OIM 11g Roles/Groups

Dear All,
I noticed that 11g version has the ability for end-user to request Roles. What is the difference between Role and Group in OIM 11g?

In 11g the new definition of an OIM Group = Role.
-Kevin

Similar Messages

  • OIM 11g R2 Group Membership

    Hi All,
    In OIM 11g R2, when i try to manually add a user to a group (custom or OOTB), i do not see the "Assign" button active and with the absence of the assign button, i could not assign a new user to the group. But, I can see that the Create Rule option is active.
    Does this mean that the group membership in OIM 11g can only happen through Group membership rule satisfaction?
    Please help.
    Thanks,
    Srini

    You can manually add an user to a role in OIM 11gR2. Open identity console --> Click on Roles--> Search
    You will get all the roles listed. Select the role to which you want to add a member. Assign tab will be visible under the Members panel layout in the bottom frame.
    When you click on assign the request catalog opens with the selected target user and the role. You can change the target user or add another target user.
    Then click on submit.
    If this process is done through sysadmin login then directly the member is assigned to the role
    Else it will create a request and after approval is completed the member will be assigned to the role.

  • OIM 11g Role creation error

    Hi All,
    While creating the role on screen we are getting the following errors . there are no event handlers defined for any operation on roles.
    oracle.iam.identity.rolemgmt.utilsIAM-3056030An exception occurred while performing the operation.
    oracle.iam.platform.kernel.EventFailedException: An error occurred while executing the kernel event handler.
    at oracle.iam.platform.kernel.impl.DefaultActionHandler.execute(DefaultActionHandler.java:48)
    at sun.reflect.GeneratedMethodAccessor1370.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at oracle.iam.platform.kernel.impl.EventHandlerDynamicProxy.invoke(EventHandlerDynamicProxy.java:30)
    Caused By: oracle.iam.platform.entitymgr.InvalidDataTypeException: Role Display Name
    at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.checkDataType(EntityManagerImpl.java:1487)
    at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:265)
    at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:240)
    java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key IAM-0080001
    at java.util.ResourceBundle.getObject(ResourceBundle.java:402)
    at java.util.ResourceBundle.getString(ResourceBundle.java:362)
    at oracle.iam.platform.utils.OIMMessageResourcesUtil.getMessage(OIMMessageResourcesUtil.java:726)

    Hi ,
    How to set that parameter? please find the other system params which has been set in our env below.
    User Region : US
    User Language : en
    User Variant : no value provided
    Thanks,
    Power.

  • OIM 11G - Roles, revoke when policy no longer applies behaviour

    When two roles share one or more common resources, will the "revoke resources when policy no longer applies" behaviour preserve the common resources of the other existing role, when the other role is revoked?
    Regards
    Hanif

    As mentioned above, they will keep the resource as long as they are a member of a role that has that resource on the access policy.
    If the access policy has a deny resource listed on it though, that will automatically revoke any instance regardless of other access policy the user has.
    -Kevin

  • Not able to add groups to the user ODSEE via OIM 11g R2

    Hi,
    I have created some groups in ODSEE and ran the recon job to sync these groups in OIM 11g R2.
    Groups are populated in OIM 11g R2 and while raising the request for ODSEE Application Instance I can see these groups.
    Now following are the issues I am facing :
    1. ODSEE groups are not getting displayed in Catalog ( I have ran the Entittlement-List job also)
    2. When I request for a group while creating the request, the group is not getting assigned to the user in ODSEE, wherein user is getting created in ODSEE successfully.
    Please help.
    Thanks

    Please let me know what could be the reason of not adding the groups to the user in ODSEE.
    I was able to add the groups successfully to user by assigning the groups while raising the request in OIM 11g R1.
    But the same is not working in OIM 11g R2, if I check the OIM logs it is calling the function ADDUSERTOGROUP but the groups are not getting assigned to user.
    Thanks

