NW IDM Role approval based on Role

Hi there....
I'm looking at the document: "How to...Create Approval Tasks in SAP NetWeaver Identity Management 7.1"
I seem to have a slightly different use case than the ones listed.
In my use case I need the approver to be any one Member of a given IDM role.  Do I need to go through the whole PVO setup or can I just use the approval tab and designate the IDM Role? Or do I just modify one of the existing use cases?
Thanks,
Matt

Kai, I had a chance to look at this over the weekend, good stuff.
The only problem I have left now is..."philosophical"
What happens if I need the approval just to pause the process? Here's my use case:
User created in AD by IDM
User assigned roles in AD by IDM
User needs email address which is still handled manually per the business
User gets welcome email.
Now I can't send an email until the email address is provisioned.  In 7.0 and other IDM projects I have PM'ed, we've put an approval in so that the Email Admin can approve (confirm, really) that the email address has been created.
I don't necessarily want a role created for this as it would serve no further purpose.  I'm working on an alternative workflow to handle the approval/confirm process, but I'd rather not reinvent the wheel if I can avoid it.
Thanks!
Matt

Similar Messages

  • Integrate IdM roles with Sun Access Manager roles

    Hi all,
    I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
    I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
    What are the important differences between static and dynamic roles in AM?
    Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
    Thanks.

    I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
    About directory server roles:
    http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
    Forum thread reference:
    http://forums.sun.com/thread.jspa?threadID=5208694
    Here are roughly the steps I followed to get this working.
    Access Manager roles setup:
    1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
    Identity Manager roles setup:
    1. Create a new role in Identity Manager: tab Roles, click New....
    2. Assign the LDAP resource to synchronize the role with.
    3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
    4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
    * In the column Value override, select Text.
    * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
    * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
    5. Save the role. You can now add the role to a user.

  • Profile Type Privilege Assignments through IDM roles are stuck in Pending State

    Hi Everyone,
    We are getting a strange problem in our project in IDM 7.2 SP8. We use an IDM role-based concept where backend system specific technical roles and profiles (called privileges in IDM) are combined into IDM roles, and these IDM roles are assigned to users.
    Events are configured on the privilege level (i.e. backend system specific technical roles, profiles) in IDM so that once an IDM role is assigned to a user, the corresponding privileges are assigned to the user in IDM and these assignments trigger provisioning to the associated backend systems.
    Now for role type privileges the provisioning is working fine. But for profile type privileges the provisioning status always shows as pending, nothing happens, and no logs show in the job log.
    I tried executing the mc_analyze_assignments stored procedure that came with SP08 to at least find the logs, but still no information appears. It looks like the triggering itself is not happening.
    I also compared the member events definition for the profile type privileges with the role type privileges (for which the provisioning is working fine) and it looks like the settings are exactly the same.
    Can anyone suggest any other things that we are supposed to check? Any help is highly appreciated.

    Hello Venkata,
    Did I understand correctly: you have business roles that have SAP profiles and SAP roles (both privileges in IDM) assigned. Now you assign such a business role to a user, but only the SAP roles are provisioned to the backend system and the SAP profiles are not?
    Since you can see them in the UI for the user as pending, it looks like at least the provisioning is triggered, just not completed.
    You could check with the following SQL statement whether they are waiting for the successful completion of another task, and work your way from there:
    select * from mxp_provision where msg like 'Wait for%'
    The MSG-column gives you the audit-id of the "blocking" task and you can find more information about that one via
    select * from mxp_audit where auditid=<auditid>
    to see, what is going on there.
    Also do you have access to the Monitoring-tab via http://<portalurl:port>/idm/admin? In the provisioning-audit you might find some clues for those operations, too.
    Regards,
    Steffi.

  • IDM roles creation / updation and deletion via workflows

    Hi,
    We are on IDM 7.1. I wanted to know if there is any way to create / update / delete IDM roles in the workflow / rules based on data-driven logic, rather than using the IDM admin page (Roles tab) and creating them with LDAP group attributes assigned and making them pre-defined.
    I've read in most of the postings that most of the time roles have been retrieved, but no other operations were done.
    Anyone having ideas???
    Regards
    Krishna

