OIM 10G OID user account / group membership reconciliation

Hello
I have an OID environment that is used for OAM access to applications within the environment. I need to be able to reconcile users from OID into OIM along with their group membership so that roles for users are maintained and updated. I have ORM integrated within the environment, so entitlements would need to flow to ORM to document that users are members of a role / OIM group. Not sure if this is possible through the trusted reconciliation or if there is a user / group target reconciliation that can be used for this. Any help you can give for this would be appreciated.
Thanks

When I use ADCS timestamp as 0 (to capture changes from the beginning and not necessarily after the group change event occurred on the AD side) and run AD user target recon, this is getting updated. Is this correct and, if so, how can I always default ADCS timestamp to 0 in the scheduled task, and are there any side effects for this sort of approach?
Prasad.
Edited by: Prasad on Nov 7, 2011 12:31 PM

Similar Messages

  • Invoke an adapter on change of User's Group Membership details

    Hi
    I need to invoke an adapter on change of User’s Group Membership details. I am not able to figure out from where I can invoke my adapter.
    Does anyone have any idea about this?
    -- Another Question: what is the purpose of having “tcUSRautoGroupMembership” in User’s Object Form on Post Update. It would be nice if you give some details about this task.
    -Hardew

    Thanks for quick response.
    What you have mentioned is applicable for a specific value of a user’s OIM Profile field; that means it will be triggered only if a user has a specified value, i.e. "blah blah", for that field, i.e. fieldA.
    However my scenario is slightly different. Let me explain my scenario by example:-
    I have N OIM groups, i.e. g1, g2, g3, g4, ..., gn, and a user called myUser. This user is a member of two groups, g1 and g2; now if I make myUser a member of one more group, i.e. g3, or remove one, i.e. g1, then I want to perform a custom task using an adapter on this Group Membership change.
    Is there any “Data Object Form” where I can associate my adapter on post-update to detect change of User’s Group Membership?
    _hardew

  • Difference between "account group" and "reconciliation account"

    Hello,
    I am new to SAP and I would like to understand the difference between the "account group" and the "reconciliation account" that appear both in the vendor master records.
    From what I read, "account group" is just a classification but has no "accounting" impact whereas "reconciliation account" (goods suppliers, overhead expenses suppliers...) do have an accounting impact.
    However I am not sure so I would like a confirmation on that and if possible examples so I could really understand.
    Thank you.

    Hi,
    The account group is a way to divide vendors into groups for reporting later on.
    The account group is also the link to the number range and the field selection functionality.
    Please refer the below link for more clarity.
    http://help.sap.com/saphelp_46c/helpdata/en/53/c98647ca3711d2b494006094b9114a/frameset.htm
    Account group
    The reconciliation account is the account which is posted to at invoice receipt stage, where the vendor account represents the sub-ledger and the reconciliation account the ledger.
    Reconciliation Account
    http://sapdocs.info/sap/fico/reconciliation-accounts-and-special-gl-indicator/
    Hope it helps you.
    Thanks.

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. I was wondering if this is a set time and, if so, whether it can be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
    Thanks
    Nick

    Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account; then, after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • Disable OID User account after 90 days of inactivity - OIM

    Hello there,
    I have a requirement where I have to disable a user's account if he/she has not logged in to our environment (OID) in the last 90 days. The users are authenticated via OAM when they are logging in. Does anybody have any idea which attribute in which object class in OID needs to be checked for the last login attempt made by the user, and what is the datatype of the same? Is it a date that I can compare after making an initial LDAP context to OID and pointing to each single user?
    Really need a solution for this. Please respond.
    Many Thanks,
    - oidm.

    Check the schema description at:
    http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b25348/schema.htm#CFHCGFCC
    You create code that runs daily, checks the last login dates and, if one is older than 90 days, disables the OID user.

  • OIM: Issue with changing AD group membership

    I'm trying to add/remove groups in the AD child form and I get the error below.
    - I can successfully change properties on the main form, such as last name, etc...
    - I don't get why the errors come up from the scheduled task API, e.g. com.thortech.xl.schedule.tasks.ADITRes ??
    - I've tried tracing this all the way to the .jar file using a decompiler... I think it has something to do with either the Group DN or the IT resource, but can't tell which.
    - I've successfully Reconed all Groups/OUs.
    - I don't see how it can be the ITResource since I can change attribs, unless it's looking at the IT resource of the Schedule task.
    EDIT: I'm using OIM 9102BP11 with latest version of the ADconnector (9.1.x)
    I should also note that this was working perfectly fine until I tried to move to GCADITResource. Even when I move back to the regular ADITresource and provision a new user, I keep getting this error.
    DEBUG,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADITRes : initialize:: STARTED
    ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],====================================================
    ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],*com.thortech.xl.schedule.tasks.ADITRes : initialize : null*
    ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],====================================================
    ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],================= Start Stack Trace =======================
    ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADITRes : initialize
    ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],
    ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],*Description : null*
    ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],*java.lang.NullPointerException*
    at java.util.Hashtable.put(Hashtable.java:396)
    at com.thortech.xl.schedule.tasks.ADITRes.initialize(Unknown Source)
    DEBUG,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext:: STARTED
    ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],====================================================
    ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],*com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext : null*
    ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],====================================================
    ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],================= Start Stack Trace =======================
    ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext
    ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],
    ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],Description : null
    ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],java.lang.NullPointerException
    at java.util.Hashtable.put(Hashtable.java:396)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.hashTableEnvForDirContext(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.getAttributeValues(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks.addUserToGroup(Unknown Source)
    ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],================= End Stack Trace =======================
    ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],====================================================
    ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],*com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : addUserToGroup : ADD User to Group Operation Failed:null*
    ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],====================================================
    ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],================= Start Stack Trace =======================
    ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : addUserToGroup
    ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],
    ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],Description : null
    ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],java.lang.Exception
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.hashTableEnvForDirContext(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.getAttributeValues(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks.addUserToGroup(Unknown Source)
    ERROR,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],================= End Stack Trace =======================
    DEBUG,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : disconnect:: STARTED
    DEBUG,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : disconnect:: FINISHED
    DEBUG,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : addUserToGroup:: FINISHED
    INFO,20 Sep 2010 10:28:56,563,[XELLERATE.ADAPTERS],Adapter: adpADCSADDUSERTOGROUP has completed for the task: Add User To Group.
    Edited by: Alex S on Sep 20, 2010 10:45 AM

    The individual rows in the AD user group object child table contain references to which IT resource the group refers to, so if you switch ADITresource back and forth it is very easy to get things out of synch.
    The exact structure of references between the rows in the child table, the IT resources and the DN of the groups is a bit complex so I can't tell you by heart exactly how it should be but take a look into this and hopefully you will be able to spot the issue.
    Best regards
    /Martin

  • How to verify user LDAP group membership

    Hi,
    we are attempting to determine if a user is a member of a specific LDAP group in our directory; if the user is a member it should return TRUE, else FALSE (this is done by defining the LDAP attribute 'CN' (property), which returns a result 'CN=<UserName>' or returns 'getting 0 entries'). The query we have is
    (&(cn=<username>)(memberOf=CN=<groupname>,DC=domain,DC=com)).
    Any pointers on how to do this ?
    Thank you.

    You could do a couple of things...
    1) Install dsquery (add remote AD tools to your box) and run something like
    dsquery group -u <user name>
    Username would be their login name, yours is "swaupadh" for example. This would return a listing of all the groups they are in and you could regex through that output for the group you are looking for. Use either the Execute Powershell or Execute Windows Command activity here.
    2) Use powershell functions and powershell capability to check for group membership, something like this:
    function Get-GroupMembership($DN,$group){
        # Bind to the user's entry and return the memberOf values that match the group name
        $objEntry = [adsi]("LDAP://"+$DN)
        $objEntry.memberOf | where { $_ -match $group }
    }
    # EXAMPLE CALL
    Get-GroupMembership "Cn=kazun,dc=contoso,dc=com" "Backup Operators"
    Then you can regex through the output for the "True" or "False" word and run with that.
    Either should get you what you want.

  • OIM Disable OID Users Error

    Hello
    When disabling users in OIM, the connected OID resource is not disabled and I receive the below error in the log. Is there a status definition or lookup that needs to be filled in for this to complete?
    2012-06-28 11:30:10,048 INFO [STDOUT] Target Class = com.thortech.xl.integration.OID.tcUtilOIDUserOperations
    2012-06-28 11:30:10,142 ERROR [XL_INTG.OID] ====================================================
    2012-06-28 11:30:10,142 ERROR [XL_INTG.OID] com.thortech.xl.integration.OID.tcUtilOIDUserOperationsMapping for ldapdisabled missing in the lookup definition
    2012-06-28 11:30:10,142 ERROR [XL_INTG.OID] ====================================================
    Thanks
    Nick

    Have you changed your OID user process task mappings for the Enable User and Disable User tasks? By default these set AttrName to "UserEnabled" and "UserDisabled", both of which map in lookup AttrName.Prov.Map.OID to attribute orclIsEnabled.
    Your error message seems to suggest your Disable User process task mapping for OID User has been set to have AttrName set to ldapdisabled, and this attribute does not have a mapping defined in AttrName.Prov.Map.OID.

  • Disable OID user account

    I am new to OID, but very familiar with Novell eDirectory and Microsoft Active Directory.
    Both Novell eDirectory and Microsoft Active Directory have the ability to disable login accounts so they can not be used for login (ie say when a user leaves your company).
    I have been unable to find in OID how to disable a user account, could someone point me to that please?
    B

    There is an attribute called "orclisenabled" and you can disable a user by setting this attribute to "Disabled".

  • User's Group Membership problem with enterprise domain

    Hi
    I have some problems synchronizing Active Directory in LiveCycle ES 8.0.1.
    I'm able to import the users and groups from an Active Directory to an enterprise domain... but the association of user to group is not kept.
    Could the problem be that the DN of users is different from the DN of the group?
    The DN of users is something like this:
    OU=CED,OU=CDC Utent,DC=house,DC=lan
    and the DN of the group:
    DC=house,DC=lan
    Thanks

    Ok, I think the DN value is not the problem... I tried with another Active Directory and the association of user to group is kept! But why?
    In the user details of the Active Directory that doesn't synchronize well I have 2 more attributes:
    dSCorePropagationData
    profilePath
    But really I don't understand where the problem is. Maybe the version of Active Directory?
    Does anybody else have this weird issue?
    Thanks.

  • Users not provisioned from OIM to OID user group child form

    I have created 3 fields in the UserForm named Application1, Application2 and Application3. All are text fields. Now I have a field in a child table of the Process Form named Applications, which is a lookup type and a multivalued attribute. Now the requirement is that whenever a user gets some value in the UF for any application (Application 1, 2 or 3), the field Applications in the PF should get auto-populated with that application value.
    The Applications lookup in the Process Form already has all of applications 1, 2 and 3 in the lookup code and decode values.

    In your adapter, read all the values from the UDFs (User Form).
    If a value is not NULL then use the tcFormInstanceOperationsIntf API to add values to the Process Form.
    http://otndnld.oracle.co.jp/document/products/id_mgmt/idm_903/doc_cd/javadocs/operations/Thor/API/Operations/tcFormInstanceOperationsIntf.html#addProcessFormChildData%28long,%20long,%20java.util.Map%29

  • Vendor account group assign to Reconciliation account

    Hello Experts,
    Is it possible to customize a reconciliation account assignment to vendor account group?
    Our requirement is when you create a vendor, then select a vendor account group, the reconciliation account will automatically be proposed in the field. This is to avoid selecting wrong reconciliation account when creating a vendor.
    I had a look in SPRO but I couldn't find anything that could do that.
    Thanks in advance
    Regards,
    Catherine

    Thanks for your inputs,
    I have checked in the system if there is a user exit. Could you please confirm for me that the user exit "GLPLAN00 - Enhanced authorization and master data validation" is the right one?
    My objective is to have the correct reconciliation account automatically populated when I am creating a customer/vendor with a specific account group.
    e.g. select account group - XXXX Non-trade customer / Reconciliation acct XXXXXX non trade customer automatically populated.
    Thanks in advance for your help.
    Catherine

  • User Group Membership change Alert

    As a system administrator, I would like to be alerted when a user's group membership has changed on the domain. Can Spiceworks compare the imported memberships in its database with AD and alert me when they do not match? Below is an image of the information that SW imports which could be used for this comparison.
    This topic first appeared in the Spiceworks Community

    Assuming you know the dn of the groups to remove the person from and add them to, and the dn of the person to move, you should be able to do something similar to:
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.BasicAttributes;
    import javax.naming.directory.DirContext;

    Attributes attrs = new BasicAttributes(true);
    Attribute uniquemember = new BasicAttribute("uniquemember");
    uniquemember.add("uid=user,o=domain.com"); // DN of the user to move
    attrs.put(uniquemember);
    DirContext ctx = /* connect to your LDAP directory here */ null;
    try {
        // Not atomic: if the second call fails the user has already left the old group.
        ctx.modifyAttributes(groupToRemoveFromDN, DirContext.REMOVE_ATTRIBUTE, attrs);
        ctx.modifyAttributes(groupToAddToDN, DirContext.ADD_ATTRIBUTE, attrs);
    } catch (NamingException ne) {
        // return error appropriately
    }
    try {
        ctx.close();
    } catch (NamingException ne) {
        // do what you want with error
    }
    You also might want to check out the JNDI tutorial at http://java.sun.com/products/jndi/tutorial/index.html
    --Nicole

  • OBIEE only getting limited number of group membership records

    Hey everyone,
    I'm seeing some strange behavior with the group membership functionality of OBIEE. Right now we're on version 10.1.3.2 and we've implemented SSO and we setup a query against LDAP (AD) to get user group information similar to the way Venkat's blog demonstrates:
    http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/
    At first glance, everything was working smoothly, however, on second glance, I noticed that on users who were part of lots of groups (i.e. 80 groups), not all of their membership information was getting into OBIEE. On my test user, who was part of only 10 groups, I ran a test in which I only gave access to the Answers module to a person from the 10th group. When I logged into OBIEE as my test user, I was able to access answers.
    On my second test user, who had 80 groups, I set access to answers for the 75th and 80th groups (both different tests). Neither test allowed this user to access answers. However, when I choose the 5th group returned, the user was quickly able to see and access answers.
    When I test out the call to the Oracle function in the Admin tool, I see all the groups returned there.
    These strange results lead me to believe that there is only so many group membership records that OBIEE can receive. Is that true? Has anyone seen this before? Did I forget to set something appropriately?
    Thanks everyone for your help!
    -Joe

    Hey,
    Sorry about the delay in getting back to you; I was slammed with some work right before the holiday. Anyway, below is the sample code and an example of its usage. Be sure to replace the <BASE DN>, <LDAP HOST>, <LDAP USER>, and <LDAP PASSWORD> with the appropriate values for your situation.
    Also, you'll need to create the "ARRAY" datatype like in Venkat's blog.
    Best of luck!
    -Joe
    select * from table(getusergroup('Jbertram'));
    create or replace FUNCTION GETUSERGROUP(Username in Varchar2) RETURN ARRAY PIPELINED AS
        -- Adjust as necessary.
        l_retval      pls_integer;
        l_session     dbms_ldap.session;
        l_attrs       dbms_ldap.string_collection;
        l_message     dbms_ldap.message;
        l_entry       dbms_ldap.message;
        l_attr_name   varchar2(256);
        l_ber_element dbms_ldap.ber_element;
        l_vals        dbms_ldap.string_collection;
        l_raw         dbms_ldap.binval_collection;
        l_ldap_base   varchar2(256) := '<BASE DN>';
        -- Username is concatenated into the filter unescaped; pass only trusted, validated values.
        l_filter      varchar2(100) := '(&(cn='||Username||'))';
        l_ldap_host   varchar2(100) := '<LDAP HOST>';
        l_ldap_port   number := 389;
        l_ldap_user   varchar2(100) := '<LDAP USER>';
        l_ldap_passwd varchar2(100) := '<LDAP PASSWORD>';
        l_result      varchar2(100);
    begin
        -- Choose to raise exceptions.
        dbms_ldap.use_exception := true;
        dbms_ldap.utf8_conversion := false;
        -- Connect to the LDAP server.
        l_session := dbms_ldap.init(hostname => l_ldap_host, portnum => l_ldap_port);
        l_retval := dbms_ldap.simple_bind_s(ld => l_session, dn => l_ldap_user, passwd => l_ldap_passwd);
        -- Only the memberOf attribute is requested.
        l_attrs(1) := 'memberOf';
        --l_attrs(2) := 'cn';
        l_retval := dbms_ldap.search_s(ld => l_session
                                      ,base => l_ldap_base
                                      ,scope => dbms_ldap.scope_subtree
                                      ,filter => l_filter
                                      ,attrs => l_attrs
                                      ,attronly => 0
                                      ,res => l_message);
        if dbms_ldap.count_entries(ld => l_session, msg => l_message) > 0
        then
            -- Get all the entries returned by our search.
            l_entry := dbms_ldap.first_entry(ld => l_session, msg => l_message);
            <<entry_loop>>
            while l_entry is not null
            loop
                -- Get all the attributes for this entry.
                dbms_output.put_line('---------------------------------------');
                l_attr_name := dbms_ldap.first_attribute(ld => l_session
                                                        ,ldapentry => l_entry
                                                        ,ber_elem => l_ber_element);
                <<attributes_loop>>
                while l_attr_name is not null
                loop
                    -- Get all the values for this attribute.
                    l_vals := dbms_ldap.get_values(ld => l_session, ldapentry => l_entry, attr => l_attr_name);
                    -- Guard the range loop: an entry with no groups returns an empty collection.
                    if l_vals.count > 0 then
                        <<values_loop>>
                        for i in l_vals.first .. l_vals.last
                        loop
                            -- Keep the text between 'CN=' and the first comma, i.e. the group name.
                            dbms_output.put_line(substr(l_vals(i),4,instr(l_vals(i),',')-4));
                            PIPE ROW(substr(l_vals(i),4,instr(l_vals(i),',')-4));
                        end loop values_loop;
                    end if;
                    l_attr_name := dbms_ldap.next_attribute(ld => l_session
                                                           ,ldapentry => l_entry
                                                           ,ber_elem => l_ber_element);
                end loop attributes_loop;
                l_entry := dbms_ldap.next_entry(ld => l_session, msg => l_entry);
            end loop entry_loop;
        end if;
        -- Disconnect from the LDAP server.
        l_retval := dbms_ldap.unbind_s(ld => l_session);
        --dbms_output.put_line('L_RETVAL: ' || l_retval);
    end;
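    An added Python example, not from any of the posts above, that serves three threads on this page: the "verify user LDAP group membership" question, the "User Group Membership change Alert" request, and the group-name extraction the PL/SQL function does with substr(v,4,instr(v,',')-4). It parses memberOf values per RFC 4514 so an escaped comma inside a group CN does not truncate the name (which the substr approach does), and diffs two constructed membership snapshots into per-user alerts; the user names and the DC=house,DC=lan suffix are borrowed from the threads, the snapshots themselves are made up.

```python
"""memberOf helpers over constructed sample data; no directory connection is made.
RFC 4514 lets a comma appear inside an RDN value only when backslash-escaped."""
import re
from typing import Dict, List, Optional

# Split a DN on commas not preceded by a backslash (a value ending in an escaped backslash defeats this).
_RDN_SPLIT = re.compile(r"(?<!\\),")
_HEX = set("0123456789abcdefABCDEF")


def _unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\c' yields c; runs of '\\XX' hex pairs are UTF-8 bytes."""
    out, buf, i = [], bytearray(), 0  # buf: pending \XX bytes, decoded together as UTF-8
    while i < len(value):
        pair = value[i + 1:i + 3] if value[i] == "\\" else ""
        if len(pair) == 2 and all(c in _HEX for c in pair):
            buf.append(int(pair, 16))
            i += 3
            continue
        if buf:
            out.append(buf.decode("utf-8", errors="replace"))
            buf.clear()
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])  # "\c" stands for the single character c
            i += 2
        else:
            out.append(value[i])
            i += 1
    if buf:
        out.append(buf.decode("utf-8", errors="replace"))
    return "".join(out)


def first_rdn_value(dn: str, attr: str = "cn") -> Optional[str]:
    """Value of the leading RDN if its attribute type is `attr` (case-insensitive), else None."""
    typ, sep, val = _RDN_SPLIT.split(dn, maxsplit=1)[0].partition("=")
    if not sep or typ.strip().lower() != attr.lower():
        return None
    return _unescape(val.strip())


def naive_cn(dn: str) -> str:
    """Python twin of substr(v, 4, instr(v, ',') - 4): skip 'CN=' and cut at the first comma."""
    return dn[3:dn.index(",")]


def group_names(member_of: List[str]) -> List[str]:
    """Group CNs from a memberOf attribute; values whose leading RDN is not cn are skipped."""
    return [n for n in (first_rdn_value(dn) for dn in member_of) if n is not None]


def is_member(member_of: List[str], group_cn: str) -> bool:
    """Membership test for one group by CN; AD compares names case-insensitively."""
    return any(n.lower() == group_cn.lower() for n in group_names(member_of))


def membership_changes(previous: Dict[str, List[str]],
                       current: Dict[str, List[str]]) -> List[dict]:
    """Diff a stored snapshot (user -> memberOf) against a fresh one: one alert per changed user."""
    alerts = []
    for user in sorted(set(previous) | set(current)):
        before = {n.lower(): n for n in group_names(previous.get(user, []))}
        after = {n.lower(): n for n in group_names(current.get(user, []))}
        added = [after[k] for k in sorted(after.keys() - before.keys())]
        removed = [before[k] for k in sorted(before.keys() - after.keys())]
        if added or removed:
            alerts.append({"user": user, "added": added, "removed": removed})
    return alerts


# Constructed snapshots (names and the DC=house,DC=lan suffix borrowed from threads on this page).
SNAPSHOT = {
    "jbertram": ["CN=OBIEE Authors,OU=Groups,DC=house,DC=lan",
                 "CN=Backup Operators,CN=Builtin,DC=house,DC=lan"],
    "kazun": ["CN=Backup Operators,CN=Builtin,DC=house,DC=lan"],
}
CURRENT = {
    "jbertram": ["CN=OBIEE Authors,OU=Groups,DC=house,DC=lan",
                 "CN=Finance\\, EMEA,OU=Groups,DC=house,DC=lan"],  # escaped comma inside the CN
    "kazun": ["cn=backup operators,cn=Builtin,dc=house,dc=lan"],   # same group, case differs only
    "newhire": ["CN=Domain Admins,CN=Users,DC=house,DC=lan"],      # new account in a privileged group
}
```

Running membership_changes(SNAPSHOT, CURRENT) reports jbertram's swap of Backup Operators for "Finance, EMEA" and newhire's Domain Admins membership, while kazun's case-only difference produces no alert.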

  • Group Membership Update Task -AD Connector 11g

    OIM 11g R2:
    When will the Group Membership Update task be triggered for a user? Will this get triggered when an Entitlement associated with a user is updated (entitlement metadata)? How will OIM identify that it is an update to an existing Entitlement that the User is associated with?
    This is my understanding on other group related OOTB tasks:
    Insert Group Membership will be triggered when a new entitlement is added to the user
    Delete Group Membership will be triggered when an Entitlement is removed
    Thanks in advance.

    If the entitlement display name is updated in OIM then it also gets updated in the provisioned resource profile for all users who are associated with the entitlement, but it does not insert a 'Group Update' task.
    If the entitlement's group name is changed in the target system then OIM treats this change as a completely new entitlement and does not update it for the existing associated users.
    Thanks,
    Pallavi