  • How to obtain Role name in OIM 11g using API's

    Hello,
    I have a scenario in which I create Role/Group in OIM 11g & it gets provisioned in AD [=works fine] & other part is when i delete role in OIM 11g then it should
    get deleted from AD.I have written postprocess event handler to achieve this.
    In role creation part i get all parameters using "orchestration.getParameters();" , but when i delete role then "orchestration.getParameters();" is empty,so i am
    not able to get role name.
    Is there a way to get role name while deleting roles using API ?
    Thanks,
    Rahul Shah

    Hi Raghav,
    Following is my code :
    tcRODetails = orgOpInterface.getObjects(organizationKey);
    for(int i = 0;i < tcRODetails.getRowCount();i++){
    tcRODetails.goToRow(i);
    // resourceName=AD Group
    if(resourceName.equalsIgnoreCase(tcRODetails.getStringValue("Objects.Name"))&&
    tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Provisioned")||
    tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Enabled")) {
    System.out.println("<<<FOUND>>>");
    processKey = tcRODetails.getLongValue("Process Instance.Key");
    provisionObjectKey = tcRODetails.getLongValue("Objects.Key");
    tcProcessSet = oimFormUtility.getProcessFormData(processKey);
    for(int j=0;j<tcProcessSet.getRowCount();j++){
    tcProcessSet.goToRow(j);
    if(grpName.equalsIgnoreCase(tcProcessSet.getStringValue("UD_ADGRP_NAME"))){
    System.out.println("MATCH FOUND!!!!!");
    orgOpInterface.removeObjectAllowed(organizationKey,provisionObjectKey);
    break;
    & i get following error :
    <Mar 22, 2012 1:54:43 PM IST> <Error> <XELLERATE.APIS> <BEA-000000> <Class/Method: tcOrganizationOperationsBean/removeObjectAllowed encounter some problems: Object with key=7 is not already set as an allowed object for Organization with key=1>
    Thanks
    Rahul Shah

  • Reconcile user groups to OIM (11g)

    I would appreciate it if someone may let me know how to reconcile the organization and leadership structure information from an Oracle DB based identity vault into OIM (11g) to create organizational roles, for example, into the user group and user group membership tables, i.e. the UGP and USG table series. Many thanks.

    yesy, I have defines correct search value but its again and again throwing error. I change the search values too. But its not working.

  • OIM 11g R2 - Creating a new role using API

    Hi,
    I am trying to create a new role in OIM 11g R2 using RoleManager API.The requirement is to provide "Role Owner" also while creating the role.May I know how to do that?.Thanks in advance.

                        HashMap <String, String> groupMap = new HashMap <String, String> ();
                        groupMap.put("Groups.Group Name", groupName);
                        groupMap.put("Groups.Role Description", "Just for testing");
                        long groupKey = -1L;
                        try {
                                groupKey = goi.createGroup(groupMap);
                                logger.info("RESULT: Group with group_key '" + groupKey
                                                + "' has been successfully created");
                        } catch (tcAPIException e) {
                                logger.info("Creating client...."+e);
                        } catch (tcDuplicateGroupException ex) {
                             return getGroupKey(goi, groupName);
                                //logger.info(""+ex.toString());
                        } catch (tcInvalidAttributeException er) {
                                logger.info(""+er.toString());
    I hope this really helps you,
    Thiago Leoncio.
    (Blog: thiagoleoncio)

  • OIM 11g R1 - Container for Roles

    Hi,
    is it possible to create container for roles?
    For Example:
    Container1: RoleA, RoleB, RoleC
    Container2: RoleV, RoleY, RoleZ
    The reason is, i want to create authorization policies, which allows the user to assign specials roles. The problem is, that a lot of roles will be added during the operation. This means, if a new role will be created, i have to edit the authorization policy
    The best way is, i assign a Role-Container to the authorization policy. If i create a new role, i add the role to the special container.
    Is this possible in OIM 11g R1?
    Edited by: 960944 on Apr 3, 2013 5:18 AM

    Yes, you can do that using authorization policy.
    Try this:
    Create a Role called 'X'
    Create a Authorization Policy of Role Management Entity Type called 'X Role Authz Policy' and under the Permission tab:
    Grant Modify Role Membership, Search for ROle, View Role Detail and View Role Membership
    Under Data Constraints: Add all the roles that a user can self assign except SYS ADMIN role.
    Under Assignemnt: Add Role 'X'
    Save and apply to test it.
    You can have a look at the default Role Management All Users Policy for reference.
    Regards,
    Sunny

  • Role management in OIM 11g.

