OIM 11g R2 - AD provisioning based on Role and Access Policy

Hi, for Active Directory integration I used a prepopulation plugin for populating the resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
It works fine - the requested account was fully provisioned.
Can I use these plugins for role-based provisioning?
I tried to create an access policy and an associated role, but when I attached the role to the user and ran the Evaluate User Policies job, the account couldn't be provisioned.
In diagnostic.log I found:
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
[oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

Hi all,
I tried to fill in the Access Policy process form. The account request was created and provisioned when the AD Server and Organization Name fields were filled in, but the pre-population plugin didn't fire.
The question is: how can I use a pre-population plugin for populating the request dataset used with a request generated by an access policy?
Is it possible to use plugins for requests generated based on an access policy?
a.

Similar Messages

  • Defining roles and access for OWB Designer

    Hi,
    Can I define roles and access rights to different on 1 OWB Designer repository?
    I want to send my mappings for code review but I don't want them to log into the OWB Designer with write access.
    How can I achieve this in the same OWB Designer repository as the one I am using?
    I am using OWB 10.1.
    I found some tables - WMP_USER_ROLES, WMP_GROUP_ROLES, WMP_GROUP_REPOSITORIES -
    when I logged into the designer schema through sqlplus.
    Thanks
    Sagar

    Hi Sagar,
    Yes, you can do that. Basically you can create a db user, and then register the user with a repository. By default that user has all privileges, however it now is audited per user as to what he/she did. For how to do this, look at the doc (find SecurityHelper).
    To enable you to protect metadata there are a couple of strategies (implemented via a simple PL/SQL API). For an example (this one works with policies on the module level) take a look here (http://www.oracle.com/technology/sample_code/products/warehouse/files/Dev_Status_Policy.SQL)
    This would work as follows:
    - Create user REVIEW
    - Register user REVIEW to repos QA
    - For a module you want review for, set the status to QA
    Now the REVIEW user logs in and he can look at QA but cannot touch.
    Hope this helps,
    Jean-Pierre
    In your situation

  • Query user roles and access

    hi,
    How can I query user roles and access in the whole database? I want to list username, status, rights, and role.
    thanks
    P

    Hi,
    The data dictionary view dba_users has one row per user.
    The data dictionary view dba_role_privs has one row for every distinct combination of user and role that actually occurs in your database.
    Are you interested in system privileges? See dba_sys_privs.
    Are you interested in individual grants, like the privilege to UPDATE a given table, or the privilege to execute a given stored procedure? See dba_tab_privs. (Don't be fooled by the name; it's not just for tables.)
    I hope this answers your question.
    If not, post some CREATE statements that create tables, roles, and whatever else you want, and some GRANT statements that grant privileges on those objects. Post the results that you would want to get from those objects and grants.
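
    The four views named in the reply above can be combined into one access listing. This is an added example, not part of the original reply; the column aliases (grant_type, granted, on_object, admin_or_grantable, depth) are names chosen here, and it assumes an Oracle release with CONNECT_BY_ROOT (10g or later).

    ```sql
    -- Direct grants: one row per user per role, system privilege or object privilege.
    -- grant_type records which dictionary view the row came from.
    SELECT u.username,
           u.account_status,
           g.grant_type,
           g.granted,
           g.on_object,
           g.admin_or_grantable
    FROM   dba_users u
    LEFT JOIN (
        SELECT grantee,
               'ROLE'                      AS grant_type,
               granted_role                AS granted,
               CAST(NULL AS VARCHAR2(300)) AS on_object,
               admin_option                AS admin_or_grantable
        FROM   dba_role_privs
        UNION ALL
        SELECT grantee, 'SYSTEM PRIVILEGE', privilege, NULL, admin_option
        FROM   dba_sys_privs
        UNION ALL
        -- dba_tab_privs covers all object grants (tables, views, procedures, ...)
        SELECT grantee, 'OBJECT PRIVILEGE', privilege,
               owner || '.' || table_name, grantable
        FROM   dba_tab_privs
    ) g ON g.grantee = u.username
    ORDER BY u.username, g.grant_type, g.granted, g.on_object;

    -- Indirect roles: a role granted to a role shows up in dba_role_privs with the
    -- role as grantee, so the query above misses it. Walk the chain from each user.
    SELECT DISTINCT
           CONNECT_BY_ROOT grantee AS username,
           granted_role,
           LEVEL                   AS depth   -- 1 = granted directly, >1 = inherited
    FROM   dba_role_privs
    START WITH grantee IN (SELECT username FROM dba_users)
    CONNECT BY PRIOR granted_role = grantee
    ORDER BY username, depth, granted_role;
    ```

    Both queries need read access to the DBA_ views, for example through SELECT_CATALOG_ROLE. Users with no grants at all still appear in the first result, with NULL grant columns, because of the LEFT JOIN.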

  • OIM 11g - Limiting support users to assign roles to correct users

    We have OIM 11.1.1.5.0 and support a couple of third party organizations with delegated administration.
    Admins in OrgA have an admin role AdminRoleA which allows them to assign UserRoleA to their users. Similarly, admins in OrgB are given AdminRoleB that gives them the ability to assign UserRoleB to their users.
    We have support groups that can help these organizations. I have defined the Support role to inherit from AdminRoleA and AdminRoleB. The problem that I'm finding is that the support user can assign UserRoleB to a user in the other organization OrgA.
    I could probably solve this by writing custom code in a validation handler but I just wondered if I was missing something and should have configured these roles and auth policies differently.
    Thanks.

    Thanks, I was afraid of having to mess with the backend like that. What if I removed the "all users" role from people I didn't want to have that access? How would that affect the user?
    EDIT- It appears as though you cannot revoke that role. I guess I had never tried to do it before.
    Edited by: 970312 on Jan 28, 2013 7:52 PM

  • OIM 11g R1 (11.1.1.5.0) Restricting access to Modify resources by field.

    Is there a way to restrict the access to modify specific fields on a resource, based on roles? In design console you have the options of, "Allow Insert", "Allow Update", "Allow Delete" on the form associated with different roles. Is there any way you can restrict this access specifically to fields in the way you can restrict access to user attributes based on authorization policies?

    You are failing to utilize the product then.  You don't have to utilize a soa-composite for this.  They can be set to auto-approve anyway.  But you should not just grant admin access to the user and all their resources so easily.
    Not sure what kind of event handler you can even use.  You could try and explicitly deny access to those roles by adding them to the form permissions and unchecking all the values.
    -Kevin

  • Unable to automatically provision users in AD via Access Policy

    Hello,
    I can connect to AD and provision a user manually to AD via OIM. Goes through just fine. However, if I use an Access Policy to do the same thing, it's stuck in the 'Provisioning' stage. All values are the same in the form.
    Any suggestions on why it works manually but not automatically? I have all values including AD server filled in my form. Is there additional configuration in the Access Policy that I'm missing?

    All fields are prepopulated.
    How do I enable autosave? It's doing the same thing with eDirectory too.
    If I go 'Edit' the task I see all values prepopulated. But they're not getting pushed out to the resource. So if I click 'View' all fields are blank.

  • Provision to target system via access policy

    I am attempting to provision to Active Directory via an access policy and membership rule in OIM11gR2. I have a couple of different issues associated with this process.
    First, I have a membership rule that works fine. All members of a certain organization are automatically assigned a certain role. My access policy is set to provision an AD account to any member that is assigned the same role from the membership rule. This access policy does not seem to get triggered. The access policy is set to run with no approval, retrofit access policy is enabled, and it is set as priority 1 with "revoke if no longer applies" checked. It is also assigned the Active Directory Users process form. I cannot determine why this access policy is not being triggered to provision the role members to AD. I have manually run the Evaluate Users Policies several times with no effect.
    I believe this may be happening because the default prepopulate adapters are not working or are not configured correctly. The 5 mandatory fields each have a prepopulate adapter assigned to them with the Default rule. Correct me if I am wrong, but I believe the mandatory fields are user id, first name, last name, common name, and user principal name? The Org name and IT Resource are set as static values within the access policy. Can anyone assist me in determining (1) why the access policy is not working and (2) why the prepopulate adapters such as ADIDC Populate Form Field for User ID and ADIDC Prepopulate UserPrincipalName for User Principal Name are not working? Is there additional configuration that must take place with these out-of-the-box adapters so they know which values to populate?

    Just verify whether the following are checked in the AD process Defn:
    Auto Save Form
    This check box is used to designate whether Oracle Identity Manager should suppress display of the custom form associated with this provisioning process or display it and allow a user to supply it with data each time the process is instantiated. If you select this check box, it designates that Oracle Identity Manager should automatically save the data in the custom process form without first displaying the form. If you select this checkbox, you must supply either system-defined data or ensure that an adapter is configured to populate the form with the required data (since the user will not be able to access the form). If you clear this check box, it designates that Oracle Identity Manager should display the custom process form and allow users to enter data into its fields.
    Auto Pre-Populate
    This check box designates whether the fields of a custom form that:
    Are associated with the process
    Contain fields that have pre-populated adapters attached to them
    Also, while running "Evaluate User Policy", clear the old time stamp and populate it with the current time. Sometimes I have seen people making this mistake.
    ~J

  • [OIM 9.1.0.2] RESOURCE NOT REVOKED BY ACCESS POLICY WHEN USER DISABLED

    Hi Experts,
    OIM Build Number: 1866.62 ( BP15 )
    IHAC that faced an unexpected behavior on User disabling.
    Some users were associated to groups that had access policies applied.
    When those users were disabled, they didn't lose their associated groups and also the resource and permission associated thru access policy applied to those groups.
    I saw that there was a bug reported for that issue. So I performed the action plan and set up the XL.EvaluateMembershipForInactiveUser System Property as TRUE. Now after disabling, the users are properly removed from groups.
    Customer problem: For those users, almost 1000, I did a recon just to stimulate the identity, so the membership rule was applied and the groups were removed, but OIM didn't evaluate the access policies and didn't revoke the resources.
    I ran the Evaluate User Policies task, and it seems to be stuck. Should the Evaluate User Policies schedule task work for that scenario? Should the resource after running that task be revoked?
    Any help would be very appreciated.

    Hi Nishith,
    I ran the task, but it seems really stuck. It displays the RUNNING status, but any effect is observed. I have to change task status to INACTIVE in the Design Console.
    This task has 2 attributes: Batch Size= 500 and Number of Threads=20.
    But I have noticed this task in another environment (w/ BP 18 applied), it has 3 attributes: Batch Size= 500 ; Number of Threads=20 and Time Limit in mins=1.
    Is there any enhancement for this task in order to improve its performance, or something like that?
    What else can I check?
    Thanks in advance.

  • SAP Roles and Access for SAP Implementation team members

    Hi,
    Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
    If not, what is the correct practice?
    Kindly let me know

    Madhu,
    It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
    You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
    Just think; if they have access to do something that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
    But I know just how demanding they can be....
    Best of luck
    Tony

  • OIM 11g R2 Auto Provisioning Issue

    I have reconciled around 9K records into OIM and ran the evaluate user policies to provision them to LDAP.
    Around 8.5K records got provisioned to LDAP, but the others are not getting provisioned.
    I tried running the retry failed orchestrations and the orchestration cleanup and a few more got provisioned.
    Now there are around 300 records which still need to get provisioned. I tried running the evaluate policies again but it is not working.
    Am I missing something that should be done?
    Please suggest what can be done to resolve this

    Please make sure that all the required fields / attributes that are needed for the provisioning are filled for the users not getting provisioned. Also check the status of the Account to be provisioned for any unprovisioned user: does it state "provisioning"? If so, check its history and try to find out the reason.

  • OIM 11g: Issue while evaluating rule for Role Membership

    Hello All,
    I have configured few General Rules using 2 of our User Defined Fields, these general rules are used to determine role membership.
    What we observed that once "Identity Status" attribute is set to "Disabled" for OIM User Profile then OIM stops evaluating these configured General Rules for Role Membership.
    Env Details:
    Product Version: Oracle Identity Manager 11.1.1.5.0
    App Server: WebLogic Server Version: 10.3.5.0
    OS: Red Hat Enterprise Linux Server release 5.5
    Database: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64 bit
    Please let me know if any of you have encounter this issue and if there is any workaround available for it.
    Thanks,
    Shyam

    Re: OIM11g: Resource not revoked if the Identity Status is DISABLED
    XL.EvaluateMembershipForInactiveUser
    Workaround:
    You can make use of an Event Handler and assign that group with APIs.

  • OIM 11g R2 -AD Provisioning -Connector Server side Error

    Hi,
    Following error is thrown on the connector server side when we attempt to provision an AD resource:
    11/15/2012 7:28:50 PM <VERBOSE>: Class-> ActiveDirectoryConnector, Method -> TranslateObjectClass, Message -> Returning the object class: ObjectClass: __ACCOUNT__ and exiting the method
    11/15/2012 7:28:50 PM <INFORMATION>: Class-> ActiveDirectoryConnector, Method -> Create, Message -> Committing the changes and creating the directory entry.
    11/15/2012 7:28:50 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Encountered Excetion: Access is denied.
    11/15/2012 7:28:50 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Stack Trace: at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
         at System.DirectoryServices.DirectoryEntry.CommitChanges()
         at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 256
         ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Access is denied.
         at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 368
         at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 388
         at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
         at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
         at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
    Am I missing any connector side configurations here?
    Thanks

    Please perform these tests:
    1- Check if the reconciliation is working with the same user provided in the connector configurations.
    2- Check if the reconciled user can be updated/modified through the IDM Admin console.
    After this:
    Check that you are providing the proper OU for the user to be provisioned.
    Check the Resource History and see where it is failing; maybe some required information is missing.
    Have you applied the patch 14190610 for AD connector?

  • OIM 11g R2 -AD Provisioning Error

    Hi,
    We have configured AD connector server. When we try to provision the user with AD account we get:
    Target Class = oracle.iam.connectors.icfcommon.prov.ICProvisioningManager
    <Nov 14, 2012 10:05:40 PM PST> <Error> <ORACLE.IAM.CONNECTORS.ICFCOMMON.PROV.ICPROVISIONINGMANAGER> <BEA-000000> <oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : createObject : Error while creating user
    java.lang.IllegalArgumentException: Parameter 'name' must not be blank.
    at org.identityconnectors.common.Assertions.blankCheck(Assertions.java:90)
    at oracle.iam.connectors.icfcommon.service.oim9.OIM9Configuration.getConfiguration(OIM9Configuration.java:139)
    I can see that all the mandatory fields are pre-populated except the Unique ID attribute - could this be the issue? If yes, then how do we handle this? I can see there are no events logged at the connector server end for this provisioning process attempt.
    We have reconciled Groups, Organization successfully using connector server.
    Can anyone help on this asap..!
    Thanks

    Unique ID attribute is ObjectGUID which I think would be autogenerated. I can see that my user id , OU and other mandatory attributes are populated on the process form, but still I am facing this issue.
    it is throwing this error soon after CREATEOBJECT is invoked.
    Thanks again

  • OIM 11g plugin libraries - Axis2 based integration

    Hi all,
    I'm trying to use Axis with one of my plugins. If I bundle the Axis jars in the plugin it sort of works (there are other issues to solve but the libs are picked up); however, if I deploy Axis separately as an application the plugin doesn't seem to be able to find the classes. NoClassDefFoundError's all over the place.
    Surely this should work right?
    Appreciate any and all help.
    Wayne.
    Edited by: wblacklock on 11-Apr-2011 01:49
    Edited by: wblacklock on 11-Apr-2011 02:57

    Right... turns out you need to use the domain lib folder for anything like this. Just pop your libs in there and everything should have access to them.

  • OIM 11g AD Connector Provisioning Issue

    Hi Guys
    I have this problem which just came from nowhere, as everything used to work before. Please see below the stacktrace. I have to increase the timeout values on my datasources etc. but it keeps failing. My database and everything is in good condition but this problem keeps occurring.
    Running ISADAM
    Target Class = java.lang.String
    Running Get Attribute Map
    Running AD Create User
    Running ISADAM
    Target Class = java.lang.String
    Running GETUSESSL
    Target Class = java.lang.String
    Running CheckUserStatus
    Running GETATTRIBUTEHASH
    Target Class = com.thortech.xl.util.adapters.tcUtilHashTableOperations
    Running Set User Attribute
    Running Set User Expiration Date
    Running ISADAM
    Target Class = java.lang.String
    Running CheckUserStatus
    Running GETPWDEXPIRESATTRIBUTEHASH
    Target Class = com.thortech.xl.util.adapters.tcUtilHashTableOperations
    Running Set Pwd Expires Attribute False
    Running GETATTRIBUTEHASH
    Target Class = com.thortech.xl.util.adapters.tcUtilHashTableOperations
    Running Set User Attributes
    <May 16, 2011 9:23:53 AM WAT> <Warning> <XELLERATE.DATABASE> <BEA-000000> <Exception while trying to get the connection count : 0>
    <May 16, 2011 9:24:14 AM WAT> <Warning> <XELLERATE.DATABASE> <BEA-000000> <Exception while trying to get the connection count : 1>
    <May 16, 2011 9:24:35 AM WAT> <Warning> <XELLERATE.DATABASE> <BEA-000000> <Exception while trying to get the connection count : 2>
    <May 16, 2011 9:25:17 AM WAT> <Error> <XELLERATE.DATABASE> <BEA-000000> <Class/Method: DirectDB/getConnection encounter some problems: Error while retrieving database connection.Please check for the follwoing
    Database srever is running.
    Datasource configuration settings are correct.
    java.sql.SQLException: Unexpected exception while enlisting XAConnection java.sql.SQLException: Transaction rolled back: Transaction timed out after 29 seconds
    BEA1-6F7499AA29E6D0A2F599
    at weblogic.jdbc.jta.DataSource.enlist(DataSource.java:1609)
    at weblogic.jdbc.jta.DataSource.refreshXAConnAndEnlist(DataSource.java:1496)
    at weblogic.jdbc.jta.DataSource.getConnection(DataSource.java:439)
    at weblogic.jdbc.jta.DataSource.connect(DataSource.java:396)
    at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:355)
    at oracle.iam.platform.utils.vo.OIMDataSource.getConnection(OIMDataSource.java:57)
    at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:200)
    at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:148)
    at com.thortech.xl.dataaccess.tcDataBase.getConnection(tcDataBase.java:3198)
    at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(tcDataBase.java:705)
    at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(tcDataBase.java:271)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(tcDataSet.java:935)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(tcDataSet.java:1523)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(tcDataSet.java:903)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(tcDataSet.java:1490)
    at com.thortech.xl.cache.CacheUtil.getSetCachedQuery(CacheUtil.java:250)
    at com.thortech.xl.dataobj.tcDataObj.eventPostUpdate(tcDataObj.java:2262)
    at com.thortech.xl.dataobj.tcScheduleItem.eventPostUpdate(tcScheduleItem.java:742)
    at com.thortech.xl.dataobj.tcDataObj.update(tcDataObj.java:662)
    at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:508)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.updateSchItem(tcAdpEvent.java:188)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeProcessAdapter(tcAdpEvent.java:3529)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeAdapter(tcAdpEvent.java:3711)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.implementation(adpADCSCREATEUSER.java:105)
    at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
    at com.thortech.xl.dataobj.tcDataObj.runEvent(tcDataObj.java:2492)
    at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(tcScheduleItem.java:2936)
    at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(tcScheduleItem.java:554)
    at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
    at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
    at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(tcProvisioningOperationsBean.java:3704)
    at Thor.API.Operations.tcProvisioningOperationsIntfEJB.retryTasksx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
    at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
    at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy482.retryTasksx(Unknown Source)
    at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.retryTasksx(tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.java:2683)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:84)
    at $Proxy160.retryTasksx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
    at $Proxy481.retryTasksx(Unknown Source)
    at Thor.API.Operations.tcProvisioningOperationsIntfDelegate.retryTasks(Unknown Source)
    at com.thortech.xl.webclient.actions.ResourceProfileProvisioningTasksAction.retryTasks(ResourceProfileProvisioningTasksAction.java:698)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:269)
    at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(tcLookupDispatchAction.java:133)
    at com.thortech.xl.webclient.actions.tcActionBase.execute(tcActionBase.java:894)
    at com.thortech.xl.webclient.actions.tcAction.execute(tcAction.java:213)
    at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
    at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
    at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
    at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
    at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at com.thortech.xl.webclient.security.CSRFFilter.doFilter(CSRFFilter.java:61)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:115)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:100)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:330)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused by: weblogic.transaction.TimedOutException: Transaction timed out after 29 seconds
    BEA1-6F7499AA29E6D0A2F599
    at weblogic.jdbc.jta.DataSource.enlist(DataSource.java:1607)
    ... 111 more
    at weblogic.jdbc.jta.DataSource.refreshXAConnAndEnlist(DataSource.java:1515)
    at weblogic.jdbc.jta.DataSource.getConnection(DataSource.java:439)
    at weblogic.jdbc.jta.DataSource.connect(DataSource.java:396)
    at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:355)
    at oracle.iam.platform.utils.vo.OIMDataSource.getConnection(OIMDataSource.java:57)
    at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:200)
    at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:148)
    at com.thortech.xl.dataaccess.tcDataBase.getConnection(tcDataBase.java:3198)
    at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(tcDataBase.java:705)
    at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(tcDataBase.java:271)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(tcDataSet.java:935)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(tcDataSet.java:1523)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(tcDataSet.java:903)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(tcDataSet.java:1490)
    at com.thortech.xl.cache.CacheUtil.getSetCachedQuery(CacheUtil.java:250)
    at com.thortech.xl.dataobj.tcDataObj.eventPostUpdate(tcDataObj.java:2262)
    at com.thortech.xl.dataobj.tcScheduleItem.eventPostUpdate(tcScheduleItem.java:742)
    at com.thortech.xl.dataobj.tcDataObj.update(tcDataObj.java:662)
    at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:508)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.updateSchItem(tcAdpEvent.java:188)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeProcessAdapter(tcAdpEvent.java:3529)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeAdapter(tcAdpEvent.java:3711)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.implementation(adpADCSCREATEUSER.java:105)
    at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
    at com.thortech.xl.dataobj.tcDataObj.runEvent(tcDataObj.java:2492)
    at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(tcScheduleItem.java:2936)
    at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(tcScheduleItem.java:554)
    at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
    at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
    at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(tcProvisioningOperationsBean.java:3704)
    at Thor.API.Operations.tcProvisioningOperationsIntfEJB.retryTasksx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
    at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
    at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy482.retryTasksx(Unknown Source)

    Hi Rajiv
    I tried that, but eventually the error occurs.
    The problem occurs when the connector executes the Set User Attributes task. I'm not sure what exactly it is setting that causes this or where I can look to investigate it.
    Any ideas?
