OIM 11.1.1.5 BP2 Roles removed from users automatically

Hi All,
We are using OIM 11.1.1.5 BP02 and facing issues with event handlers, role membership and access policy. We have a custom post create user handler and a custom user post update event handler. We are creating users through trusted reconciliation by using the EBS Employee Recon connector and provisioning users to AD & Exchange by using the 11.1.1.5 ICF connectors.
The issue we are seeing is with the roles of the users. The behavior we are seeing is that, on user creates through trusted recon, the users are getting roles correctly and then the resources are assigned correctly, but after some time the roles are removed from the user. We do not have 'Revoke if no longer applies' on the access policy and thus the resources are appearing fine for the user, but we do not want roles to be removed from the user since the role membership rule criteria still hold good for the user.
We are seeing this issue only with trusted reconciliation and not when we create users through the UI. Our custom event handlers have the same logic for both the execute methods, with the difference that the bulk execute method works on the array of identities received from trusted recon while the normal execute method works on just one identity through the UI.
We are doing complex computation in the event handlers (& setting multiple fields of the user) and are forced to use the UserManager API to set the fields in the create user handler (following article 1469286.1); we believe this is affecting the ordering of the custom event handler and the OOTB Role ChangeCalculator event handler.
We have already checked the bugs (14075985 & 14221435) and wanted to confirm if we are hitting the same and/or how we can debug this more. We have already checked the UPA_USR table but that does not tell us why the role is revoked from the user.
Has anyone faced a similar issue?
Thanks,
Bikash

The patch we were given was 14226386, also called 11.1.1.5.2AK. The readme has the following overview:
This patch addresses the concurrency issues encountered in 11g R1 PS1 as described below:
1. Unlike in OIM 11g R1 PS1, when a user's role membership changes, policy evaluation doesn't
   kick off immediately. Instead the user is flagged for policy evaluation in the future.
   The 'Evaluate User Policies' scheduled task then triggers policy evaluation for such users.
   The scheduled task ensures that there is only one policy evaluation for a user at any
   given time. So, duplicate accounts or entitlements wouldn't be provisioned to a user.
   With this fix, access policy based provisioning events will be triggered only when the
   'Evaluate User Policies' scheduled task runs. Hence, the frequency of this scheduled
   task needs to be tuned for the customer's deployment. The recommendation is to set it to
   10 minutes.
   In addition to binary changes, this fix involves data model and metadata changes as
   described below.
2. In a custom event handler, use Platform.getServiceForEventHandler() instead of
   Platform.getService() to get a handle to a Service available in OIM before making an API
   call. This ensures that the API completes in its entirety (including any post processing)
   when it returns. Also, this brings in predictability in the order of execution of OIM
   events on the same entity created from one another.
3. When trusted source reconciliation brings in multiple events on the same user, these events
   are processed by OIM sequentially.
But since then BP03 and BP04 have been released, so I would suggest you find out from support whether BP04 has resolved this before applying anything.
-Kevin
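As an added illustration (not code from this thread, from Bikash, or from Oracle), here is the shape of a post-create user handler that follows point 2 of the readme Kevin quotes: it obtains UserManager through Platform.getServiceForEventHandler() rather than Platform.getService(), and it runs one shared routine from both the single-entity execute (UI create) and the bulk execute (trusted recon), which is the split Bikash describes. The computed attribute (a display name built from first and last name), the class name, and the attribute names used as orchestration parameter keys are assumptions for illustration; the interfaces and the Platform/UserManager calls are the public OIM 11g R1 ones, and the getServiceForEventHandler() call assumes a release that includes the patch Kevin describes.

```java
import java.io.Serializable;
import java.util.HashMap;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

/**
 * Hypothetical post-create user handler (illustration only). It would be
 * registered in EventHandlers.xml as a post-process handler on the USER
 * entity for the CREATE operation; that XML is not shown here.
 */
public class ComputedAttributesPostProcessHandler implements PostProcessHandler {

    // Backend attribute names as they appear as orchestration parameter keys
    // (assumed here; verify against the user form of your deployment).
    private static final String FIRST_NAME = "First Name";
    private static final String LAST_NAME = "Last Name";
    private static final String DISPLAY_NAME = "Display Name";

    /** UI path: one identity per orchestration. */
    @Override
    public EventResult execute(long processId, long eventId, Orchestration orchestration) {
        String userKey = orchestration.getTarget().getEntityId();
        applyComputedAttributes(userKey, orchestration.getParameters());
        return new EventResult();
    }

    /** Trusted-recon path: an array of identities with parallel parameter maps. */
    @Override
    public BulkEventResult execute(long processId, long eventId, BulkOrchestration bulkOrchestration) {
        String[] userKeys = bulkOrchestration.getTarget().getAllEntityId();
        HashMap<String, Serializable>[] bulkParams = bulkOrchestration.getBulkParameters();
        for (int i = 0; i < userKeys.length; i++) {
            // Exactly the single-entity logic, applied per identity, so the
            // UI and trusted-recon paths cannot drift apart.
            applyComputedAttributes(userKeys[i], bulkParams[i]);
        }
        return new BulkEventResult();
    }

    /** Shared logic for both execute variants. */
    private void applyComputedAttributes(String userKey, HashMap<String, Serializable> params) {
        String displayName = computeDisplayName(params.get(FIRST_NAME), params.get(LAST_NAME));
        if (displayName.isEmpty()) {
            return; // nothing to set; do not start an empty MODIFY orchestration
        }

        // The readme's point: a handle from getServiceForEventHandler() returns
        // only after the API call has completed in its entirety, including its
        // post-processing, so the nested MODIFY is ordered predictably relative
        // to the OOTB handlers (such as the role change calculator) on this CREATE.
        UserManager userManager = Platform.getServiceForEventHandler(UserManager.class);

        User user = new User(userKey);
        user.setAttribute(DISPLAY_NAME, displayName);
        try {
            userManager.modify(user);
        } catch (Exception e) {
            // Fail the event rather than continue with a half-applied user
            // (error handling simplified for illustration).
            throw new RuntimeException("Could not set " + DISPLAY_NAME + " on user " + userKey, e);
        }
    }

    /** Pure helper: "Last, First" from the two name parts, tolerant of nulls. */
    static String computeDisplayName(Serializable first, Serializable last) {
        String f = first == null ? "" : first.toString().trim();
        String l = last == null ? "" : last.toString().trim();
        if (f.isEmpty()) return l;
        if (l.isEmpty()) return f;
        return l + ", " + f;
    }

    @Override
    public void compensate(long processId, long eventId, AbstractGenericOrchestration orchestration) {
        // Nothing to undo for a derived attribute.
    }

    @Override
    public boolean cancel(long processId, long eventId, AbstractGenericOrchestration orchestration) {
        return false;
    }

    @Override
    public void initialize(HashMap<String, String> params) {
        // No handler-level configuration.
    }
}
```

The single-entity and bulk paths deliberately share applyComputedAttributes so that what happens for a UI create is what happens per identity for a trusted-recon batch; when roles or attributes differ between the two creation paths, the first thing to compare is whether the two execute methods really call identical code.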

Similar Messages

  • Workitem is not removed from User Inbox

    Hi,
    There is a requirement: when a PR is created by a user, first it has to go to his department head and then to the Manager, AGM, GM, etc. There are different departments.
    I'm maintaining the organizational structure and giving positions in the release strategy. Now how can I know who has created it and to whom it has to go first? Shall I create a different release strategy for that? Or is there any other way?
    And I tried to create a custom workflow using two release steps instead of one, giving a rule in my first release step, and in the second release step I'm using the strategy. When I create the PR and release it, it is not removed from the user inbox.
    Does anyone know what the problem could be?

    Hi,
    From your requirement, it's not a good idea to have all department heads assigned to a single position.
    But you can have different positions for different departments, and the association between department and the corresponding position number can be maintained in a Z-table. Then have a custom rule based on a function module which will make a call to this Z-table and find the corresponding position given the department of the user, get this position out and use it as the agent assignment in the step. However, to use the above you first should be able to find the department to which a given user belongs.
    The position that you are talking about in your question, is it a position with relevance to the HR structure or is it just one that you have created for workflow purposes? In general it's a good idea to have a fairly strong dependency on the HR structure rather than going for workflow-specific positions. If your position is an HR position then probably a bit of reengineering of the HR organization structure with respect to your departments would be good, and with a good design of the org structure you can also get rid of any new custom table to maintain the relation between department and corresponding position.
    Good Luck !!
    Regards
    Krishna Mohan
    Oops! Many replies came in while I was drafting this mail; I guess a rule using a custom table has already been tried!
    Edited by: Dubbaka Krishna Mohan on Jan 29, 2008 9:20 AM

  • Role removal from Multiple users

    Hi All
    I have a query related to the removal of roles from user profiles.
    I want to delete a particular role from a set of users (say more than 600 users).
    Is it possible with SU10 to remove the role from the users at a stretch, or is it the right way to get it removed from the user tab in PFCG and get the user master records adjusted?
    Please Suggest

    Hi,
    Preferably, you should use PFCG for your need...
    It will be the easiest way to perform this task...
    After that don't forget to do a "user comparison"...
    Regards.
    Rajesh Narkhede

  • Role Removal for users

    Hi Guys
    How do we remove the role Y.R3.IS-XX.xxxxxx from all test users (T-) and assign the role Y.R3.IS-XX.RPT_FI_XXXX to all test users (T-) in Q?
    Any input on this is highly appreciated
    Thanks
    SV

    Hi,
    I am just sending you a sample of how to delete roles using SCAT. You can modify it to delete users from a role.
    Use T-Code SCAT.
    You will be prompted with the initial screen.
    Test case: enter some name, e.g. Z_MASS_ROLE_DELETION
    Click on Create (blank page icon).
    In the initial screen, click the TCD button in the left corner to record a transaction.
    Enter the T-code PFCG.
    Click on the -> arrow button to continue.
    In the next screen you will see the PFCG screen.
    Enter the role name which you want to delete.
    Click on the Delete button (bin icon).
    You will be prompted with a message box with Yes, No and Cancel.
    Click on Yes.
    You will be prompted with an information message; acknowledge it by clicking on Continue.
    Now the role is deleted.
    Click on the Back button (F3).
    You will be prompted with the initial screen where you have to enter the T-code in the pop-up box (PFCG).
    Click on the small RED button to stop recording the transaction.
    You will be prompted with the next screen for the Title.
    Enter the Title, e.g. Mass Role Deletion
    Click on the SAVE button.
    Save as local object (click the Local Object button).
    Go back by clicking F3 (Back arrow button on the menu).
    A pop-up box with a save option appears; save.
    Click on YES.
    You are ready with the recording of T-code PFCG.
    To create a variable, click on Edit (pencil icon).
    In the next screen you will be prompted with
    C Funct.      Object               Text
    TCD           PFCG                 Role Maintenance
    Double click on the TCD column.
    In the next screen you will have the following information:
    Test case       Z_MASS_ROLE_DELETION           PFCG Role Maintenance
    Transaction     PFCG                           Role Maintenance
    Permitted msg.
    Processing Mode
    In the above screen click on the FIELD LIST button which is on the top left of the menu bar.
    In the next screen you will find the list of values; check for the variable part (i.e. the role name which we mentioned at the time of recording (TEST123 ROLE)):
    Role                     AGR_NAME_NEU                  030 TEST123
    Replace TEST123 with & (this is done so the variable can be replaced in future with new values).
    Go back (F3) twice to the initial screen and save.
    In the initial SCAT screen go to the menu
    GOTO -> Variant -> Export
    Export will create a text file (Z_MASS_ROLE_DELETION.TXT); save it on your desktop for easy editing.
    Open the above text file (Z_MASS_ROLE_DELETION.TXT) with EXCEL.
    You will find the values below:
    [Variant ID]     [Variant Text]     &AGR_NAME_NEU
    -->     Parameter texts     Parameter contents
    -->     Default Values     TEST123
    Changes to the default values displayed above not effective
    Place the list of roles which you have decided to delete under the column TEST123.
    Just save the file; for any message just click on the Yes button.
    Come back to the SCAT initial screen and click on Execute (F8), the clock icon on the right corner of the menu tab.
    In the next screen you will have the option to choose:
    Log Type: Long     Processing Mode: Errors     Variants: External From file (Choose)
    Choose the file (Z_MASS_ROLE_DELETION.TXT) which was edited with the new values.
    Then execute; all the roles which are in the file will be deleted.
    I hope this helps.
    Try this with test roles first, then on the actual roles.
    If you have any problems let me know.
    Cheers
    Soma

  • Exchange server 2010 Hub-Cas server role remove from organization

    Dear all,
    I am going to remove one of my Hub/CAS servers (both roles installed on the same server) from my organization.
    The CAS server is configured in a CAS array. Could anyone please guide me to remove it safely?
    Parthiban selvaraj

    Hi,
    From your description, I would like to clarify the following thing:
    If you use NLB, you need to remove the CAS server from your NLB cluster and then remove this CAS&Hub server. If you use other sort of load balancer, you need to use it to remove the server from the CAS array and then remove the server.
    Hope it helps.
    Best regards,
    Amy Wang
    TechNet Community Support

  • OIM 11g-How to restrict the role administrator from seeing "other" roles

    Dear All,
    How do I restrict an administrator from seeing roles he is not supposed to administer?
    My administrator is supposed to assign only Role A. When he logs in he can see every single role. How do I correct it so that he can see only Role A?
    Thank you for your time
    Maria

    Modify "All User Role Management Policy"

  • OIM 11G-prepop adapters not able to read from User form

    When I try to auto-provision an LDAP account for users after creation of the OIM record using GTC, the LDAP provisioning doesn't happen. Basically the prepop adapters are not able to read from the Xel user form. I have been stuck with this issue for a while now.
    I tried remapping etc.; nothing helped.
    None of the process form fields are getting prepopulated; when I hard-coded values in the prepop adapters for all the required fields in the process form, provisioning completes successfully.
    Please help me with this.
    Thanks.
    ~VSN
    I get the error below:
    <BEA-000000> <Class/Method: tcAdapterExecuter/executeRuleGenerators encounter some problems: java.lang.Exception: Error retrieving user info: User Login
    java.lang.Exception: java.lang.Exception: Error retrieving user info: User Login
    at java.lang.Throwable.<init>(Throwable.java:67)
    at com.thortech.xl.dataobj.rulegenerators.tcAdapterExecuter.executeRuleGenerators(tcAdapterExecuter.java:205)
    at com.thortech.xl.dataobj.util.tcPrePopulateUtility.setDataFromAdapter(tcPrePopulateUtility.java:1020)
    at com.thortech.xl.dataobj.util.tcPrePopulateUtility.prePopulate(tcPrePopulateUtility.java:346)
    at com.thortech.xl.dataobj.util.tcOrderPackages.computeProcessFormData(tcOrderPackages.java:901)
    at com.thortech.xl.dataobj.util.tcOrderPackages.createOrder(tcOrderPackages.java:423)
    at com.thortech.xl.dataobj.util.tcOrderPackages.orderPackageForUser(tcOrderPackages.java:177)
    at com.thortech.xl.dataobj.tcOIU.provision(tcOIU.java:563)
    at com.thortech.xl.dataobj.tcOIU.eventPostInsert(tcOIU.java:303)
    at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
    at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
    at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2905)
    at com.thortech.xl.dataobj.tcUserProvisionObject.insertImplementation(tcUserProvisionObject.java:283)
    at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:591)
    at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
    at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:104)
    at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:35)
    at sun.reflect.GeneratedMethodAccessor1831.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at oracle.iam.platform.kernel.impl.EventHandlerDynamicProxy.invoke(EventHandlerDynamicProxy.java:30)
    at $Proxy284.execute(Unknown Source)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runActionEvents(OrchProcessData.java:1035)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:644)
    at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeChildProcess(OrchestrationEngineImpl.java:751)
    at oracle.iam.platform.kernel.impl.OrchProcessData.handleAdditionalChanges(OrchProcessData.java:537)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:802)
    at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:686)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.notifyParentProcess(OrchestrationEngineImpl.java:828)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:771)
    at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeChildProcess(OrchestrationEngineImpl.java:751)
    at oracle.iam.platform.kernel.impl.OrchProcessData.handleAdditionalChanges(OrchProcessData.java:537)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:802)
    at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:674)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
    at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
    at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
    at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
    at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
    at sun.reflect.GeneratedMethodAccessor2150.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:148)
    at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy382.onMessage(Unknown Source)
    at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:466)
    at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:371)
    at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:327)
    at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
    at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
    at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
    at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
    at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
    at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

    Kevin,
    For manual provisioning it works fine.
    It fails when I create a user in OIM using the flat file GTC. I have an access policy to auto-provision that user with LDAP.
    As mentioned before, I notice none of the prepops on the LDAP process form are able to read values from the Xel user form.
    Steps I have tried already:
    1. Checking the access policy
    2. Remapping the process form adapters
    Please let me know your thoughts.
    ~VSN

  • Traffic-shape removed from intrface automatically

    Hi all,
    I came across an issue on one of my Cisco 1841 routers.
    We have configured more than 10 traffic shapes on both FastEthernet0/0 and FastEthernet0/1. When I tried to remove one traffic-shape line it removed all the other traffic shapes. Has anyone faced this same issue?
    no traffic-shape group 140 512000 12800 12800 1000
    c1841-advipservicesk9-mz.124-12.bin

    Any help !!!!

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. I was wondering if this is a set time and, if so, whether it can be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know about this I would appreciate it.
    Thanks
    Nick

    Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account, and then after 30 days of the account being disabled the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • Email removed from inbox

    I am having an issue with one of my email accounts where emails are being removed from the inbox automatically. They go to the inbox and then they just disappear. If I forward the email to another user the mail is not deleted...
    Any ideas?

    From the Mail menu bar, select
    Mail ▹ Preferences ▹ Accounts ▹ Advanced
    and from the popup menu labeled Keep copies of messages for offline viewing, select
    All messages and their attachments
    If there's no improvement, you may have to switch from IMAP to POP access.

  • GRC 10.0 Mass Role removal

    Hello all,
    We are using GRC AC 10.0 (SP14). Today I found out that the access removal for multiple users is not working. The role removal for one user is working fine. But for multiple users who all have the same role it is not possible to select this existing role. Is this standard in GRC AC or did I miss some config parameters?
    The "ADD" button (yellow) is not working, and there is no "Existing assignments" button. Please let me know whether these settings are standard or not.
    Many thanks,
    regards
    Sabrina

    Sabrina,
    Multi user requests have been quite problematic. I encourage you to search for corrections; we had to implement numerous corrections for multi-user requests. Right now, though, multi user requests for role removal using the "Existing Assignment" function are working for us (SP12 with a lot of corrections from  SP13 and SP14).
    I should mention that our Provisioning Log in the closure notification only lists the first user, but all three accounts in my test request just now had the role removed as requested. We have treated that as a training issue with our request submitters for the time being. We implemented Note 1727135 to correct that issue and it made matters worse, so we had to revert.
    Good luck!
    Gretchen

  • SCCM 2012 SP1 - SUP role removal or reinstall issue resolution

    Hello all,
    I just want to share a fix regarding SUP removal (re-install) issue.
    I think I found a bug  regarding SUP role removal/re-install.
    When I try to re-install a secondary SUP on a site system, after I remove the SUP via AdminUI – Administration – Site – Site Systems, it gets removed from the list but I get the following errors, which make the (re-)installation fail.
    Status messages (Severity | Type | Site code | Date/Time | System | Component | Message ID, followed by the description):

    Information | Milestone | PS1 | 4/12/2013 10:28:09 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1021
    Site Component Manager detected that this component should be deinstalled from this site system. Site Component Manager will attempt to deinstall the component every 60 minutes. Site Component Manager will abort the deinstallation if it fails to succeed after 1440 minutes.

    Information | Audit | PS1 | 4/12/2013 10:27:58 PM | sms02ss401.icbcagent.net | Microsoft.ConfigurationManagement.exe | 30038
    User "ICBC\ll1v3" deleted the role of the Windows NT Server "\\SMS02SS401.ICBCAGENT.NET" as a Software update point in the site control file at site PS1.

    Error | Milestone | PS1 | 4/12/2013 10:15:45 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1020
    Site Component Manager failed to reinstall this component on this site system. Solution: Review the previous status messages to determine the exact reason for the failure. Site Component Manager will automatically retry the reinstallation in 60 minutes. To force Site Component Manager to immediately retry the reinstallation, stop and restart Site Component Manager using the Configuration Manager Service Manager.

    Error | Detail | PS1 | 4/12/2013 10:15:45 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 580
    Could not delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER" on computer SMS02SS401.ICBCAGENT.NET. The operating system reported error 997: Overlapped I/O operation is in progress.

    Information | Milestone | PS1 | 4/12/2013 10:15:40 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1018
    Site Component Manager is reinstalling this component on this site system.

    Error | Detail | PS1 | 4/12/2013 9:14:39 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 580
    Could not delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER" on computer SMS02SS401.ICBCAGENT.NET. The operating system reported error 997: Overlapped I/O operation is in progress.
    In fact, the registry key is under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER
    When I trigger the uninstall via AdminUI, it fails to remove the key, so it thinks the component is already there when I try to re-install it.
    The fix was to manually remove the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER registry key and then retry.
    Thanks,
    Young-
    YPae

    Yes!!! This worked for me. I have SCCM set up with a number of untrusted forests with a firewall in between my SCCM servers and the untrusted forests. The firewall went down and half of my site servers in the untrusted forests were giving the "operating system reported error 997: Overlapped I/O operation is in progress" on a number of their components. Finally found this, deleted the reg keys under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads" and that allows SCCM to reinstall.

  • Approving a role removal

    Hi,
    I created a role and added an approver. I would like the same approver(s) to be required to approve not only when the role is granted but also when the role is removed from a user. What is the easiest way to implement this?
    Thanks in advance

    Hi,
    Thanks for your reply. I thought about that too, but the Remove button is pressed before the Save, so the admin removing the role can still cancel the action.
    Any other idea? My idea is to create a subprocess called "approve removal" where I select the approvers and then call the native "approval" process (here though I still need to figure out the parameter values); once this is done I will add the subprocess to the "create user" and "update user" workflows (cloning and renaming them).
    Thanks
    Sergio

  • Initiater for Role removal.

    Hi,
    I need some update/input w.r.t. the role removal initiator. While configuring the role removal, is it possible to use the role status in the initiator? If not, how do we identify that this request is only for role removal?
    Normally we put only one stage for role removal. In the config, nowhere do we have an automatic check that the request is only for role removal. So we have to trust that particular stage's owners. Is it possible to validate this with the CUP automation check?
    Thanks in advance.
    Regards,
    Vasantha Kumar.

    Hi Justin
    I'm assuming you are involved in, or a victim of, a security access review. I'm usually one of those security guys asking for role or transaction removal, and you are the main contact in the business coordinating the changes.
    The process of remediation will possibly consist of checking which transactions are causing a segregation of duties conflict, whether they are used or not, and removing one side of the conflict by removing an unused transaction.
    It shouldn't require the entire contents of a role to be removed; rather, swapping role A for role B without a transaction or two.
    Removing transactions that aren't used can have more subtle implications, which hopefully are found during UAT but are usually missed until used in anger. This is what support is for after go-live.
    Saying all that, and depending on your time and skills, you could ask for access to the security person's test user in dev or qas where they are working, run transaction SUIM on transactions for the user following the proposed changes, and compare that to the actual access of the real affected user in prod. If you can get access to the Informer tab in Virsa you can use the standard simulation reports to also check the resulting conflicts, which will help you talk to the business and advise on the actions available. There should be role owners involved in all this as they have to own the result: expect a request for these for CUP later on.
    If you can retain control and approval of the (controlled) changes being made to users, you will have a better understanding of what is happening, catch potential errors and mediate between security and the business. You have an important task!
    Ask for some basic training in standard SAP reports; the security team should be more than grateful for your input.
    Crikey that was hard typing on an iPhone!
    Cheers
    Edited by: David Berry on Jan 11, 2011 8:17 PM

  • Mass role removal

    Hi all,
    We have a new requirement to remove ALL roles from users in group TERMINATED.
    I have used SU10 in the past to remove a specific role X from a group of users.  But I cannot seem to simply remove all roles from every user in the group.  Is there a way to do this without using ECATT?
    There are about 2200 users in the group, as it was not previously maintained, and I would rather not do this manually if I can avoid it.
    Thanks

    Hi
    Run SUIM to give you a list of the user IDs in the TERMINATED user group.
    Record LSMW: you'll need to create a project/sub-project/object and then go to recordings, run tcode SU01, enter one user ID, go to the Roles tab, click the select-all-roles icon, and save.
    That will end your LSMW recording.
    Check the variables in the recording; all you need is the user ID. Make sure you remove the default tested user ID, or all you'll get will be a recording that does nothing but delete nothing from the same user.
    Create a .txt file with a list of user IDs from the user group (barring the one you just changed) and save it somewhere easy to find.
    Go back to your LSMW project and maintain each of the steps up to Specify Files; you'll need to browse for the saved .txt file and also change the delimiter section to tabular.
    Assign the files and work your way through the next steps until you generate a batch input session, run the batch input in foreground and step through the recording you are now running for real. Make damned sure it does only what you expected it to do!
    If the trial one works then maybe try a couple more until you feel confident before going for the big one.
    Oh, and don't forget to check that you aren't in the TERMINATED user group or you'll lose your access during the LSMW script. That bit is embarrassing, but renaming 670 users to Theresa is worse (I did that once because I forgot to remove the default entry in the recording).