    Hi,
    Check these FMs; I don't know whether they will work for you or not.
    BAPI_USER_ACTGROUPS_ASSIGN     User: Change entire activity group assignment
    BAPI_USER_ACTGROUPS_DELETE     User: Delete entire activity group assignment
    BAPI_USER_CHANGE               Change User
    BAPI_USER_CLONE                Create User with Template in Another System
    BAPI_USER_CREATE
    BAPI_USER_CREATE1              Create a User
    BAPI_USER_DELETE               BAPI to Delete a User
    BAPI_USER_DISPLAY              Display Users
    BAPI_USER_EXISTENCE_CHECK      Check a user exists
    BAPI_USER_GETLIST              Search for Users
    BAPI_USER_GET_DETAIL           Read User Details
    BAPI_USER_INTERNET_CREATE      Create a user in the Internet
    BAPI_USER_LOCACTGROUPS_ASSIGN  Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_LOCACTGROUPS_DELETE  Delete Activity Group Assignments in the Dependent Systems
    BAPI_USER_LOCACTGROUPS_READ    Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_LOCK                 Lock User
    BAPI_USER_LOCPROFILES_ASSIGN   Change Profile Assignment for Dependent Systems from Central System
    BAPI_USER_LOCPROFILES_DELETE   Delete Profile Assignments for Dependent Systems
    BAPI_USER_LOCPROFILES_READ     Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_PROFILES_ASSIGN      User: Assign profiles
    BAPI_USER_PROFILES_DELETE      User: Delete All Profile Assignments
    BAPI_USER_UNLOCK               Unlock user
    Reward points if useful..
    Regards
    Nilesh

  • SUN IDM Role removal does not remove the set atributes

    Hi,
    I am using SUN IDM Roles to set a multi-valued attribute on a resource using the merge with value property.
    But when I remove any of the assigned roles, the corresponding ATTRIBUTE value is not getting removed.
    Is there anything specific which needs to be done?
    e.g.: Role1 sets attribute PRIV on resource A to "ADMIN"
    Role2 sets attribute PRIV on resource A to "MANAGER"
    If I assign both Role1 and Role2, PRIV will have "ADMIN" and "MANAGER"
    But if I remove Role1, "ADMIN" is still present under PRIV.
    Is there any workaround for this? Please advise.
    - Thanks, ARK

    Try using "Authoritative Merge with Value" instead of just "Merge with Value".

  • GRC AC ARM/ARQ: Approver based on Business Unit / Company...

    Dear all.
    I am wondering if it is feasible to establish an approver based on a Business Unit / Company.
    That is to say:
    In the Access Request Creation functionality the requestor could indicate the first name, last name, ... and could also indicate a specific company or business unit.
    The requestor also assigns some roles for some system.
    The requestor submits the request and it goes to the approver assigned to the company.
    Regards and thank you.

    Hi Neraaj. Thanks for your reply, it was great!
    So now I am moving to the next level. My idea is as follows:
    I have a user requestor who creates an Access Request. They set the user ID, the name, last name and the Organization (not the department, not the company, ...)
    I want to create a BRF+ rule to send the request to an Organizational owner for the Organization set by the requestor.
    For that I don't want to create an agent rule, because I would have to maintain the Organization-Owner relationship in the decision table.
    I want to create a BRF+ rule to fetch the owner of the Organization. Where is this owner set? I want to upload an Organizational structure into the Access Control organization Master Data. For each Access Control Organization view you can set different tabs: AC users, AC roles and Owners. Just like in the image below:
    For that I suppose I need a DB lookup just to search for the Owner set in that tab, but I am not really sure about:
    Where is this relationship located? I have checked the HRP100X tables and I found the organization objects and more data, but nothing like the approver.
    Once I have found this relationship, I don't know if it is possible to get the owner into a variable and set this variable as the result of the function.
    Any advice will be welcome.
    Regards and thank you.

  • In R12 can we have approval based on rules like Cost Center or Account?

    Hi All,
    - In R12 GL, can we have approval based on rules like Cost Centers or Account? I know a rule based on Amount can be set up.
    - In R12 GL, can we use the PO hierarchy and its Rules?
    Thanks.

