OIM 11g - Approval workflows for disabled user accounts
Hi,
We have a scenario wherein a user will be created in OIM with a future start date resulting in a Disabled Untill Start Date user status. Once the user is created, we should let anyone submit a New Hire form for the user and the submitted form needs to be approved by the Manager. Once the Manager approves the form, the target accounts should get created with disabled status. These accounts should get enabled on the start date.
As submission of New Hire Form is not a straightforward process, we came up with the following design.
A dummy resource object corresponding to the New Hire Form will be created and can be requested for a newly hired person by anyone who has OIM access. An approval workflow will be configured for the New Hire Form Resource object and provisioning of target accounts will be based on Manager's approval for this resource object.
However the challenge that we see with this design is, it wasn't possible to place a request for New Hire Form dummy resource object for a disabled user. But the requirement is to complete the New Hire Form submission process befor the user becomes active.
How can these workflows be invoked for a disbaled user? Is there any other way to implement this requirement?
Any kind of help/guidance is greatly appreciated.
Thanks and Regards
Deepa
911709 wrote:
If I create a dummy resource, called "Group Membership" for example, and use this to show the groups that are available in AD, how can I have the request be routed to different approvers? For example, group cn=HR Users,cn=Users,dc=company,dc=com needs to be routed to HR for approval. Group cn=IT,cn=Users,dc=company,dc=com needs to be routed to IT for approval. How can I change the approvers dynamically?
Re: Spawning multiple approval tasks in parallel in OIM11g SOA Composite
You can have dynamic task assignment in BPEL; where you defne a variable in the task assignment and update the variable with the approver group name before triggering the task assignment task. Check BPEL docs for same.
If every group needs a different approver, and there are 5000 groups, can I make 5000 resources and use the built-in routing of approvals? Or, use the dummy resource approach and handle the management of the approvals in some other way.Just make one resource with one field attached to it which takes in the group name and handle approval in SOA by reading a lookup which has AD group to Approval Group mapping.
>
Thank you.-Bikash
Edited by: Bikash Bagaria on Feb 18, 2012 1:00 AM
Similar Messages
-
OIM 11g Approval Workflow Notification questions
Hello.
I am working with an OIM 11g approval workflow. The workflow will flow from one group to another, and if one user in each group approves it, it is approved. Because I assigned it to groups, the notifications are going to every user in each group.
Is it possible to send a notification to only a single user within a group, instead of everyone? Does auto claim do this?
Is it possible to send a different notification if the ApprovalTask is rejected versus approved?
Thanks.If I understand correctly, you want to send the notification only to the user who has approved the request and not to all in the group. You can do it by NOT using the notification tab in the .task but by using EmailNotificationService after the .task in BPEL. There you can read the data from payload on who approved the request and can send the notification only to that user. Same way for rejects. You can configure that.
1. After your .task completion you can have a decision box which can check the value for 'outcome' and then direct it to appropriate path for appropriate notification.
or
2. Based on outcome you can set the template in a variable and then in the notificationservice use that variable.
-Bikash -
OIM 11g Approval Workflow Notification Configuration
Dear All,
Is there any documentation guide or tutorial or step by step guide about how to configure approval workflow notification in oim 11g?
In my case, a request must be approve by 3 (three) level of approver, "Requester Manager" --> "Application Business Owner" --> "Application Administrator". On each level, a notification need to be sent to the approver contains all information about the requester and the resource that requested.
How can i configure the notification since approval processes are in SOA composite and the development of the workflow is using JDeveloper?
Many Thanks for your help.Hi
Please go through the link, You can configure notification any time based on you requirement. You have to get emails to whom you want to sent, just set this mail in a variable. Use this variable as to ,..
http://docs.oracle.com/cd/E23943_01/dev.1111/e10224/bp_notif.htm#BABEDFCC
Thanks,
Kuldeep -
Workflow SharePoint 2010 -Approval workflow for multiple users
Want to create a 2010 SharePoint server workflow which will allow me to send email once item is added > Start approval process > if approved then mark workflow status as approved and then send email to reviewer 2 and again start the process of approving
> and approved then again mark status to approved and send email to reviewer 3 and mark status to approved if approved by reviewer 2 and end the workflow.Also, if the item is not approved by any user, then it should directly log a comment and go to end
of the workflow.