    Hi All,
    I am working on OIM 11g PS1.
    In this I want to give some of the users in OIM ability to manage the roles in OIM and view and modify the role and role membership.
    For this the simplest way is to add the user to role 'Role Administrators'.
    Now when I login with user, then this user is able to modify the role, view hierarchy, view and modify membership rule, Data Object permissions but when clicks on 'Members' tab then it throws the error and does not show the members and same error comes when it tries to assign new users in role.
    The same behavior happens for the role owner as well. When the role owner of a role logs in and try to view the members of its own role the same things happens. I have pasted the error below:
    Please suggest if anyone else has come across this issue and is there any step that I may be missing in my configuration.
    The error that comes on GUI:
    "ADF_FACES-60097: For more information, please serr the server's error log for an entry beginning with: ADF_FACES-60096:Server Exception during PPR, #8"
    Error in Weblogic logs:
    "<Dec 1, 2011 10:34:48 AM EST> <Warning> <oracle.adfinternal.view.faces.lifecycle.LifecycleImpl> <BEA-000000> <ADF_FACES-60098:Faces lifecycle receives unhandled excepti
    ons in phase INVOKE_APPLICATION 5
    javax.el.ELException: java.lang.NullPointerException
    at com.sun.el.parser.AstValue.invoke(Unknown Source)
    at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
    at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodExpression(UIXComponentBase.java:1300)
    at org.apache.myfaces.trinidad.component.UIXShowDetail.broadcast(UIXShowDetail.java:154)
    at oracle.adf.view.rich.component.rich.layout.RichShowDetailItem.broadcast(RichShowDetailItem.java:192)
    at oracle.adf.view.rich.component.fragment.UIXRegion.broadcast(UIXRegion.java:148)
    at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:102)
    at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
    at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
    at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
    at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:96)
    at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:902)
    at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:313)
    at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:186)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
    at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
    at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:121)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:107)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
    at java.security.AccessController.doPrivileged(Native Method)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
    at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
    at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
    at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
    at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Caused By: java.lang.NullPointerException
    at oracle.iam.consoles.rolemgmt.utils.PagingUtils.addPagedRoleMembersData(PagingUtils.java:199)
    at oracle.iam.consoles.rolemgmt.tf.details.RoleDetailsBean.initializeRoleMembers(RoleDetailsBean.java:652)
    at oracle.iam.consoles.rolemgmt.tf.details.RoleDetailsBean.loadRoleMembersTab(RoleDetailsBean.java:521)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.sun.el.parser.AstValue.invoke(Unknown Source)
    at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
    Thanks,
    Sneha

    Hi,
    I found the resolution for this, so I thought I would share it here with everyone.
    I role owners or any user in role "Role Administrators" were not able to view the members of the role though they had the authorization policies enabled and everything setup.
    To enable the view of role membership please follow the steps below:
    1. Login as XELSYSADM
    2. Goto Administration and search for the org which the users are assigned to
    3. Open the org details
    4. Click "Administrative Roles"
    5. Click "Assign"
    6. Choose either "ALL USERS" or your role which you created, set the permissions as you wish and click "Assign"
    This will really solve the issue.
    Thanks,
    Sneha.