    Dear Srinivasan Muthu,
    Assuming that Red, Blue and White are the values for the characteristic, say Colour, and if this is assigned to
    a class type, say 023 batch, then while uploading the stock, the system asks for the characteristic value.
    Say, suppose you are entering 561 in MB1C or 101 movement in MIGO for that material and you
    select Blue, then in MMBE you can click on the stock quantity and right click --> batch classification.
    The system shows Blue colour.
    Check and revert back.
    Regards
    Mangalraj.S

  • Get a list of IDM roles in a workflow

    Hi,
    I have a workflow and I need to
    get a list of roles that are defined in IDM.
    How do you do this ?
    I know that in a form you can call:
    <invoke name='getRoles' class='com.waveset.ui.FormUtil'>
    <ref>:display.session</ref>
    </invoke>
    but I need to do the same from a workflow that gets run
    from ActiveSync, where there is no :display.session variable.
    Thanks,
    John I

    Ah, I just found the answer myself:
    <invoke name='getRoles' class='com.waveset.ui.FormUtil'>
    <invoke name='getLighthouseContext'>
    <ref>WF_CONTEXT</ref>
    </invoke>
    </invoke>

  • Synchronize SAP Roles with IDM Roles

    Hi, i have a question concerning SAP integration in IDM.
    Is it possible to import the Roles from SAP (named Activity groups) in IDM? And how does the "synchronize identity system roles with resource roles" function work?
    Thanks in advance!
    gojo

    The job synchronizes FND Users with the Workflow directory service (plus any other systems you specify). PER is a special case, and will only be synchronized with the Workflow directory service if they are associated with a user - otherwise the records are not included. If they have corresponding HZ_PARTY records, then these may be synchronized, but should not really be used for notifications, since there is no login mechanism for the users to view the notification sent to a party record.
    HTH,
    Matt
    WorkflowFAQ.com - the ONLY independent resource for Oracle Workflow development
    Alpha review chapters from my book "Developing With Oracle Workflow" are available via my website http://www.workflowfaq.com
    Have you read the blog at http://thoughts.workflowfaq.com ?
    WorkflowFAQ support forum: http://forum.workflowfaq.com

  • Req (or PO) approval based on dollar limit with a supplier

    Is it possible to auto reject a Req/PO (preference to Req, but maybe PO is easier) based on a minimal dollar threshold?   The idea is that some companies have a minimal dollar amount for orders placed, and we would like to prevent the order from going out to the supplier only to be rejected.

    Hi Sonali,
    I've listed down VERY BASIC steps below but hopefully it could guide you through configuration.
    Below is an example for Purchase order approval:
    Assumption:
    a. 2 Buyers
    -   B01 = Buyer 1
    -   B02 = Buyer 2
    b. Amount
    -   <=100USD = No Check
    -   >100USD = Other Buyer Check
    1. /nCT04 Create 2 characteristics (Buyer and Amount)
    2. /nCL02 Create Class for PO approval (Class type is 032) and assign Characteristics created in step 1.
    3. Define Release Procedures for PO (IMG> Materials Management> Purchasing> Purchase Order> Release Procedure for Purchase Orders)
    3.1 Release Group - create release group and assign class created in step 2.
    3.2 Create release code B1 and B2 (assuming that either buyer can approve the other's work)
    3.3 Release indicator = R for released, B for blocked
    3.4 Create 2 Release strategies
    3.4.1 RS1 = B02 checks B01
    Release Code is B2 (for Buyer B02)
    Classification (Buyer=B01; amount is >100USD)
    3.4.2 RS2 = B01 checks B02
    Release Code is B1 (for Buyer B01)
    Classification (Buyer=B02; amount is >100USD)
    Note: This is a very basic example and you need to play around with the other system settings.  Also, it is possible to determine values dynamically via user-exit if the requirement is more complex.

  • Project approval based on Teams/Managers

    Hello All,
    In Project server 2013 workflow, I want to assign the approval workflow for the review purpose to the members based on the teams.
    Say I have 3 teams, team 1, team 2 and team 3.
    Team 1's members are member11, member12 and member13 and so on.
    Say member11 submits the proposal for review, and the initial approval must be made by the members of the same team (i.e., member12 and member13) before the approval goes to the manager.
    So in such a scenario, is it possible to automate these things using categories and security groups, or should I add all these personnel separately for each project as reviewers?
    Also can I know how to allocate a set of managers per team or per individual, which I can access in the workflow designer to assign the approval workflow to them?
    Thanks,
    Shan 

    Create an SPS group and add all the team members member11, member12 and member13.
    When you create the workflow, make the approval go to that SPS group, so that all the people in the group will be notified. If anyone approves it, it will go to the next stage.
    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