I had started as something like :
Send Email to rev1
Start approval process for current item with rev1
if approval status is approved
set workflow status to approved
send email to rev2 and so on...everything works but when rev1 rejects the item, then workflow does not go to end of the workflow. One difficult thing is we don't have go to a step option like in 2013 workflows.
I don't know how to move on as when I try to execute the logic, all three approval process(for 3 reviewers) run even if item is rejected .....Please helpCheck these links
https://slingeronline.wordpress.com/2013/02/27/setting-cancel-on-first-rejection-on-an-spd-workflow/
http://sharepointduffbert.com/2014/06/17/getting-an-spd-approval-workflow-to-cancel-on-rejection-or-change/
https://social.msdn.microsoft.com/Forums/office/en-US/c212e5d7-f7bf-4f17-be16-374e02652dbb/reject-stop-workflow-not-working?forum=sharepointcustomizationprevious
https://social.msdn.microsoft.com/Forums/sharepoint/en-US/a2d0a259-f8ca-48cf-b9ab-0c9387329502/sharepoint-designer-workflow-how-to-jump-back-to-previous-workflow-step?forum=sharepointcustomizationprevious
Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply. -
OIM 11g Approval Workflow - Error
Hi All,
I have created a approval workflow (Operational) in OIM11g. Have deployed it as a soa-composite and registered with OIM. Till here everything went fine.
I have created an apporval policy, to assign to requests of a specific type of resource .
When the resource is requested, the approval workflows is gettign triggered,but the request goes to failed state.
I am getting any exceptions in the logs / on the console.
Has anyone encountered this kind of issue.
Vickyvicky wrote:
Hi All,
I have created a approval workflow (Operational) in OIM11g. Have deployed it as a soa-composite and registered with OIM. Till here everything went fine.
I have created an apporval policy, to assign to requests of a specific type of resource .
When the resource is requested, the approval workflows is gettign triggered,but the request goes to failed state.
I am getting any exceptions in the logs / on the console.
Has anyone encountered this kind of issue.
VickyCheck your SOA server through the em and that should show you your request and the fault states and everything .. that should give you an idea on what is going wrong ... -
Is there any way to query the database to show approvals / status for OIM 11g approval workflows? The goal is a report in BI Publisher.
Thank youYou can query SOA table, WFTASK and WFTASKHISTORY
-
Create approval request for Delete User operati with oim api -11g Release2
Hi,
How I can create an approval request for a User Delete operation usin API? Can anyone quide me? Any help is strongly appreciated..
BR,
AliyeYou can use the exact same technique for any of the other requests submissions through APIs that have been posted on this message forum. Just supply the template name for your request template you plan to use.
Here is a page of sample code for requests. http://java.net/projects/openptk/sources/svn/show/branches/Oracle/OIM11g/examples/java/OIMClient/src/oim/client/request?rev=1402
-Kevin -
Create an Approval Workflow for User Creation in AD
Hi
Anyone, tell me how to create an approval workflow to create users into AD. For example, before provisioning user into AD resouce the request should go to the Manager of the user for approval.
P.S: I am using OIM 9.1
Thanks
SireeshaHi Sireesha
You want to create a new Process definition, selecting "Approval" as the process type.
Then associate it with the AD User Resource Object. Add a "Manager Approval" process task and use a Task Assignment Adapter to to assign the task to the manager of the request target.
In order for the Approval Process to fire, you need to ensure that you provision the AD User Resource Object via a Request, rather than directly.
HTH
Cheers
Rob -
Approval workflow for creation of organization
Hi,
I need to configure an approval workflow for the creation of organization. When the admin tries to create a new org, the approval should go to a admin group. The org should get created only once approval is done. I have configured an approval workflow for the Xellerate Organization resource object. I have created an unconditional task where the assignment tab has the admin group. When I test it, the org gets created without going through the approval process. Could someone please tell me what am I missing?
