OIM 11g - Reconciliation of Target Resource Status

Hi,
We're working with OIM 11.1.1.5.2 and connectors DBUM 9.1.0.4 and MSAD 9.1.1.7.
Provisioning and reconciliation seem to be working correctly, but we found that the status of the resource is not getting reconciled on OIM console.
For example, if we provision a user with an Oracle Database account, and then lock the account on the database, when we run reconciliation the event is generated and finished with "update succeeded", we go to the UD_DB_ORA_U table and find that the field UD_DB_ORA_U_LOCK has a "LOCKED" value, then if we check the logs we can see that the connector is correctly mapping the resource status with the OIM object status:
prepareTargetUsersRecordInOIMFormat : record value : LOCKED
prepareTargetUsersRecordInOIMFormat : map : {OPEN=Enabled, 1=Disabled, YES=Disabled, 0=Enabled, EXPIRED & LOCKED=Disabled, NO=Enabled, LOCKED=Disabled}
prepareTargetUsersRecordInOIMFormat : roValue : TEMPORARY_TABLESPACE_QUOTA
prepareTargetUsersRecordInOIMFormat : Temp RO value : null
prepareTargetUsersRecordInOIMFormat : reconData : [{Default Tablespace=27~USERS, Authentication Type=PASSWORD, Password=Dummy, Default Tablespace=27~USERS, Authentication Type=PASSWORD, Password=Dummy, Default Tablespace Quota=, Profile Name=27~USUARIOS, IT Resource=Oracle, User Name=USPRUEBA65, Temporary Tablespace=27~TEMP, Account Status=LOCKED, Status=Disabled, Global DN=, Privilege List=[], Role List=[{Role Admin Option=NO, Role Name=}], Temporary Tablespace Quota=}]
prepareTargetUsersRecordInOIMFormat:: FINISHED
But, even though the reconciliation has succeeded the administrative console shows the account on "Enabled" status, and when I check the OIU table I can see that the OIM object status is still enabled.
I found some threads related to this issue, the most similar was this one: Reconciliation for the deleted user accounts on Target Resource but everything there does not seem to be of much help because all tasks described are already done by the connector installation (at least in msad and dbum connectors).
This problem is happening both for Active Directory and Oracle Database Users, maybe we're missing something but based on the documentation for both connectors we thought it was an OOTB functionality. Is there some system property or connector parameter we need to configure to make this work?
Thanks.
Edited by: fmc on Jul 26, 2012 12:53 PM

Hi Pallavi,
Well, you were right after all, we were mixing 2 totally different problems here and it got us confused.
The problem with the DBUM connector was exactly what you said, a bug in the connector, just needed to modify the connector task object to status mapping. We were checking the Reconciliation Update Received task on AD and we thought it would be the same, and it was obviously not. Well, in this case the recon event was being generated but nothing happened, after we changed the process task it worked like a charm.
On the other hand, the problem with the AD reconciliation was that our search filter on the recon job was configured to omit accounts with the disabled status (!(userAccountControl=66050)), it was certainly a silly problem, never thought we had that in the filter (it's a huge filter and we didn't pay attention to that clause the first time around) but everything is working now, thanks!
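
The AD half of the resolution above came down to a single userAccountControl clause buried in a large recon search filter. As an added example (not from the thread or the connector), this Python sketch decodes the 66050 value and evaluates a filter against directory entries to list the disabled accounts it would hide from reconciliation; the surrounding `(&(objectClass=user)...)` filter, the sample accounts and all function names are assumptions made for illustration.

```python
import re

# Documented userAccountControl bits that matter for account status.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x800000: "PASSWORD_EXPIRED"}
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule
BIT_OR = "1.2.840.113556.1.4.804"   # AD bitwise-OR matching rule

# Constructed sample entries (not real accounts); attribute names lowercased.
SAMPLE_ENTRIES = [
    {"samaccountname": "alice", "objectclass": "user", "useraccountcontrol": 512},
    {"samaccountname": "bob", "objectclass": "user", "useraccountcontrol": 514},
    {"samaccountname": "carol", "objectclass": "user", "useraccountcontrol": 66050},
    {"samaccountname": "dave", "objectclass": "user", "useraccountcontrol": 66048},
]
# The clause from the thread, wrapped in an assumed minimal filter.
EXACT_MATCH_FILTER = "(&(objectClass=user)(!(userAccountControl=66050)))"
# Same intent expressed with the bitwise rule: drops every disabled account.
BITWISE_FILTER = "(&(objectClass=user)(!(userAccountControl:%s:=2)))" % BIT_AND


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_filter(text):
    """Parse an LDAP filter string into a nested tuple tree."""
    text = text.strip()
    try:
        node, pos = _parse(text, 0)
    except IndexError:
        raise ValueError("filter ends unexpectedly") from None
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, children = s[i], []
        i += 1
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        node = (op, children)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", child)
    else:
        end = s.index(")", i)
        m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", s[i:end])
        if not m:
            raise ValueError("unsupported clause: %r" % s[i:end])
        node = ("item", m.group(1).lower(), m.group(2), m.group(3))
        i = end
    if s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (equality, presence, bit rules)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if rule == BIT_AND:
        return int(actual) & int(value) == int(value)
    if rule == BIT_OR:
        return int(actual) & int(value) != 0
    if rule is not None:
        raise ValueError("unsupported matching rule: " + rule)
    return value == "*" or str(actual).lower() == value.lower()


def disabled_accounts_hidden_by(filter_text, entries):
    """List disabled accounts (ACCOUNTDISABLE set) that the filter never returns."""
    tree = parse_filter(filter_text)
    return [e["samaccountname"] for e in entries
            if int(e["useraccountcontrol"]) & 0x0002 and not matches(tree, e)]


if __name__ == "__main__":
    print("66050 =", decode_uac(66050))
    for f in (EXACT_MATCH_FILTER, BITWISE_FILTER):
        print(f, "hides", disabled_accounts_hidden_by(f, SAMPLE_ENTRIES))
```

Any account named in the result is one whose disabled state never reaches OIM, so its resource stays "Enabled" in the console however often the recon job runs.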

Similar Messages

  • OIM 11g+Database Application Tables Resource Connectors+ MS SQL Server 2008

    Hello Experts:
    I installed DBAT 9.1.0.5.0 Resource Adapter on Linux 64 bit server using OIM 11g, I try to create Generic Connectors to configure Target Resource for MS SQL Server 2008 and after entering all the information on the second screen and click continue the screen gets stuck. This does not throw any kind of error nor any error msg are written to Log files. It's been difficult to debug the problem or know the root cause since there is no error msg thrown. No data is written from the sql server.
    I can ping to the sql server and port are open.
    Do we have to do any kind of setting on sql server to make this work?
    Does any one have ideas? Did any one face any issues like this before?
    Has any one worked with OIM connections with SQL server?
    Just throwing all these question as I am running out of ideas.
    Much help appreciated.
    Thanks.
    Edited by: 886912 on Dec 8, 2011 5:09 PM

    Thanks Rajiv for the quick reply.
    I did try local oracle server and there was no issue. And i even tried all kinds of browsers for SQL server and still the same issue.
    And also can you explain a bit more on these enabling logs
    Also enable your logs like XELLERATE.WEBAPP and GTC related logs like
    Xellerate.GC.StartUp
    Xellerate.GC.ProviderRegistration
    Xellerate.GC.ImageGeneration
    Xellerate.GC.FrameworkProvisioning
    Xellerate.GC.Provider.ProvisioningFormat
    Xellerate.GC.Provider.ProvisioningTransport
    Xellerate.GC.FrameworkReconciliation
    Xellerate.GC.Provider.ReconciliationFormat
    Xellerate.GC.Provider.Validation
    Xellerate.GC.Provider.Transformation
    Xellerate.GC.Model
    Xellerate.GC.Server
    I have done it the DBAT. How to do on these?
    Thanks

  • OIM 11g R1 - Modifying a Resource Erases Custom Process Task ???

    I've created a Generic Resource in OIM that uses the Database Applications Table connector 9.1.0.5.0.
    Then I add my own process tasks through Design Console under "Process Management -> Process Definitions". On each custom process task I've attached my own custom adapters, which I created through "Development Tools -> Adapter Factory" in Design Console. These custom adapters use methods from my Java code. My Java jar file is located in "Oracle_IDM1/server/JavaTasks".
    Now here is the issue:
    Whenever I modify this resource in OIM under "Configuration -> Manage Generic Connector" (E.g Changing reconciliation type from Full to Incremental), all my custom process tasks get deleted.
    What is the reason for this? Is there a solution for this problem?

    This is indeed a major flaw for GTC. Below I found this issue in an Oracle doc.
    Doc Link: http://docs.oracle.com/cd/E14571_01/doc.1111/e14309/aptrouble.htm
    Below is a description of this issue from the Oracle documentation
    Summary:
    Customization work done on objects of a generic technology connector would be overwritten if you perform a Manage Generic Technology Connector operation.
    Description:
    You can use the Design Console to customize connector objects that are automatically created during generic technology connector creation. However, after you customize connector objects, if you perform a Manage Generic Technology Connector operation, then all the customization done on the connector objects would be overwritten. Therefore, Oracle recommends that you apply one of the following guidelines:
    Do not use the Design Console to modify generic technology connector objects.
    The exception to this guideline is the IT resource. You can modify the parameters of the IT resource by using the Design Console. However, if you have enabled the cache for the GenericConnector and GenericConnectorProviders categories, then you must purge the cache either before or after you modify IT resource parameters. See "Purging the Cache" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for information about running the PurgeCache utility.
    If you use the Design Console to modify generic technology connector objects, then do not use the Manage Generic Technology Connector feature to modify the generic technology connector.
    Connector objects that are automatically created are not deleted even if the generic technology connector creation process fails.

  • OID OIM 11g reconciliation

    Hello,
    I am looking in the design console at the OID User Resource Object (11g), and in the previous version for 'Reconciliation Action Rules' we had 'assign to group' for 'No user found' rule condition, however, this no longer seems to exist in 11g.
    Where can this condition and action be found (note: I have tried adding a rule, but still can't see the condition)

    You'll need to identify an AD Recon then. This is from the Reconciliation Insert task. This event is inserted on every creation through a recon. Next, you'll need to identify on the user profile when this happens because you'll need to integrate it into your access policy. I would suggest a user defined field as a checkbox. In your group membership rule that adds the user to a group for OID provisioning, add an AND rule into it that requires the checkbox = 0. When the reconciliation insert happens, trigger a task that updates the UDF on the user profile to make the checkbox = 1. Now when the user is reconciled and the Reconciliation Insert event happens, it will update the User Profile, and the user will no longer qualify for the OID access policy. If you have it configured to revoke if no longer applies, OID will get revoked.
    -Kevin

  • OIM 11g R2: Setting target attribute depending on process type (create, update, disable)

    Hi,
    I try to set an attribute ("Action") of users on a target system (Lotus Notes) depending on the type of process that was carried out:
    When the user is created in Lotus Notes by oim, "Action" should be set to the value "create".
    When the user is updated in Lotus Notes by oim, "Action" should be set to the value "update".
    When the user is disabled in Lotus Notes by oim, "Action" should be set to the value "disable".
    What would be the easiest way to achieve that? And how exactly would I have to set that up? (I have tried reading the documentation on Adapter Tasks, however I wasn't able to get that working...).
    Thank you!
    M

    Hi J,
    thanks for your reply. I had some troubles trying to follow your description, but this is what I did:
    1) Create one field in your process form as "Action".
    I used the pre-existing field "RoamSubdir"
    2) Create a new Process Task in Lotus Notes Process Defn for "Action Updated" (You can use OOTB adapter for mapping purpose)
    DesignConsole: Process Management > Process Definition > "Lotus User", Add: "RoamSubdir Updated"
    3) Create a new Process Task Adapter which populates which takes input as input1 and return the input.
    Development Tools: Adapter Factory > Adapter Name "RoamSubdirAction", Adapter Type: "Process Task" > Tab "Variable List", Add "Name: input1, Type: String, Mapped As: Resolve at runtime", Tab "Adapter Tasks" > Add "Logic Task", "Set Variable", Variable Name "Adapter return value", Operand Type "Variable", Operand Qualifier "input1"; Click "Build".
    4) Create 3 Process Tasks in Lotus Notes Process Defn . One for each action. For example: Update Action As Enable, Update Action As Disable, Update Action As Create. In each process tasks, pass input as Enable,Disable and Create respectively.
    Process Management > Process Definition > "Lotus User", Add: Task Name: "Update SubRoamdir As create", Tab "Integration", Add, "Adapter", adpROAMSUBDIRACTION. Edit "2|N|input1|input", Map To: Literal, String, create; Edit "1|N|AdapterReturnValue|ReturnVariable", Map To: Process Data, Qualifier: RoamSubdir
    5) Map each tasks created at step 4 to success of Create User, Enable User, Disable user respectively.
    Process Definition > Edit "Create User" > Task Dependency, Dependent Tasks,  Assign "Update RoamSubdir as create"
    However, this does NOT work. When provisioning a new user on Lotus, looking into the resource history I can see that "Update RoamSubdir as create" is NEVER called.
    Did I do something wrong?
    Thanks for your help,
    M

  • Custom tabs under userprofile - resources in OIM 11g

    Currently in OIM 11g user's available resource accounts are shown as a list under resources tab.
    Is there any way we can customize this page to display one more layer of tabs below it, and filter the resource accounts to be displayed under each sub-tab?

    For OIM 11g R2, we don't have any composer and all. You need to understand the OIM UI then you need to proceed with Customization.
    Steps:
    http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/oim/oim_11g/customize_oim_ui_selfservice_tabs/customize_oim_ui_selfservice_tabs.htm
    Pointers: http://docs.oracle.com/cd/E23943_01/doc.1111/e14309/uicust.htm#BABIGCJA

  • SJSDS recon issue with oim 11g

    I got the following logging message while reconciling SJSDS (sun directory server) with oim 11g. All the recon statuses were success (group, role, user, trusted user), but no data was from SJSDS.
    Does anyone have any idea about it?
    Thanks
    John
    [2011-06-19T10:01:47.352-05:00] [oim_server1] [NOTIFICATION] [IAM-0080013] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000J2cQzfw5qYWFLzfP8A1DzNVx0000A0,0] [APP: oim#11.1.1.3.0] [arg: 194] [arg: 0] [arg: JobDetails] [arg: UPDATE] Kernel executing default validation with process id, event id, entity and operation 194.0.JobDetails.UPDATE
    [2011-06-19T10:01:47.376-05:00] [oim_server1] [NOTIFICATION] [IAM-1020024] [oracle.iam.scheduler.impl.quartz] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000J2cQzfw5qYWFLzfP8A1DzNVx0000A0,0] [APP: oim#11.1.1.3.0] [arg: 194.242.JobDetails.UPDATE.entityId=null] Execute default action handler with 194.242.JobDetails.UPDATE.entityId=null
    [2011-06-19T10:01:47.447-05:00] [oim_server1] [NOTIFICATION] [] [oracle.iam.platform.kernel.dao] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000J2cQzfw5qYWFLzfP8A1DzNVx0000A0,0] [APP: oim#11.1.1.3.0] Inserting records for orchestration cleanup
    [2011-06-19T10:01:47.475-05:00] [oim_server1] [NOTIFICATION] [IAM-0080046] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000J2cQzfw5qYWFLzfP8A1DzNVx0000A0,0] [APP: oim#11.1.1.3.0] [arg: Done] Completed orchestration with action result - Done
    [2011-06-19T10:01:47.705-05:00] [oim_server1] [NOTIFICATION] [] [oracle.iam.platform.authz.impl] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000J2cQzfw5qYWFLzfP8A1DzNVx0000A0,0] [APP: oim#11.1.1.3.0] [[
    *---Stack Trace Begins[[This is not an exception. For debugging purposes]]---*
    oracle.iam.platform.authz.impl.OESAuthzServiceImpl.doCheckAccess(OESAuthzServiceImpl.java:212)
    oracle.iam.platform.authz.impl.OESAuthzServiceImpl.hasAccess(OESAuthzServiceImpl.java:190)
    oracle.iam.platform.authz.impl.OESAuthzServiceImpl.hasAccess(OESAuthzServiceImpl.java:182)
    oracle.iam.platform.authz.impl.AuthorizationServiceImpl.hasAccess(AuthorizationServiceImpl.java:173)
    oracle.iam.scheduler.impl.util.SchedulerAccessUtils.checkOperationAccess(SchedulerAccessUtils.java:22)
    oracle.iam.features.scheduler.agentry.operations.LookupActor.prepare(LookupActor.java:1555)
    oracle.iam.features.scheduler.agentry.operations.LookupActor.refresh(LookupActor.java:2969)
    oracle.iam.features.scheduler.agentry.operations.LookupActor.receiveEvent(LookupActor.java:2807)
    oracle.iam.consoles.faces.mvc.canonic.Model.handleIntent(Model.java:922)
    oracle.iam.consoles.faces.mvc.canonic.Controller.doHandleIntent(Controller.java:528)
    oracle.iam.consoles.faces.mvc.canonic.Controller.doSelectAction(Controller.java:203)
    oracle.iam.consoles.faces.event.NavigationListener.processAction(NavigationListener.java:97)
    ... 34 lines skipped..
    oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:115)
    ... weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:100)
    ... 15 lines skipped..
    weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    ---Stack Tracefor this call Ends---
    ]]

    As the log says, that's not an exception. Anyway, why don't you enable the connector logs and see what the connector complains about. Refer to the Enable Logging section in the connector PDF
    Thanks
    SRS

  • Trusted Reconciliation in OIM 11g

    Hi
    I have written custom scheduler task in OIM 11g which will retrieve values from database and call recon API's to create users in OIM.
    Database Table contains the following sample values
    FIRSTNAME:RECON
    LASTNAME:USER1
    USERLOGIN:RUSER1
    ORGANIZATION:Xellerate Users
    EMPLOYEE-TYPE:Full-Time
    I created Resource Object with the above recon attributes and mapped these attributes to OIM User Attributes and made userlogin as key attribute.
    I created Recon Rule as USER LOGIN equals userlogin and action rule as No Matches Found -> Create User
    Now I ran the job from UI and status is showing as Data Received only. It is not creating users.
    Below are the logs for the same.
    *<Jul 20, 2011 7:47:55 AM EDT> <Error> <oracle.iam.reconciliation.impl> <IAM-5010000> <Generic Error/Information: {0}*
    oracle.iam.platform.utils.SuperRuntimeException: java.sql.SQLIntegrityConstraintViolationException: ORA-02291: integrity constraint (OIM11GDB.FK_RECON_EVENTS_USR) violated - parent key not found
    ORA-06512: at "OIM11GDB.OIM_SP_RECONBLKUSERCRUD", line 759
    ORA-06512: at "OIM11GDB.OIM_SP_RECONBLKUSRMLSWRAPPER", line 71
    ORA-06512: at line 1
         at oracle.iam.reconciliation.dao.DBCall.execute(DBCall.java:24)
         at oracle.iam.reconciliation.dao.ReconActionDao.processSPCall(ReconActionDao.java:1316)
         at oracle.iam.reconciliation.dao.ReconActionDao.executeBulkUserMatchCRUD(ReconActionDao.java:686)
         at oracle.iam.reconciliation.impl.UserHandler.executeBulkCUD(UserHandler.java:568)
         at oracle.iam.reconciliation.impl.BaseEntityTypeHandler.process(BaseEntityTypeHandler.java:34)
         at oracle.iam.reconciliation.impl.ActionEngine.processBatch(ActionEngine.java:129)
         at oracle.iam.reconciliation.impl.ActionEngine.execute(ActionEngine.java:90)
         at oracle.iam.reconciliation.impl.ActionTask.execute(ActionTask.java:73)
         at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
         at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
         at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy364.onMessage(Unknown Source)
         at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:466)
         at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:371)
         at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:328)
         at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
         at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
         at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3822)
         at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
         at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
         at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Pls Help.

    Hi Rajiv,
    Please see my comments below.
    Where is Design Console Access attributes? I think no need to set value for this attribute as the default value will be End-User only. Correct me if I am wrong.
    Have you created Recon Rule properly? yes
    Have you created Reconciliation Profile? yes
    Call the API processReconciliationEvent after createReconciliationEvent API. Is it mandatory to call processReconciliationEvent after createReconciliationEvent? The reason why I am asking is when I wrote scheduler for target recon I didn't use processReconciliationEvent.
    Thanks

  • Reconciliation for the deleted user accounts on Target Resource

    Hi,
    I am trying to run reconciliation on a DB Table as the target resource. It is linking the user accounts that are present in the target resource.
    But for the user accounts that are deleted on the target resource Reconciliation is not showing any action on the IdM user accounts under resource profile. The resource object link still shows the status "Provisioned".
    Ideally when the users are deleted on the target resource User's profile, Does it require any customizations to make the resource assignment status to "revoked" instead of "Provisioned".
    Any response would be of great help.
    Thanks in advance.

    See there could be two possibilities only:
    *1) User Status Recovery via trusted Reconciliation*
    Associated field in OIM responsible for it - Status field of OIM User Profile -> Check Process Definition for Xellerate User or any Trusted resource in "Reconciliation Field Mappings" section
    Valid values are : Active, Disabled and Deleted
    *2) Account Status Recovery via target Reconciliation*
    Associated field in OIM responsible for it - OIM_OBJECT_STATUS field from Process Data Field -> Check Process Definition for Your custom resource of DB App Table in "Reconciliation Field Mappings" section
    Valid values are : Enabled, Disabled and Revoked
    So you are trying to achieve the second part.
    Hope it's clear.
    Thanks
    Sunny

  • Getting Error - Cause: Status of the batch is not 'Completed' in OIM 11g R2 during Trusted Recon

    Hi All
    I am new to OIM 11g R2. I am trying to create custom connector for trusted recon. The case is to migrate the users from 10g to 11g R2. The recon event is created but it is in Event Received status and when I re-evaluate the event, it's giving error - Cause: Status of the batch is not 'Completed'.
    I saw in some posts to change the recon batch size parameter to 0 and restart the server. I have done that but still I am facing the same issue.
    There is no child data in the attribute mapping and user login is set as key.
    Any inputs are welcome on how to get rid of this error.
    Regards
    Vinay

    J_IDM@ I am not passing any OID IT Resource as parameter. Yes I have checked but no entries were there.
    Prakash bAJIYA@ I was running Job from Web console & didn't find any such object. It may be diff from design console.
    810444@ Thanks.
    Dear All,
    In Web Console Job Scheduler, I had one Recon "LDAP FULL Recon" which has a property "OIM Employee Type" which was before "Full-TYpe", I changed it to * & it worked. Now I am able to generate events.
    It seems like value of Employee Type has an Issue in OID, please correct me ?
    Thanks a lot for you guys contribution.

  • OIM 11g - How to get modified data on a reconciliation event

    Hi,
    We're running OIM 11.1.1.5.2 with Ad (9.1.1) , exchange ( 9.1.1.7), dbum (9.1.0.4) and dbat (9.1.0.5) connectors.
    When we run reconciliation we can get the recon data on the event management tab of the advanced administration console, but, update succeeded events show all fields mapped on the reconciliation with the new values only. For example, for AD, if an account on the target resource has its "TelephoneNumber" field updated, we can see the event, but, we cannot identify what was changed on that event was the telephone number, as the event shows all fields on the AD account...
    Our requirement is to inform the customer as soon as the reconciliation has occurred for each particular updated account, in a manner that is fast and easy to understand.
    We have the audit on OIM on Resource Form (XL.UserProfileAuditDataCollection) and we can see the upa tables being populated.
    Now, the question is, what is the recommended or most used way to process the information on upa tables? Is there any ootb report that maybe we're missing that shows this info? Are there APIs documented to work with audit data (I just couldn't find them)?
    Having in consideration our requirement, I'm thinking on creating a new task for each process form to be triggered by "Reconciliation Update Succeeded" that executes a pl/sql to find events on upa tables related to the user and resource, then parse the generated xml and send an email with old and new values, but I want to be sure there's no ootb or simpler way to do it.
    Thanks.

    Thanks Kevin,
    I think that we found an easier way though. By setting the system property XL.EnableExceptionReports to TRUE, the tables UPA_FORMS and UPA_FORMFIELDS get populated automatically.
    These tables contain information of the fields that were modified and the reason (i.e. 'Reconciliation', 'API').
    I have created a database job that executes a stored procedure that searches for new records on upa_ud_formfields and gets the resource name, resource key, field name, old and new values and then sends an email with all modified data to the corresponding administrators for each resource. I use an auxiliary table on a different schema to keep track of records already read on previous runs of the job.
    It takes some time to get the info because we depend first on the running of the recon scheduled job, then the "issue audit message task" job, and finally our own job, but it works.

  • Lookup.USR_PROCESS_TRIGGERS not working with trusted reconciliation oim 11g

    Hi,
    I am facing one issue while running the trusted incremental reconciliation in OIM 11g.
    In the bulkEvent of the event handler I am checking if the operation is MODIFY then I am comparing some attributes and based of that result I am performing some action.
    Now the issue is that if the first name or last name of the users gets changed in OIM due to trusted reconciliation then the Change First Name or Change Last Name Process task should get executed on the resources provisioned to the user. This is not happening in my case.
    I tried modifying the first name of the user via UI and then the Change First Name Process task got executed.
    Please let me know if I need to do something extra to get this working.
    Thanks

    Hi,
    Try creating a custom adapter and attach the adapter to the process task which you have created. This adapter should read the user profile value and populate in the AD provisioning form. Then test the flow for one attribute. As I am suspecting that there would be an issue with OOTB adapter.
    Regards
    Sai

  • OIM 11g - Mail Notification for multiple resources

    User will be provisioned to 5 target systems through access policies. So instead of sending 5 different mail notifications to the manager on the Create User task about the account creation, is it possible to send one consolidated mail about the provisioned resources in OIM 11g?

    Hi,
    How about the following requirement for sending single mail for multiple resources provisioned.
    We have 3 Access Policies which is defined as follows.
    1) Policy 1 -> R1,R2,R3 Resources
    2) Policy 2 -> R3,R5 Resources
    3) Policy 3 -> R1,R4 Resources
    In such a case we will not be able to put dependencies on Resources and adding a task for sending email.

  • Reconciliation of "change password on next logon" from AD fails in OIM 11g

    Hello,
    We have a use case on our OIM 11g project where we create a user in Active Directory and check *"User must change password at next logon"* box in AD.
    We have setup AD as Trusted and Target resource (using connector 9.1.1.7), where users coming from AD will be created in OIM and password changes in OIM will be sent to AD. Also we use the password synchronization module (9.1.1.5) to synchronize the passwords from AD to OIM when they are changed in AD.
    What we noticed is the "User must change password at next logon" is synchronized to the "AD Resource", but unlike the regular attributes it is not accessible normally because it's a system attribute.
    What we expect is the user logging in to OIM will be prompted to change the password, but nothing happens when the newly reconciled user logs in (i.e. normal self-service page is shown). Same thing applies when we set the flag on an existing user also.
    Did anyone get this working properly?
    P.S. In a previous version it used to be the opposite where the user was constantly prompted for the password, even though it was changed in AD already, after changing the password using Alt+Ctrl+Delete the user was still prompted to change when logging in to OIM. Oracle suggested we upgrade to 11.1.1.5.1 (most recent patch set) but now the reverse happens - we never get change password prompt now.
    Thanks,
    -JP
    Edited by: JacekP on Oct 17, 2011 8:10 AM

    Yeah, you're right, unfortunately we have dual authoritative password model, where a user can change the password from OIM when he is accessing OIM through a web interface or from his Windows machine through the domain controller. We need the use case to work fully both ways ideally.
    A plan-B solution is to use a directory synchronization mechanism outside of OIM that would connect OID and AD, but we would prefer not to.

  • Creation of users in OIM from OID, where OID is target resource

    Hi,
    I am new to OIM. We have a scenario where we have OIM and OID. The users are being created in OID. Now we need to get these users to the OIM system to use the Change Password, Forgot Password functionalities of OIM. Can we have OID as the target resource for OIM and have a reconciliation done to get all the users from OID and have them created in OIM?
    Or is this possible only when OID is the Trusted Source?
    Thanks in advance,

    Re: OIM's Trusted Source
