OIM 11g - Limiting support users to assign roles to correct users

We have OIM 11.1.1.5.0 and support a couple of third party organizations with delegated administration.
Admins in OrgA have an admin role AdminRoleA which allows them to assign UserRoleA to their users. Similarly, admins in OrgB are given AdminRoleB that gives them the ability to assign UserRoleB to their users.
We have support groups that can help these organizations. I have defined the Support role to inherit from AdminRoleA and AdminRoleB. The problem that I'm finding is that the support user can assign UserRoleB to a user in the other organization OrgA.
I could probably solve this by writing custom code in a validation handler but I just wondered if I was missing something and should have configured these roles and auth policies differently.
Thanks.

Thanks, I was afraid of having to mess with the backend like that. What if I removed the "all users" role from people I didn't want to have that access? How would that affect the user?
EDIT: It appears as though you cannot revoke that role. I guess I had never tried to do it before.
Edited by: 970312 on Jan 28, 2013 7:52 PM
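The scope problem in this thread can be shown in a few lines. The following Python is an added illustration, not OIM code and not from the original post: it does not use any OIM API, and the Grant type, the check functions and the sample users (alice, bob) are constructed here, while the role and organization names come from the thread. It models a delegated-admin permission as an (organization, role) pair, lets the Support role inherit AdminRoleA and AdminRoleB, and contrasts a check that evaluates organization scope and role scope independently (which admits UserRoleB on an OrgA user, the behaviour described above) with one that requires both to come from the same grant, which is what a custom validation handler would have to enforce.

```python
"""Delegated-administration scope check for role assignment.

Added, generic model of the authorization question in the thread above.
It is not OIM code and uses no OIM API. AdminRoleA/B, OrgA/B and
UserRoleA/B are the names from the thread; the Grant type, the check
functions and the sample users are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """One delegated-admin permission: may assign `role` to users of `org`."""
    org: str
    role: str


# Constructed sample data modelled on the thread's setup.
ADMIN_ROLE_GRANTS: Dict[str, Set[Grant]] = {
    "AdminRoleA": {Grant("OrgA", "UserRoleA")},
    "AdminRoleB": {Grant("OrgB", "UserRoleB")},
}
# The Support role inherits both delegated-admin roles.
ROLE_INHERITANCE: Dict[str, Set[str]] = {
    "Support": {"AdminRoleA", "AdminRoleB"},
}
# Constructed users: one per organization.
USER_ORG: Dict[str, str] = {
    "alice": "OrgA",
    "bob": "OrgB",
}


def effective_grants(admin_role: str) -> FrozenSet[Grant]:
    """Union of grants reachable from `admin_role` through the inheritance graph."""
    seen: Set[str] = set()
    stack = [admin_role]
    out: Set[Grant] = set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        out |= ADMIN_ROLE_GRANTS.get(r, set())
        stack.extend(ROLE_INHERITANCE.get(r, set()))
    return frozenset(out)


def can_assign_naive(admin_role: str, target_user: str, role: str) -> bool:
    """Flawed check: organization scope and role scope are tested independently.

    After inheriting both admin roles, Support "may manage OrgA" and "may
    assign UserRoleB", so UserRoleB on an OrgA user passes. This reproduces
    the cross-organization assignment the thread describes.
    """
    grants = effective_grants(admin_role)
    orgs = {g.org for g in grants}
    roles = {g.role for g in grants}
    return USER_ORG[target_user] in orgs and role in roles


def can_assign_scoped(admin_role: str, target_user: str, role: str) -> bool:
    """Correct check: the target's organization and the role must come from the same grant."""
    return Grant(USER_ORG[target_user], role) in effective_grants(admin_role)


def cross_org_assignments(admin_role: str) -> Set[Tuple[str, str]]:
    """Every (user, role) pair the naive check admits but the scoped check rejects."""
    all_roles = {g.role for g in effective_grants(admin_role)}
    return {
        (u, r)
        for u in USER_ORG
        for r in all_roles
        if can_assign_naive(admin_role, u, r)
        and not can_assign_scoped(admin_role, u, r)
    }


if __name__ == "__main__":
    # Lists the assignments that inheritance alone lets Support make across organizations.
    print(sorted(cross_org_assignments("Support")))
```

The point of the model is that inheriting two admin roles merges their permission sets, so any check that answers "can this admin touch this organization?" and "can this admin grant this role?" as two separate questions loses the pairing. A handler that rejects the request unless the (organization, role) pair itself is granted keeps Support able to do everything AdminRoleA and AdminRoleB can do, without the cross-organization combinations.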

Similar Messages

  • OIM 11g R2: data access restriction using roles instead of organisations

    Can I implement data access restriction using roles instead of organisations in OIM 11g R2?

    In my use case a particular user can be a member of more than one organisation. As far as I know OIM does not support this use case using organisations, so I decided to use roles to represent my "organizations", but now I lose all the data access restrictions (scope).

  • Table to find the assigned Roles with my User ID

    Hello Experts,
    1. Is there any specific table to find out the roles assigned to my user ID?
    If there is no table, let me know whether there is any transaction to find out the roles assigned to my user ID.
    2. When I assigned the Marketing Pro role to my user ID in the Organization Unit, I am not able to see it in the WebUI screen.
    When I click on the WebUI transaction, it displays a selection screen, but it does not display the role I have assigned.
    Could you help me sort out these two queries?
    Thanks and Regards
    Madhu

    Hi Madhu,
    1. Is there any specific table to find out the roles assigned to my user ID?
    If there is no table, let me know whether there is any transaction to find out the roles assigned to my user ID.
    Sol'n: There are many class methods for finding what you need, and FMs also.
    Go to SE84, where you will find a search for class methods. Type getuserRole or userRole* and press F8. Pick the one which you feel may give you the result,
    i.e. you have to execute the class; if it shows an instance on the toolbar, click on that, then execute the method which you feel is relevant, and give the input parameters.
    Sol'n for point 1 is: CL_CRM_UI_ROLE_ASSIGN->GET_BUSINESSROLES_FOR_USER.
    2. When I assigned the Marketing Pro role to my user ID in the Organization Unit, I am not able to see it in the WebUI screen.
    Sol'n: Go and check in T-code BP. Display your BP and check for Employee Maintained, Identification tab. Did you maintain your user ID there or not?
    When I click on the WebUI transaction, it displays a selection screen, but it does not display the role I have assigned.
    Sol'n: Need clarification on this point.
    Regards,
    Lokesh
    Edited by: Lokesh on Mar 8, 2010 7:37 AM

  • Assigning Roles for a user programmatically in E-Business Suite

    Hi All,
    How can I assign roles to a user programmatically (maybe using PL/SQL) in E-Business Suite?
    Thanks,
    Iceman513

    Please see these docs.
    How to Assign and Revoke Role/Responsibility to a User using a Standard API? [ID 373369.1]
    Api To Assign Responsibility To A Role In Bulk. [ID 458072.1]
    How Does One Using API add Users to a Role? [ID 794538.1]
    Thanks,
    Hussein

  • Assigning roles to LDAP users through BIP API

    Hi.
    My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
    One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
    I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
    We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
    Is it possible to make those assignments through the BIP API?
    If not, any other ideas? New ideas or different approaches are welcome.
    Thanks in advance.

    In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
    During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
    I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
    There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
    Let me know if that helps.

  • Creation of auto approval process for assigning role for a user in oim11g

    Currently I'm doing a scenario where a user must be automatically assigned to a role by using an approval policy. The user is already there in OIM, and we use a CSV file with 2 columns, user login and role name, so that by running this scheduled task the user is automatically approved for that role. But I have to use the default auto-approve policy in OIM without creating any BPEL process for it, so can anyone suggest how to proceed with this scenario?
    Thanks in Advance for quick response.

    If I understand correctly, you have users and their respective roles in a CSV file. The users are present in OIM. You want to assign the roles in the CSV file to the respective users?
    If this is the scenario, you need to write custom code for a scheduled task which will read data from your CSV file, create the roles and assign them to the respective users.
    To create a custom scheduled task in OIM 11g, you may refer to:
    http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/scheduler.htm
    regards,
    GP

  • SAP Employee Reconciliation Connector Release 9.1.2.2 -- OIM 11g R2 support

    Hi All
    We want to reconcile SAP HRMS users to OIM 11g R2. Does SAP Employee Reconciliation Connector Release 9.1.2.2 support OIM 11g R2?
    In the Connector Documentation, Certified Components, it shows support for
    Oracle Identity Manager 11g release 1 (11.1.1)
    Thanks
    Darshan

    I had some problems with 9.1.2.2, which is actually a bug. It is better if you use OIM SAP Employee Reconciliation Connector Version 9.1.2.5 Patch 12710600, which is the latest patch of the SAP Employee Reconciliation Connector.
    Thanks
    Tamim Khan

  • Assigning roles to 10000 users

    Hi Gurus,
    I need your solution regarding role assignment to 10000 users. My client has 10000 users.
    My perception for this is
    [Role]
    Roleid = Path;
    user = user1;user2;user3;...............user10000;
    Writing the above in a text document and importing it, then exporting it in user administration.....
    Is there any approach to assign a role to 10000 users in one go?
    Please share the solution for this issue.
    Regards,
    Prashanth

    You can use the Import functionality of User Administration.
    Use Groups as the principal.
    Example
    [group]
    gid=Z_GRP_HR_ESS
    gdesc=HR Group for Employee Self-Service
    user=DHANZ1;DHANZ2;.......
    The import utility times out for a huge user base, so split the 10000 into 2 batches, e.g. the first load with 7000 users and the second with 3000 users.
    Do the second run in overwrite mode.
    Once the loads are complete you can manually assign the corresponding Roles to the Group. It is best practice to assign
    Users -> Group -> Role.
    Also you get a detailed log after import with errors -> you can fix those in your import file and run the utility again.
    Good luck ~ Dhanz
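To turn a large user list into the batched import files the answer recommends, the following Python is an added example, not from the original post or from SAP. It emits only the [group] text stanza quoted above (gid=, gdesc=, user=...;), splits the users into batches of a chosen size, and drops duplicate IDs so a user listed twice is not assigned twice. The batch size, the file-name prefix and the sample user IDs are constructed for the example; the real timeout threshold of the import utility depends on the environment.

```python
"""Generate batched UME group-import files from a user list.

Added example, not from the original post or from SAP. It only emits the
[group] stanza format quoted in the answer above. Batch size, file prefix
and the sample user IDs are constructed here.
"""
from typing import Iterable, List


def group_import_stanzas(gid: str, gdesc: str, users: Iterable[str],
                         batch_size: int) -> List[str]:
    """Return one import-file body per batch of at most `batch_size` users.

    Blank entries are skipped and duplicates are dropped (first occurrence
    kept), so a user ID that appears twice in the source list does not
    produce a second assignment attempt in a later batch.
    """
    if batch_size <= 0:
        raise ValueError("batch_size must be positive")
    unique: List[str] = []
    seen = set()
    for u in users:
        u = u.strip()
        if u and u not in seen:
            seen.add(u)
            unique.append(u)
    bodies: List[str] = []
    for start in range(0, len(unique), batch_size):
        chunk = unique[start:start + batch_size]
        bodies.append(
            "[group]\n"
            f"gid={gid}\n"
            f"gdesc={gdesc}\n"
            "user=" + ";".join(chunk) + ";\n"
        )
    return bodies


def write_batches(prefix: str, bodies: List[str]) -> List[str]:
    """Write each body to <prefix>_<n>.txt and return the file names written."""
    names: List[str] = []
    for n, body in enumerate(bodies, start=1):
        name = f"{prefix}_{n}.txt"
        with open(name, "w", encoding="utf-8") as fh:
            fh.write(body)
        names.append(name)
    return names


if __name__ == "__main__":
    # Constructed sample: 10 user IDs, split into a batch of 7 and a batch of 3,
    # mirroring the 7000/3000 split suggested in the answer.
    sample = [f"USER{i:05d}" for i in range(1, 11)]
    for body in group_import_stanzas("Z_GRP_HR_ESS",
                                     "HR Group for Employee Self-Service",
                                     sample, batch_size=7):
        print(body)
```

Each body is one complete import file; load the first normally and the later ones in overwrite mode as the answer describes, and compare the import log against the batch you loaded before moving to the next.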

  • Assigning roles to different users in GP

    Hello,
    We have developed a small application using CAF. The UI part is done using a Webdynpro module which is a part of the CAF project. Now we have to apply Guided Procedures to this application.
    I have followed the steps in this link to create a process (My First Process), and got a result.
    http://help.sap.com/saphelp_nw04s/helpdata/en/4a/d78041a17e060de10000000a1550b0/content.htm
    Now I have to do the same for our application. For e.g., in "My First Process", the role of Applicant is assigned to one user, and the role of HR Manager is assigned to another user.
    In our application, many people have done modules. I want to create different roles (like Applicant, HR Manager in My Process) and assign each role to the user who has developed that module.
    Actually we are not using NWDI. But we integrated all modules into one application manually. Is it possible to achieve the above mentioned goals?
    Please, anyone, give me a suggestion or link.
    With Thanks,
    Vivek

    Hi Ashutosh,
    Thanks for the response and for providing the link.
    I have followed the documents provided by you.
    Now I have to do the same for our application as in "My First Process": the role of Applicant is assigned to one user, and the role of HR Manager is assigned to another user.
    Do I need to follow the steps:
    Step 1: In GP design time, choose Create Callable Object Type - Process Control, and select Visual Approval.
    Step 2: For the purposes of the process that you create, define the same input parameters as the output parameters that you have defined for the data input form.
    In our application, already created views (Webdynpro views) are there. Do we still need to create a data input form and define input and output parameters?
    In our application, many people have done modules. I want to create different roles (like Applicant, HR Manager in My Process) and assign each role to the user who has developed that module.
    Please, anyone, give me a suggestion or link.
    With Thanks,
    Vivek

  • OIM 11g R2 - AD provisioning based on Role and Access Policy

    Hi, for Active Directory integration I used a prepopulation plugin for populating the resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
    It works fine: the requested account was fully provisioned.
    Can I use this plugin for role-based provisioning?
    I tried to create an access policy and an associated role, but when I attached the role to the user and ran the Evaluate User Policies job, the account couldn't be provisioned.
    In diagnostic.log I found:
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
    [oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

    Hi, all
    I tried filling in the Access Policy process form. The account request was created and provisioned when the fields AD Server and Organization Name were filled in, but the pre-population plugin didn't fire.
    The question is: how can I use a pre-population plugin for populating the request dataset used with a request generated by an access policy?
    Is it possible to use plugins for requests generated based on an access policy?
    a.

  • One CUP request for assigning role to multiple users

    Hi,
    We assign roles to users in production only through CUP requests. We use GRC 5.3.
    Here we have a case where we need to assign one role to 60 users in production (each user may have different roles assigned in the back end). I can raise one CUP request for all users using the "multi-user" option in Copy Request. But when we want to run a risk analysis, it will not show risks at the user level, since each user has different roles and may get different risks by adding the new role.
    Instead it will give risks, if any, only for the new role we want to assign. Our manager is not accepting this, as it does not give the complete picture of risks for each user when we add the new role.
    Please suggest if there is any other way I can run a risk analysis for each user when I create a CUP request for multiple users.
    Or is the only solution to create 60 CUP requests? This would be too manual.
    Regards ,
    jaags

    Raghu,
    Thanks for the reply; you are right as per the audit. But suppose it is for 200 users: creating 200 CUP requests would be impractical, right?
    There should be some solution for this, because there will be many situations in practice where we have to assign roles to N users.
    Is this possible in GRC 10? Any idea?
    Regards,
    Jaags

  • Assign roles automatically when user gets created

    Hello,
    I want to know if there is a way to assign basic roles to all the users in the system when they get created in the back end as well in the portal.
    Thanks in advance.

    Hi Rahul,
    There is no such way to automatically assign a basic role to all users. You can go for the tool suggested by Alex.
    You can also check one solution, which we have used in the past and which was proposed by the business, if it works for you: if the basic role is like an end-user role and is needed for all portal users, then you can create a template user (type dialog). Then you can create the new users by copying the template user.

  • Create user and assign role in CUA context

    Hi,
    I'm in a CUA context; in ABAP, when I use the FM BAPI_USER_CREATE1 the new user is created correctly in all systems. Now I want to assign new roles to this user. Which FM can I use, and in particular, can I assign a role to a user in a client system?
    Thanks for help.
    Regards

    Hi,
    Please check this BAPI.
    BAPI_JOBROLE_CLONE
    BAPI_USER_ACTGROUPS_ASSIGN
    Regards,
    Ferry Lianto

  • OIM 11g: Issue while evaluating rule for Role Membership

    Hello All,
    I have configured a few General Rules using 2 of our User Defined Fields; these general rules are used to determine role membership.
    What we observed is that once the "Identity Status" attribute is set to "Disabled" for the OIM User Profile, OIM stops evaluating these configured General Rules for Role Membership.
    Env Details:
    Product Version: Oracle Identity Manager 11.1.1.5.0
    App Server: WebLogic Server Version: 10.3.5.0
    OS: Red Hat Enterprise Linux Server release 5.5
    Database: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64 bit
    Please let me know if any of you have encountered this issue and if there is any workaround available for it.
    Thanks,
    Shyam

    Re: OIM11g: Resource not revoked if the Identity Status is DISABLED
    XL.EvaluateMembershipForInactiveUser
    Workaround:
    You can make use of an Event Handler and assign that group with the APIs.

  • Error while assigning roles to java users

    Hi Experts,
    I am trying to create a user on a Java system (database, not LDAP) and assign a role. I am able to create the user successfully, but it fails with the following error:
    Pass: SetJavaRole&GroupForUser.
    Error putNextEntry failed storingtestidm123
    Exception from Add operation:com.sap.idm.ic.ToPassException: No such objectclass defined
    Exception from Modify operation:com.sap.idm.ic.ToPassException: SPML exception: No valid id to modify defined
    ACCOUNTD1U testidm123
    MXREF_MX_PRIVILEGE 316
    MX_ENTRYTYPE MX_PERSON
    DISPLAYNAME test user
    MX_LASTNAME idm
    MX_FIRSTNAME test
    ACCOUNTD1E testidm123%
    TEMPACCOUNTD1E testidm123
    MSKEY 6179
    MSKEYVALUE testidm123
    The pass reads as follows;
    SPMLID : %MSKEYVALUE%
    assignedrole : PRIV:ROLE:SID:idm.authenticated
    Regards,
    Shailesh
    Edited by: Shailesh Deshpande on May 3, 2011 6:43 PM

    Hi Shailesh,
    Can you please take a look at note 1476301. I hope it helps.
    Thanks,
    Anderson
