Need information on OAM 11gR2 protecting OIM 11gR2

Hi All,
I need to implement a solution wherein I have to protect the OIM 11gR2 application using OAM 11gR2.
So in this case the identity store for OIM is the normal Oracle database, and we have used the generic LDAP connector to provision the users to an LDAP directory which is the identity store for OAM.
I have gone through the OIM integration with OAM, and it talks about a lot of steps involving extension of the identity store for both OIM and OAM (Integrating Access Manager and Oracle Identity Manager - 11g Release 2 (11.1.2)).
In my case I don't need features like the centralized password management functionality... we only want to protect the OIM application.
So is it possible to enable SSO without
1) Externalizing the identity store of OIM to the LDAP directory which is the identity store for OAM, and hence not running the LDAP sync utility?
Also can you please guide me to a document that specifies the steps.
Thanks

Similar Messages

  • Need Information on database tables in OIM Schema

    Hi All,
    Is there any document/link where I can get information on all the OIM schema database tables like obj, orf and so forth?
    Regards,
    Sunny

    Hi,
    Also, you can run the queries below to get the table names and the name of each field when using OIM's API. Change the OIMDBUSER value to your OIM schema name. You'll notice some tables do not have comments, for example, the resource and process form tables (starting with UD). For the "UD_*" tables, you can get the SDK_DESCRIPTION

    Getting the table names WITHOUT UD_ descriptions:

    SELECT t.owner, t.table_name, tc.comments
    FROM all_tables t, all_tab_comments tc
    WHERE t.owner = 'OIMDBUSER'
      AND tc.owner = t.owner  -- match the schema too, so same-named tables elsewhere add no duplicate rows
      AND tc.table_name = t.table_name
    ORDER BY t.table_name;

    Getting the table names WITH UD_ descriptions:

    SELECT t.owner, t.table_name, NVL(tc.comments, NVL(sdk.sdk_form_description, 'No Comments')) comments
    FROM
       all_tables t
        LEFT OUTER JOIN sdk ON t.table_name = sdk.sdk_name,
       all_tab_comments tc
    WHERE t.owner = 'OIMDBUSER'
      AND tc.owner = t.owner  -- match the schema too, as in the first query
      AND tc.table_name = t.table_name
    ORDER BY t.table_name;

    Getting the column names for OIM API:

    SELECT lku_field, lku_type_string_key
    FROM lku
    WHERE lku_type = 'f'
    ORDER BY lku_field;
    Renato

  • Need clarifications on OIM 11gR2

    Friends,
    I have successfully installed OIM 11gR2 on Linux 64 bit and used WebLogic 10.3.6. I have a few queries and am expecting your expertise.
    1) I tried to install JDeveloper on it, but it fails saying it is not compatible with the middleware. After googling, I found I need to apply some ADF runtime drivers. But I am not sure how to do it. Can you please provide me some directions?
    2) I went through the documentation on the sandbox concept in OIM 11gR2 but did not understand it. Can you please explain its concept clearly?
    3) I tried to install OID from IDM 11.1.1.6, but it fails saying it requires 32 bit Linux OS, and I did not find 64 bit OID software. Can you please provide me a URL where I can download OID software for Linux 64 bit?

    Hi Thiago,
    Thanks for your replies.
    Yes, I followed certification matrix and tried to install 11.1.1.6 only on wlserver 10.3.6.
    Can you please elaborate on the below points? Or if there are any URLs for detailed steps, please provide them.
    -What you have to do:
    2.1-On Application Server Navigator you can create types of connection:
    2.2-Integrated WLS option
    2.3-Standalone WLS option
    2.4-This first option you can install a local standalone WLS 10.3.6 server on your environment, then create a separate "integrated WLS" connection to the standalone server.
    2.5-Then go to your Application's properties through the Application menu -> Application Properties -> Run -> Bind to Integration Application Server option you can the brand new option created WLS server connection to work with your application.
    3.0- Don't forget that you need to install the ADF Runtimes for the server to be able to work with ADF applications

  • Can we use OID 11gR1 with the OAM/OIM 11gR2

    Hi,
    I am installing IdM 11gR2. As OID does not come with this pack, can we use/install the OID which comes with IdM 11gR1?
    Or is there any other option like OUD?
    Can we integrate OUD 11gR2 with OIM/OAM 11gR2 to manage the users/groups? If yes, please share some document for it.
    Please suggest the best option as we are learning OIM/OIM 11gR2.
    Thanks
    Harry
    Edited by: Harry-Harry on Jan 28, 2013 12:59 AM
    Edited by: Harry-Harry on Jan 28, 2013 1:10 AM

    The latest OID in 11gR1 is 11.1.1.6
    It will support integration with 11gR2 OIM and OAM. Kishore already sent the certification matrix link.
    I am currently using OID 11.1.1.6 in the above configuration and it works fine. If you have any other questions, feel free to post them.

  • OIM 11gR2 - Identity console - Search Users Page.  Need to add employee number by default.

    Hi,
    I am new to OIM 11gR2. I have a requirement to add the employee number field in the user search box. I do not want to use the Add Fields button to add the employee number search field.
    When any user goes to the search page, they must find the employee number field in the search box in addition to the other default fields like lastname, firstname, etc. Is it achievable? Thanks in advance.
    If possible, can you please provide the steps to achieve it? Thanks

    Karthik Perath
    Thanks for the answer, but I guess you misread the question. I am able to add new fields as columns to the search results table. My problem is I want to add the searchable field to the query form. Also, I do not want to use the Add Fields button (because that is a part of Saved Search, which is Personalization and limited only to the creator). I want the newly added searchable field, for example Employee Number (which is not there by default), to be made available to all the end users of the Identity Self Service system. Hope you got the problem.

  • OIM 11gR2 : User groups not visible on UI

    Hello Experts,
    I have a requirement in which I need to assign the user provisioned to AD to some group(s) depending upon certain conditions like BU, Location etc. I created a Process Task adapter for the same and am able to successfully assign the users to the desired groups.
    But I am able to check for this validity from the backend only.
    Ideally the groups assigned to the user must be visible after following these steps:
    1. Search for a user provisioned to AD.
    2. Go to the Accounts tab.
    3. Click on the AD account (to which the user has been provisioned)
    4. A process form is displayed in the lower half of the webpage which also shows the information regarding the groups assigned to the User. But the groups are not getting displayed.
    Kindly Help.
    Edited by: IDM_newbie on Jan 24, 2013 11:24 PM

    But sir, the groups are listed under the Accounts tab. Is there any scheduled job provided by OIM 11gR2 which results in the display of Groups assigned to the user as well under the Accounts tab?
    Edited by: IDM_newbie on Jan 25, 2013 1:51 AM

  • Multiple self-registration pages in OIM 11gR2 PS1

    Hi All
    I have a requirement to implement multiple self-registration pages in OIM 11gR2 PS1. Has anybody faced such a requirement before?
    Any pointers will be highly appreciated.
    Thanks

    Hi,
    Basically I need some more information about your use case.
    Can you please elaborate on the use case? What do you actually want to do by having multiple self-registration pages?

  • Pre populate adapter in OIM 11gr2 not triggered in database

    Hello,
    Following are the steps for creation of a pre-populate adapter in OIM.
    We have created one form in OIM which is provisioned to Database.
    Steps
    · Installed GTC connector for Database Web App 9.*
    · Created new user and Table in Database
    · Created IT resource for Database
    · Created Sandbox, App Instance and Form, published sandbox
    · Started catalog synchronization job scheduler
    · Created user and requested account to app instance.
    · Select application instance to catalog and checkout.
    We have created the adapter as per the following link
    http://idmrockstar.com/blog/2009/08/how-to-create-a-prepopulate-adapter-in-oim/
    Create a pre-populate adapter that will populate the firstname of the user in email using a java class
    source code:
    public class AdapterClass {
        // Returns the first name unchanged so it can be used as the email value
        public String email(String fname) {
            return fname;
        }
    }
    Steps:
    1) In the design console I have opened the Adapter Factory and created a new adapter name: firstname
    adapter type: pre-populate rule generator
    click on save
    2) select variable list tab:
    variable name: Firstname
    type: String
    Map to: Resolve at runtime
    click on save
    3) select Adapter Task tab
    * click add and select logical task
    * select SET VARIABLE and click continue
    * Operand Type: variable
    * Operand Qualifier: Firstname
    click save and save the adapter
    4) compile the java class into a jar file and move the jar file into OIM_HOME\server\JavaTasks
    5) Create a new Adapter with the following:
    Adapter name: Email
    Adapter type: Pre-populate rule Generator
    click save
    6) select variable list tab:
    variable name: var1
    Type: String
    Map to: Resolve at runtime and click save
    7) select Functional Task tab:
    select java click continue
    select the following information:
    Task name: email
    Api source: JavataskJar:Adapterclass.jar (the jar file which you have created)
    application api: adapteclass
    click save
    8) In the Application method parameters, select the first input: String
    Change Map to: Adapter variables
    Set the name to: var1 and click save
    9) select the output: String
    change map to: Adapter variables
    set name to: return variable
    10) click save and save the adapter and click on Build
    The adapter is now built; the next step is to join it to the form
    ** join the adapter to the form**
    Steps:
    1) click on form designer and search the related form which we have created
    2) In the respective form click on create a new version and create a new version
    3) and then click on Pre populate tab and click on ADD
    4) select adapter field to firstname
    Rule: default
    Adapter: Firstname
    and click on save
    5) In the adapter variable field click on firstname and fill the following
    map to: Process data
    Qualifier: firstname
    6) Repeat steps 3 to 5 to map the email adapter
    7) click on save.
    Now we are done with all the steps, and we have created one user and submitted the user.
    We clicked on request accounts ---> search the catalog and select the application instance (select the app instance "database provisioning") ---> add to cart ---> and check out ---> fill the form leaving email field ---> ready to submit ---> submit
    Now we have checked this user in the database, but the pre-populated fields are still not reflected. Since this is not working, we have found the other three links
    Re: OIM 11gR2 - Prepopulate Field Empty Problem
    http://fusionsecurity.blogspot.in/2013/01/populating-request-attributes-in-oim.html
    http://identityandaccessmanager.blogspot.in/2011/07/prepopulate-adapter-in-oim-11g.html
    According to these links, they mention to implement the PrePopulationAdapter interface in the java class and create the plugin.xml for the class which we have used in the jar.
    So we prepared a plugin.xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <plugins pluginpoint="oracle.iam.request.plugins.PrePopulationAdapter">
    <plugin pluginclass= "com.oracle.demo.iam.prepop.plugin.UserLoginPrePop" version="1.0" name="UserLoginPrePop">
    <metadata name="PrePopulationAdapater">
    <value> My_users::email</value>
    </metadata>
    </plugin>
    </plugins>
    </oimplugins>
    and the java class which implements "PrePopulationAdapter".
    They mention to put that jar into one directory named "lib" and paste the xml and lib folder into OIM_HOME\server\plugin
    But we are stuck on how to configure the adapter or what the next steps are for the above process, or whether there is something that we have missed in the process.
    Please do reply, it's urgent.
    Regards,
    Tushar Palekar

    Hi, I have followed all your steps regarding the pre-populate adapter, but no luck.
    1) java code:
    package com.oracle.demo.iam.prepop.plugin;

    import java.io.Serializable;
    import oracle.iam.request.plugins.PrePopulationAdapter;
    import oracle.iam.request.vo.RequestData;

    public class Userfname implements PrePopulationAdapter {
        // Returns a fixed test value for the field named in plugin.xml
        public Serializable prepopulate(RequestData requestData) {
            String fname = "xyz";
            System.out.println("Returning fname ==== " + fname);
            return fname;
        }
    }
    2) I have created a jar for this code and pasted it into the lib folder.
    3) I have created a plugin.xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <plugins pluginpoint="oracle.iam.request.plugins.PrePopulationAdapter">
    <plugin pluginclass= "com.oracle.demo.iam.prepop.plugin.Userfname" version="1.0" name="Userfname">
    <metadata name="PrePopulationAdapater">
    <value>register::LAST_NAME</value>
    </metadata>
    </plugin>
    </plugins>
    </oimplugins>
    4) I registered the plugin using ant -f pluginregistration.xml register
    5) I have restarted the OIM server and then I created a user using the same app instance in which I have created the form (i.e. register), and
    request account --> select app instance ---> add to cart
    but the last name xyz as per the java code is not reflected in the database table.
    please help
    tushar palekar
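
An added check, not from the thread or from Oracle's tooling: before the registration step, it verifies that every pluginclass named in plugin.xml exists in a jar under lib/ and that each metadata value has the Form::Field shape both posts use. The archive layout (plugin.xml at the root, jars under lib/) follows the posts' description; the function names and the sample archive are constructed, and treating whitespace around a value as a problem is an assumption.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

PLUGIN_POINT = "oracle.iam.request.plugins.PrePopulationAdapter"  # from the posted plugin.xml


def shipped_classes(zf: zipfile.ZipFile) -> set:
    """Fully qualified names of every .class entry inside lib/*.jar."""
    found = set()
    for name in zf.namelist():
        if name.startswith("lib/") and name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as jar:
                for entry in jar.namelist():
                    if entry.endswith(".class"):
                        found.add(entry[: -len(".class")].replace("/", "."))
    return found


def check_plugin_zip(data: bytes) -> list:
    """Return the inconsistencies found in a plugin archive; an empty list means none."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "plugin.xml" not in zf.namelist():
            return ["plugin.xml is not at the archive root"]
        try:
            root = ET.fromstring(zf.read("plugin.xml"))
        except ET.ParseError as exc:
            return [f"plugin.xml is not well-formed: {exc}"]
        classes = shipped_classes(zf)

    problems = []
    groups = [g for g in root.iter("plugins") if g.get("pluginpoint") == PLUGIN_POINT]
    if not groups:
        problems.append(f"no <plugins> element for {PLUGIN_POINT}")
    for group in groups:
        for plugin in group.findall("plugin"):
            cls = (plugin.get("pluginclass") or "").strip()
            if cls not in classes:
                problems.append(f"{cls}: no such class in lib/*.jar")
            for value in plugin.iter("value"):
                text = value.text or ""
                form, sep, field = text.strip().partition("::")
                if not (sep and form and field):
                    problems.append(f"{cls}: value {text!r} is not Form::Field")
                elif text != text.strip():
                    problems.append(f"{cls}: value {text!r} has surrounding whitespace")
    return problems


def build_sample(plugin_class: str, value: str) -> bytes:
    """Constructed sample archive: plugin.xml plus lib/adapter.jar holding one class entry."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        # Placeholder bytes, not a real compiled class; only the entry name is checked
        j.writestr("com/oracle/demo/iam/prepop/plugin/Userfname.class", b"\xca\xfe\xba\xbe")
    xml = f"""<?xml version="1.0" encoding="UTF-8" ?>
<oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<plugins pluginpoint="{PLUGIN_POINT}">
<plugin pluginclass="{plugin_class}" version="1.0" name="demo">
<metadata name="PrePopulationAdapater"><value>{value}</value></metadata>
</plugin>
</plugins>
</oimplugins>"""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("plugin.xml", xml)
        z.writestr("lib/adapter.jar", jar.getvalue())
    return out.getvalue()


if __name__ == "__main__":
    pkg = "com.oracle.demo.iam.prepop.plugin."
    print(check_plugin_zip(build_sample(pkg + "Userfname", "register::LAST_NAME")))
    print(check_plugin_zip(build_sample(pkg + "UserLoginPrePop", " My_users::email")))
```

The second call mirrors the first post, where plugin.xml names UserLoginPrePop while the class that was written is a different one.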

  • Replicating the app functionality from OIM 10g to OIM 11gR2

    Hi,
    I have a resource object with an object form and a process form, and approval and provisioning configured in the OIM 10g design console. Provisioning is manual provisioning assigned to a particular group based on a task assignment adapter. To replicate the same in OIM 11gR2 I followed the following steps.
    1. Created a Resource object in Design console.
    2. Created a dummy IT Resource (since while creating the app instance it has IT Resource as a mandatory field. Is there any way to skip this, as I do not have any IT resource in my original app since it is going for manual provisioning?)
    3. Created a process form in Design Console with the same fields as present in my 10g app process form.
    4. Now I need to create an app instance and select the created resource object and IT resource. Also I need to create a form associated with the app instance in which I will add the fields as present in the object form in my 10g app. (Here I am not understanding how data will flow from object form to process form since there is no data flow mapping here)
    5. Other steps like creating the SOA composite with human tasks and deploying it, and after that creating approval policies, are pretty much clear.
    Please clarify whether the steps are correct and also the queries which I have posted in between. Thanks in advance.
    Regards,
    Durgaprasad
    Edited by: Durgaprasad on Jan 17, 2013 3:38 AM

    Thanks Gyanprakash. Will a disconnected resource trigger our custom approval process if we select the resource name properly in scope in the operational level approval policy? Have you tried a disconnected resource with your custom approval process? Because I read the following lines in the admin guide
    Oracle Identity Manager supports provisioning of disconnected resources by using the SOA worklist for manual provisioning of disconnected resources. After the role-based provisioning decision or SOA request approval is complete and the corresponding application instance is determined to be a disconnected application instance, a new SOA workflow is started. This new SOA workflow is assigned to the manual provisioning administrator.
    So I thought a disconnected app instance will have its own approval process configured during the creation and it will route accordingly. So I just wanted to clarify how to make a disconnected app instance trigger our approval. Will the approval policy take care of it, as I am going to select the name of the disconnected app in the scope field?

  • Request dataset in OIM 11gr2

    Hi Experts,
    I have integrated OIM 11gR2 with Siebel and am able to provision by xelsysadm. My requirement is that the end user will be raising a request for the Siebel resource and the approval workflow associated with it is triggered.
    1. End user raising the request is able to view the process form, I need to restrict few attributes i.e. position and responsibility should not be visible to end user
    2. Position and Responsibility should be provided by approver (this is specified in request data set of provision resource)
    3. As per Oracle document there is no request data set for PROVISION and MODIFY resource. What is the replacement for this?
    4. After Request is raised it has been assigned to xelsysadm, how do I control the approval?
    Regards
    A Abhinay

    1. End user raising the request is able to view the process form, I need to restrict few attributes i.e. position and responsibility should not be visible to end user
    End user will see Application Instance Form and you can customize the UI to hide attributes
    2. Position and Responsibility should be provided by approver (this is specified in request data set of provision resource)
    Make your Java Code/Beans/Expression to show/hide attributes conditionally.
    3. As per Oracle document there is no request data set for PROVISION and MODIFY resource. What is the replacement for this?
    Application Instance Form
    4. After Request is raised it has been assigned to xelsysadm, how do I control the approval?
    Approval Policies

  • Pre-populate Organization to the self registration request in OIM 11gR2 PS1

    Hi All
    I want to know if there is a way to pre-populate Organization to the self registration request in OIM 11gR2 PS1.
    I am trying to configure auto approval and for that I need to add org to the request.
    Thanks

    Hi,
    you can look into the following post : https://forums.oracle.com/message/10830661
    Thanks

  • [ OIM 11gR2 PS1 ]How to add additional field on Application Instance Form ?

    Hi,
    In our scenario we have Disconnected applications in OIM. The AI (Application Instance) form and PD editing are created by OIM.
    We want to add an additional field in the AI form. It is visible in the back end. But it's not visible in the OIM admin console for admin, nor for the end user.
    Is there any property related to the form field in AI where we need to make changes to make it visible?
    Instance used is OIM 11gR2 PS1
    Thanks,
    RPB
    Edited by: RPB25 on May 29, 2013 9:46 PM

    I was able to resolve this issue. We need to click on "regenerate view".

  • Configuring ACF2 connector with OIM 11gR2

    Hi Experts,
    I am working on configuring the ACF2 connector with OIM 11gR2. In an intermediate step we need to copy the VOYAGER_ID.properties file. The comment against this file is written as: Rename VOYAGER_ID with the name "Voyager server's VOYAGER_ID control file property".
    Can anybody please tell me what this actually means?
    thanks

    Rename the copied file to match the VOYAGER_ID property. For example, if the target system has VOYAGER_ID = VOYAGE14, then the .properties file should be named VOYAGE14.properties.
    The Voyager reconciliation agent sends a unique identifier value, called VOYAGER_ID, each time a reconciliation event occurs. This value must match the name of the .properties file being used by the topsecret-adv-agent-recon.jar file for reconciliation.

  • OIM 11GR2 UNIX Connector Reconcile users from UNIX inquiry

    Good Day!
    I would like to ask whether there is a way in OIM that when I reconcile all new users from my UNIX server, OIM will also create the resource which this user is provisioned upon?
    Here is my scenario:
    1.) Freshly installed OIM 11GR2.
    2.) Installed UNIX connector on OIM 11GR2.
    3.) Configured UNIX TRUSTED Resource
    4.) Reconciled all the UNIX users into OIM. (New users are created since my OIM doesn't have any user)
    5.) The problem is when the new users are now created in OIM, they don't have entitlements or accounts linked to the UNIX server which they have been pulled upon.
    I would like to ask whether I need to configure something to have the entitlements/accounts linking possible?
    If not, what are the ways I can achieve this?
    The only way I can think of is have the UNIX users be created in a flat file first then load via GTC then have reconciliation to have OIM to link these users to UNIX which I believe should be able to do the scenario I am asking upon.
    Thanks in advance!
    Regards,
    Jeff

    By the way, checking target resource recon by default will not create new users when OIM is not able to establish a link.
    In my case, OIM doesn't have any users since this is a fresh install, hence even running target resource at the start won't create the new users in OIM, right?
    Based on this:
    "You configure application (AD, OID, OVD, HR) etc in Target Resource Mode if that OIM is source of truth for user provisioning (All users are created in OIM and OIM then provision accounts in Application. Any changes in Application are reconciled back to OIM)."

  • Protecting OIM screens with OAM

    I'm looking for advice from anyone with experience of protecting OIM screens, by user role, using OAM.
    I'm protecting the OIM application using OAM but I want to add more granularity to prevent access to individual screens depending on the user's role.
    An example of my problem is how to protect the OIM Account Profile screen but not the Resource Profile screen. The visible url for both is .../ViewProfile.do but some javascript sets method=accountProfile for one and method=resourceProfile for the other.
    I need to protect the screen both when a user clicks on a menu item that leads to the screen and if a logged in user manually types in the full query string that will give access to the screen.
    I've set up an OAM policy domain with some policies and can successfully protect only one of the screens when a user manually enters a url, by using a query string entry for 'method' in the policy.
    What I can't figure out how to do is how to set up a policy for when a user clicks the link for the screen and the 'method' variable is set by the javascript.
    I've tried setting a querystring variable as method and value as accountProfile rather than entering the actual querystring, but this doesn't work.
    Any help gratefully received.

    Hi Andy,
    When I got the same issue, I resolved it by adding the Nexaweb details to the OHS server.
    I was using OHS as a proxy server. We have to allow the Nexaweb URLs from the proxy server. In order to do that you need to add the Nexaweb details in the mod_wl_ohs.conf file if you are using Oracle HTTP Server (OHS). Restart the webserver. It will work.
    Also you can protect the Nexaweb URL in OAM. But this is optional. But I recommend to do it.
    Regards,
    MADHU