Thanks,
Supreetha
Edited by: Supreetha on Jan 22, 2011 8:38 AMYou'll have to raise request for Dummy Organization. It's Order for Organization so will not appear for user.
I am not sure the full flow/complete requirement of your.
APMU, you want approval while creating Organization into OIM.
This is not possible OOTb when you create ORg in OIM.
You'll create 1 dummy Org
1 Dummy RO "OFO".
Attach one Object Form with this RO.
Raise request for Dummy Org and Give the name of Org on the object form for which you want approval.
In the provisioning workflow, use OIM API to create Org into OIM.
Done !!! -
Disabling User Account Control - CUBAC
Installing Cisco Unified Business Attendant Console. Documentation says that on server 2003 / sever 2008 installations, disabling of the user account control is required. It gives a procedure to do this on Server 2008.
The install I'm working on is on Server 2003. I cannot find anything like this. Googling on the subject has led me to believe that this is likely a documentation bug, as I can find no reference to Server 2003 having this feature.
Has anyone else run into this? The documentation appears to have been written by someone who speaks english as a second language, and not thoroughly vetted for correctness.Hi Clifford,
This would just be for Windows server 2008
CSCtc77367 Bug Details
CUBAC 3.1.1.5 docs need to say "disable User Account Contol" in win2008w.
It appears UAC (user account Control) a new feature found in Windows Server 2008 will block license files from being properly applied in CUBAC 3.1.1.5.
The installation and requirement docs should reflect that UAC needs to be disabled before installing CUBAC on Windows Server 2008.
Observations:
Go to webadmin, licensing
When you look at that page, you will not see any licensing info; no eval.
It says, no licensing info.
When we turned off UAC, the licensing page showed the eval info for 5 days.
At which point we were able to add the license
Status
Fixed
Severity
2 - severe
Last Modified
In Last Year
Product
Cisco Unified Attendant Consoles
Technology
1st Found-In
3.1(1.5)
Fixed-In
Release-Pending
Cheers!
Rob -
Approval Workflow for Self Registration
Hi ,
I have a requirement where I have to develop an approval workflow for self registration.
My requirement is If the user type is Employee the user must not go through approval, but if the user type is contractor they must go to some admin user for approval.
How can I achieve this.
RegardsHi,
You can refer this link "Create a Custom Approval Process for Self Registration" it might clear your doubts. Also you can create rule as said in below post. For that you can refer "http://codigoctm.files.wordpress.com/2012/11/lab-06-access-policy.pdf".
Regards,
Sunil -
Disable Inbox Rules for Disable Users
I have found that when our helpdesk disables an AD user account (terminated employee) that has an Outlook inbox rule to forward the email to an email address outside the organization, emails sent to the former employee are still forwarded to that outside
email address. I would like to run a script each day that queries AD for all disabled accounts, removes any forwarding SMTP adresses, then removes all mailbox inbox rules. I have been trying to use get-aduser against a DC and export the list of
disabled users, this works fine. I then take that csv, import it and use -foreach-object to set the forwarding smtp address to null. I would then like to use the same csv file to run the -removeinbox rule command against the list. I am having
a hard time time combining the commands I need into a PS script that works against both AD and Exchange.
Anyone have some powershell kung fu to assist me? Thank you!
~EricHi Eric,
According to your description, I understand that you want a script to get a list of disabled AD user, then removes any forwarding SMTP addresses, then removes all mailbox inbox rules.
We can run following command to get a list of disabled AD user in PowerShell:
Get-ADUser -Filter 'Enabled -eq "false"' | select name,userprincipalname
More details about “How Can I Get a List of All the Disabled User Accounts in Active Directory? “, for your reference:
http://blogs.technet.com/b/heyscriptingguy/archive/2005/05/12/how-can-i-get-a-list-of-all-the-disabled-user-accounts-in-active-directory.aspx
Also, run below command to disable forwarding SMTP address and inbox rule:
Get-Mailbox -Identity xxxx | Set-Mailbox -DeliverToMailboxAndForward $false
Get-InboxRule –Mailbox xxxx | remove-InboxRule
However, we recommend use this disable AD user to disable mailbox.