  • Installing IDM via text based browsers

    We have successfully installed IDM 11g and OAM 10g on RHEL5 several times but the installation was completed using Firefox. OAM especially requires the use of a browser to access the Access and Identity servers to instantiate the access server, policy manager, webgates, etc.
    We have a request from a customer wondering if IDM and OAM can be installed using a text based browser like Lynx in the event that connection speed makes use of a gui or x-client browser impossible.
    Hopefully this is a simple answer...
    thanks

    Hi OldGuy,
    The browser part of OAM setup requires accessing pages with quite a lot of JavaScript, and some Java applets (configure attributes for the Identity setup, for example), and it is asking a lot for any text-based browser to be able to negotiate these (Lynx does not even support JavaScript, according to Wikipedia). Maybe other text browsers have more features, but at the very best there will be a large number of key-clicks required to pass the installation screens.
    In my experience, when having to do installation remotely over a slow network, customers have used VNC or similar to a machine on the remote network, and used a browser in that session. Obviously that can still be painful, but I doubt if a text-based browser will work at all.
    Regards,
    Colin

  • PO Approval based on Vendor Category.

    Hi
    There is a typical scenario in my client's system. Now we need to implement SAP
    PO approval process is there.
    There are two major characteristics
    1. PO value
    2. Vendor's present category.
    Vendor's present grade :
    During vendor evaluation, vendors are scored and classified into A, B, C, D categories.
    At the time of creation of the PO, it should check the vendor's category and PO value for triggering the release strategy.
    Can anyone help me with this... how to assign vendor categories to the communication structure CEKKO?
    Thanks in advance.
    Atchyuth

    Try and use exit
    M06E0004
    Changes to communication structure for release of purchasing document

  • Workflow Step to Reject or Approve based on a page property

    I have extended the MyProcess.java workflow process from the CQ5.5 training class, so that it sets the approve property to true or false, depending if the page contains any expired assets or not.
    So the next step is to publish the page if the approve page property is set to true, and if the approve property is set to true, make the workflow go back to the initial step.
    Can this be done with the "Or Split" step with 2 branches?
    What would the ecm script code be to get the page property approved and test if it's set to true or false?
    Thanks
    Tyrone

    Hi Kevin,
    Not a problem. Thanks for all the replies.
    I knew that method (IF_HRASR00GEN_SERVICE~GET_SPECIAL_FIELDS) will be called when the REJECT button is hit.
    But this method is originally empty with no code, I am wondering whether I can add some code over here like below:
    CALL METHOD me->IF_HRASR00GEN_SERVICE~DO_OPERATIONS
              EXPORTING
                special_fields   = special_fields
                SERVICE_OPERATIONS = SERVICE_OPERATIONS
                no_auth_check    = no_auth_check
                message_handler  = message_handler
              CHANGING
                help_datasets    = relevant_help_datasets
                SERVICE_DATASETS = relevant_service_datasets.
    I am not sure how to use the "Call method me->".
    I am still figuring out what values are to be passed into the DO_OPERATION method. When the code runs into that method, I wish that I could use "If formscenario_stage = Approve" and "processing_status = reject" then do the comment field validation in the method.
    Thanks
    Regards,
    Justin

  • Approval Based on Query

    Hi,
    I want an approval procedure for inventory transfer when my destination warehouse is 'ABM'.
    I tried the following 2 queries but they are not working:
    SELECT 'TRUE' WHERE $[WRT1.WhsCode] = 'ABM'
    or
    SELECT DISTINCT 'TRUE' WHERE $[WRT1.WhsCode] = 'ABM'
    Please help
    thanks

    Let us say we have three warehouses.
    I have explained it according to this.
    Create one UDF on Header Level as To Warehouse
    SELECT 'TRUE' where $[$UDF]='warehouse1Code'
    SELECT 'TRUE' where $[$UDF]='warehouse2Code'
    SELECT 'TRUE' where $[$UDF]='warehouse3Code'
    Save these three queries.
    and select warehouse1 to warehouse1 user user defaults, same for 2 and 3.
    Go to Approval Stage and Create New. Select the user as Warehouse 1 user.
    Create the same for 2 and 3.
    1. Create Approval template 1 with originators 2 and 3 warehouse users, and stages as approval stage1 where warehouse 1 user is selected.
    Documents as Inventory transfer document.
    Terms: click on "when the following applies".
    Query name: select the query name as the query with the 1st warehouse.
    Create the same for the second and third warehouse.
    It will work fine for approval in inventory transfer.