  • Issue with deleting a group using Request APIs in OIM 11g R1

    Hi,
    I am facing an issue with Request Based provisioning in OIM 11g R1.
    I am currently testing a scenario where i have imported a data set for 'Modify Provisioned Resource' and am able to add a group/entitlement to an already provisioned resource by using the following code :
            RequestBeneficiaryEntityAttribute childEntityAttribute= new RequestBeneficiaryEntityAttribute();
            childEntityAttribute.setName("AD User Group Details");
            childEntityAttribute.setType(TYPE.String);
            List<RequestBeneficiaryEntityAttribute> childEntityAttributeList=new ArrayList<RequestBeneficiaryEntityAttribute>();
            RequestBeneficiaryEntityAttribute attr = new RequestBeneficiaryEntityAttribute("Group Name", <group>,                                                                       RequestBeneficiaryEntityAttribute.TYPE.String);
            childEntityAttributeList.add(attr);
            childEntityAttribute.setChildAttributes(childEntityAttributeList);
            childEntityAttribute.setAction(RequestBeneficiaryEntityAttribute.ACTION.Add);
            beneficiaryEntityAttributeList = new ArrayList<RequestBeneficiaryEntityAttribute>();   
            beneficiaryEntityAttributeList.add(childEntityAttribute);
            beneficiarytEntity.setEntityData(beneficiaryEntityAttributeList);
    This works fine for adding a group but if i try to remove a group by changing the action to Delete in the same code, the request fails. The only change made is in the following line:
    childEntityAttribute.setAction(RequestBeneficiaryEntityAttribute.ACTION.Delete);
    Could you please suggest where can this possibly be wrong.
    Thanks for your time and help

    Hi BB,
    I am trying to follow up your response.
    You are suggestng to use prepopulate adapter for to populate respource object name, that means We have to just use an sql query from obj tabke to get the resource object name. right ?? it could be like below, what should I have entity-type value here ??
    <AttributeReference name="Field1" attr-ref="act_key"
    available-in-bulk="false" type="Long" length="20" widget="ENTITY" required="true"
    entity-type="????"/>
    <PrePopulationAdapter name="prepopulateResurceObject"
    classname="my.sample.package.prepopulateResurceObject" />
    </AttributeReference>
    <AttributeReference name="Field2" attr-ref="Field2" type="String" length="256" widget="lookup-query"
    available-in-bulk="true" required="true">
    <lookupQuery lookup-query="select lkv_encoded as Value,lkv_decoded as Description from lkv lkv,lku lku
    where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.xxx.BO.Field2'
    and instr(lkv_encoded,concat('$Form data.Field1', '~'))>0" display-field="Description" save-field="Value" />
    </AttributeReference>
    Then I need think about the 'Lookup.xxx.BO.Field2' format.
    Could you please let me know if my understanding is correct?? What is the entity-type value of the first attribute reference value?
    Thanks for your all help.

  • Regarding Authorization policy and Roles in OIM 11g

    Hi,
    In OIM 11g Admin interface, is there a way to find out what all authorization polices, a role has been assigned to ?.
    I am asking this because, if you search for a user, you will know what all roles he is a member of, and similarly if you search for a role, you will know who all users are members of that role.
    Similarly, if you search for a Authorization policy, you will know what are roles are assigned to this policy. But if I search for a role, I am not able to find what all authorization policies has been assigned to this role.
    Looking forward to hearing from you,
    Many thanks in advance

    I understand your concern. But, this feature has not been available
    --nayan                                                                                                                                                                                   

  • OIM 11g support for Temporary roles with expiration date

    Dear All,
    Is there a support provided for temporary roles in OIM 11g?
    If not, what is the recommendation as for implementation?
    Kind regards
    Maria Adair

    I'm also interested if someone has any recommendation as for how to implement such a feature. Anyone has any ideas?

  • OIM 11g-configure SoD so that it works for direct provisioning of the roles

    Dear All,
    page 23-3 of Developer's Guide (OIM 11g) provides information regarding configuration of the SoD for Direct provisioning of the resources. How to configure SoD so that it works for direct provisioning of the roles?
    Thank you for your time
    Maria

    Rajiv,
    I did not find the documentation regarding this. But I hoped I will.
    In my project we assign roles directlly, not resources.
    I suspect the integration with Role Manager is required in this case. SoD module in OIA should be used then.
    Maria

  • Oim 11g r2: data access restriction using roles instead of organisations

    can i implement data access restriction using roles instead of organisations in oim 11g r2?

    in my use case a particular user can be member of more than one organisation. as far as i know oim does not suoport this use case using organisation, so i decide to use roles to represent my "organizations", but now i loose all the data access restrictions (scope).

Maybe you are looking for