and B, which will instruct OIM to evaluate group membership rules when a user is created in OIM.
    For example: if the user's cost center (on the user form) is "AAA" then he should be assigned to Group A. This will be your group membership rule for Group A.
    Then for constructing the group membership rule for Group B you can say,
    if user's cost center != "AAA". This will ensure that any single user in the system will not be a part of both groups at any given time, depending upon this attribute called cost center.
    You can then define access policies on the groups/roles, which are used to auto-provision resources for any member of that role/group.

  • Role membership operators

    Hi all,
    In IDM 11gR2 I have noticed that there is no operator for the condition 'Not Equalto', i.e. '!='. In 11gR1 this condition operator was available. I have a requirement by which I need to evaluate a string (company name) as 'equalto' for one Role and 'not equalto' for another role, but 'not equalto' doesn't exist anymore. What to do?
    Even the 'else' condition is not there with the IF statement of the Rule.

    Yes, the R2 UI doesn't allow a NOT condition. In this case you can create the membership rule using Design Console -> Rule Designer as earlier. Now the problem is how you can attach it, because the UI doesn't have an option to attach the Design Console's membership rule. You can try updating the DB directly (RGP table). Set the RUL_KEY (rule key) and UGP_KEY (role key), commit it and restart OIM. I haven't tried it.
    http://docs.oracle.com/cd/E27559_01/user.1112/e27151/role_mangmnt.htm#BABHAEHE
    or better raise SR for attaching design console's Rule with role.
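
Several threads above describe the same gap: a membership rule's preview lists a user, but the role's member list does not (after trusted recon, after a bundle patch, or once the user is disabled). The following is an added example, not code from any poster or from Oracle, that measures that drift offline from exported data; the `Condition` class, the field names and the sample rows are constructed assumptions, not OIM schema or API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str  # "eq" or "ne" ("ne" is what the R2 rule UI is reported to lack)
    value: str

    def matches(self, user):
        actual = user.get(self.attribute)
        if actual is None:
            # Attribute never populated (e.g. a UDF the recon did not map):
            # treat as "no match" for both operators instead of guessing.
            return False
        same = actual.strip().casefold() == self.value.casefold()
        if self.operator == "eq":
            return same
        if self.operator == "ne":
            return not same
        raise ValueError(f"unsupported operator: {self.operator}")


def audit_role(rule, users, members):
    """Compare who the rule says should hold the role with who actually does.

    missing        - rule matches, user is not a member (preview vs. members gap)
    unexpected     - active member that no longer matches the rule
    disabled_stale - disabled member that no longer matches the rule
    """
    report = {"missing": [], "unexpected": [], "disabled_stale": []}
    for user in users:
        login = user["login"]
        should_be_member = all(cond.matches(user) for cond in rule)
        is_member = login in members
        if should_be_member and not is_member:
            report["missing"].append(login)
        elif is_member and not should_be_member:
            disabled = user.get("status") == "Disabled"
            report["disabled_stale" if disabled else "unexpected"].append(login)
    for logins in report.values():
        logins.sort()
    return report


# Constructed sample export: user attributes plus the role's current member list.
USERS = [
    {"login": "ALICE", "company_code": "200", "status": "Active", "source": "trusted_recon"},
    {"login": "BOB", "company_code": "200", "status": "Active", "source": "manual"},
    {"login": "CAROL", "company_code": "300", "status": "Active", "source": "manual"},
    {"login": "DAVE", "company_code": "300", "status": "Disabled", "source": "trusted_recon"},
    {"login": "ERIN", "status": "Active", "source": "trusted_recon"},
]
ROLE_MEMBERS = {"BOB", "CAROL", "DAVE"}
RULE_COMPANY_200 = [Condition("company_code", "eq", "200")]
RULE_NOT_200 = [Condition("company_code", "ne", "200")]

if __name__ == "__main__":
    print(audit_role(RULE_COMPANY_200, USERS, ROLE_MEMBERS))
    print(audit_role(RULE_NOT_200, USERS, ROLE_MEMBERS))
```

Entries under `missing` are users who lack access the rule intends, while `unexpected` and `disabled_stale` are memberships that outlived their justification and are worth reviewing before any access policy tied to the role is evaluated.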