By the way, this question will related to the script of Exchange server, please contact relevant team so that you can get more professional suggestions. For your convenience:
http://technet.microsoft.com/en-us/scriptcenter/dd742246.aspx
Best Regards,
Allen Wang -
Approval workflow for external requirement
Hi,
My company already implements Project System and Plant Maintenance, in which we generate PR from those modules, and the PR will be subject to release strategy.
At the moment we want to implement SRM 7.0 and we're planning to use Plan Driven Procurement scenario for the requirement generated automatically from PS or PM. As we can have a release strategy for PR generated from module PM and PS, can we have approval workflow for external requirement in SRM?
JoshYes you can but not by standard (Since itu2019s not out of box functionality), on the other hand itu2019s real simple to do an RFC call to your external system and get the agentu2019s information...
All SRM need is only agent ID (User ID) to which the work item need to be assigned...
We too have same scenario i.e. business want to use R/3 release group determination which they have already... we implemented it and working real good...
Let me know if you have any questions...
Thanks!!
Bharath -
Hi,
According to the FIM licensing guide:
"For each user for whom the Forefront Identity Manager software issues or manages identity information, a CAL is required."
So is a CAL required for a user who has left the organisation, but for legal reasons, the account will remain in FIM/AD/etc for 5 years (as a disabled account).
Thanks,
SKOn Mon, 26 Jan 2015 11:03:34 +0000, Mann.Cool wrote:
I had the same confusion.
Am I correct in assuming that no CAL is required for disabled users?
No, that's not the deal here. The reason that no CAL is required in Shim's
case is that the disabled accounts are for users who are no longer employed
by the company in question.
If a disabled user account was associated with someone who is still
employed by the company then a CAL would be required.
The no CAL requirement is not tied to the fact that we're dealing with
disabled accounts, it is tied to the fact that the person with whom the
account is associated is no longer with the company. If the person to whom
the account is associated is no longer an employee, the account could be
active and no CAL would be required.
Paul Adare - FIM CM MVP
Programming is like sex: One mistake and you're providing support for
a lifetime. -- ? -
Disable user accounts on Unix, Linux resorces
Hi Everyone
I try to understand disable user account action on Unix, Linux systems
In Resource reference doc. I see the next:
Linux does not natively support Waveset enable and disable actions.
Waveset simulates enabling and disabling accounts by changing the
user password. The changed password is exposed on enable actions,
but it is not exposed on disable actions.
As a result, enable and disable actions are processed as update actions.
Any before or after actions that have been configured to operate on
updates will execute.
So what kind of commands waveset using for this action:
passwd -l <Username>
or just change password?
ThanksHi,
The out of the box adapter changes the user's Linux password on disable action.
To Implement locking of account by running "passwd -l username", you need to write a resource action and call it explicitly. Hope it helps
Regards
Arjun
Maybe you are looking for
-
I just need to know my best options to control the amount I pay in overages since I messed up. Been with Verizon for at least 15 years and I haven't really had this come up before. Not sure how I messed up this bad this time
-
How do I subtract two fields in a form?
I am working on an expense form and I have everything working except one thing. We have to subtract any over payments from previous expense reports on the current expense report. I am looking at the calculate tab of the Text Field Properties. But I
-
Deleted app store from computer. how do i get it back.
For some idiodic reason, I decided to delete the App Store from my mac. However, it didn't fully delete and is now corrupted. I cannot download Lion unless I have the App Store back. I tried to download the update combo, but I am running 10.6.8 and n
-
Hi All, we have done the application as send a mail in multiple languages. i am using IE 6.0. in default the browser encoding type is western European(ISO) [view->Encoding->Western European(ISO)]. Now i send a mail in portuguese language. in subject
-
I switched my music to a new computer and all the music doubled how can I get rid of 4500 duplicates
I switched my music to a new computer and all the music doubled how can I get rid of 4500 duplicates songs? Will Music Match get rid of the extras for me?