OIM 11g - User Management Authorization policy issues

Hello,
1) Created an organization -> Human Resource
2) Created a Role -> HR_Admins
3) Assigned HR_Admins roles as administrative role of Human Resource organization
4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user.
5) Created authorization policy for user management with following selections
Permission -> Create User.
Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
Assignment -> HR_Admins role.
Now when I log in as user1 I am not able to see the Administration tab where I can select Create User.
I have been working on this issue for a couple of days, but have not been able to find the solution. Have I missed some configuration?
Thank-You
Rahul Shah

Hi Rahul,
I have tested your scenario with the clauses below:
1) Created an organization -> Human Resource
2) Created a Role -> HR_Admins
3) Assigned HR_Admins roles as administrative role of Human Resource organization
4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user. : default role All Users
5) Created authorization policy for user management with following selections
Permission -> Create User. :- *"Select ALL"*
Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
Assignment -> HR_Admins role.
In data constraints:
Organization Security Setting -> Hierarchy Aware (include all Child Organizations)
Now I am able to see the create user tab, and I can create a user in the Human Resource org only.
If it doesn't work for you, just assign "REQUEST ADMINISTRATOR" in the auth policy and test the result.
Also what is your OIM version?
Test it with fresh data, like a new role name, org and user.
-kuldeep
Edited by: Kuldeep on May 22, 2012 4:19 AM

Similar Messages

  • OIM as user management

    Hi All,
    I am using OIM as user management for managing target systems AD and Oracle database.
    I have some common fields like email and telephone number for both the accounts of AD and database.
    When I get a request for creating an account in AD (with a set of attributes which includes email and telephone number) in the form of a feed, I first need to find out whether a user is already present in OIM with the email and telephone number given in the feed. If one exists, I just need to create the account in AD; if not, I need to first create a user and then provision that user to AD.
    Can anyone explain how to achieve this in OIM? I need all of this to be performed automatically; I will get the account creation request in the form of a feed.
    Regards,
    Poorna

    You have written:
    When I get a request for creating account in AD (with set of attributes which include email and telephone number) in the form of feed, first I need to find out if already user is present in OIM with the given email and telephone number that present in given feed, if exist I just need to go and create account in AD if not I need to first create a user then provision that user to AD.
    I am confused by your requirement.
    From where are you getting the request for AD? If the user is not present in OIM then you'll have to first create that user in OIM and then provision to AD.
    Just create an entity adapter and attach it to the User Form; it will validate whether any user with the given email and number is already present in the USR table. If not, it will create the user in OIM; otherwise it will throw an error.
    You can also create a group, move that user into the group using a rule related to your requirement, and put an access policy on that group.
    Otherwise you can put the access policy on the All Users group too, if it doesn't affect your other functionality.
    Re: Auto provision based on rule

  • OIM 11g authorization policy issue

    Hi ALL,
    We have created one authorization policy,
    which will give the following permissions to the users:
    1. Search users
    2. View user details
    3. Modify a single attribute in user profile
    It has been assigned to a role.
    Now we assigned this role to a user and he is able to search the users and view the details, but he is able to edit all the attributes besides the specified one. Please let me know where I am going wrong.

    In Modify User, check which attributes are selected. If all are selected, then select only the one which you require.
    J

  • Error Installing OIM - Ebiz User Management connector

    Hi all,
    I am trying to install ebusiness suite user management connector 9.1.0.1.0.
    But, while installation, I am getting an exception
    Invalid Connector Installation Directory
    Ensure that the connector installation files are in the specified directory.
    From the server log, I have seen this error.
    ERROR,01 Jun 2010 11:29:19,153,[XELLERATE.WEBAPP],Class/Method: ConnectorInstallProcessAction/CopyJarFilesForInstallation encounter some problems: IO exception while copying jar files
    java.io.IOException: FileCopy: destination file is unwriteable: /g03/oim/xellerate/JavaTasks
    at com.thortech.xl.webclient.actions.ConnectorInstallProcessAction.copy(Unknown Source)
    at com.thortech.xl.webclient.actions.ConnectorInstallProcessAction.copyJarFilesForInstallation(Unknown Source)
    at com.thortech.xl.webclient.actions.ConnectorInstallProcessAction.completeInstallation(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
    at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
    at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
    at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
    at com.thortech.xl.webclient.actions.ConnectorInstallProcessAction.execute(Unknown Source)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    But, before this, I have done the ebusiness suite employee reconciliation 9.1.0.1.0 in the same way.
    Please let me know, if any one has faced this kind of error earlier.
    Regards
    Vicky

    Figured out the error,
    When I installed the Ebiz HRMS Employee recon connector, it imported all the files with root privileges. (Don't know why the import was done with root privileges.)
    Because EBSCommon.jar and Common.jar have root as the owner, the EBIZ UM connector is unable to replace those files. After modifying the owner and group of these two files to oracle,
    I am able to successfully install the UM connector.
    Regards
    Vicky
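The ownership mismatch described in this thread can be detected before running the connector installer. The following is an added example, not part of the original posts: a POSIX shell check that lists every entry under a directory whose owner or group is not the expected service account. The function names and the script name `audit_ownership.sh` are assumptions; the path and the `oracle` account in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-install ownership audit.
# Usage (script name is hypothetical):
#   sh audit_ownership.sh /g03/oim/xellerate/JavaTasks oracle oracle

# Print an `ls -ldn` line for every entry under DIR (DIR included) whose
# owner or group differs from the expected account.
# OWNER and GROUP may be names or numeric ids (POSIX find accepts both).
audit_ownership() {
    dir=$1; owner=$2; group=$3
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -exec ls -ldn {} +
}

# Exit status: 0 = everything matches, 1 = at least one mismatch,
# 2 = the audit itself could not run (missing or unreadable directory).
ownership_ok() {
    mismatches=$(audit_ownership "$1" "$2" "$3") || return 2
    [ -z "$mismatches" ]
}

# When called with three arguments, run the audit and print the mismatches.
if [ "$#" -eq 3 ]; then
    audit_ownership "$@"
fi
```

Any line it prints identifies a file the installer, running as the service account, may be unable to replace.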

  • OIM - EBusiness User Management Connector

    Hello there,
    Can anybody please tell me which of the Ebusiness connectors provided in the 9.1 version connector pack needs to be installed? There are 3 different categories within it:
    1.) For the User Management connector:
    Oracle EBS User Management 9.1.0.0
    2.) For the User Management with HR Foundation connector:
    Oracle EBS HR Foundation User Management 9.1.0.0
    3.) For the User Management with TCA Foundation connector:
    Oracle EBS TCA Foundation User Management 9.1.0.
    I don't know which one corresponds to which operations that OIM can perform. Can anybody please throw some light and explain which connector does what?
    thanks,
    - oidm.

    An FND_USER record represents an Oracle E-Business Suite account. This record is the main component of the account data whose management is enabled by the connector. *(Oracle EBS User Management 9.1.0.0)*
    Depending on your configuration of the target system, there may be other user data components that must be managed by the connector:
    Some applications in Oracle E-Business Suite require a user to have a person record in Oracle E-Business HRMS. *(Oracle EBS HR Foundation User Management 9.1.0.0)*
    These users are either full-time employees of the organization or users (such as contract or part-time employees) who have been provided with access that is similar to the access provided to full-time employees. iExpense is an example of an application that requires users to have person (HRMS) records.
    Some applications in the Oracle E-Business Suite require a user to have a record in Oracle E-Business TCA. *(Oracle EBS TCA Foundation User Management 9.1.0.)*
    Typically, these users are representatives or employees of customers and vendors of your organization. iStore and iProcurement are examples of applications that require users to have TCA records.
    For more info
    http://download.oracle.com/docs/cd/E11223_01/doc.910/e11203/intro.htm#CHDJCHDC
    Thanks
    Suren

  • Not able to see the users in Authorization Policy Manager

    I have configured an OID provider in the myrealm of WebLogic for OES Server. I also added the following lines to jps-config.xml:
    <serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
    <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider" name="idstore.config.provider"/>
    <property value="oracle.security.idm.providers.stdldap.JNDIPool" name="CONNECTION_POOL_CLASS"/>
    <property name="idstore.type" value="OID"/>
    </serviceInstance>
    Even then I cannot see any of the users from the OID through application policy manager.
    Is anybody aware of any other settings that need to be done?
    OES server version is 11.1.1.6 and OID is 11.1.1.5.
    Any help will be appreciated.
    Edited by: ssarkar on May 10, 2012 1:15 PM

    Externalize the users.

  • OIM 11g AD Connector Access Policy Based Provisioning Issue

    Hi,
    I created an Approval Policy for the Access Policy Based Provisioning request type for request level (autoapproval) and operational level (used the standard beneficiaryManagerApproval process), but when the resource is to be assigned to the User, it throws an exception when running the setAdDn adapter of the Process Definition Form:
    Running ISADAM
    Target Class = java.lang.String
    Running Get Attribute Map
    Running AD Create User
    Running ISADAM
    Target Class = java.lang.String
    Running GETUSESSL
    Target Class = java.lang.String
    Running CheckUserStatus
    Running GETATTRIBUTEHASH
    Target Class = com.thortech.xl.util.adapters.tcUtilHashTableOperations
    Running Set User Attribute
    Running Set User Expiration Date
    Running ISADAM
    Target Class = java.lang.String
    Running CheckUserStatus
    Running GETPWDEXPIRESATTRIBUTEHASH
    Target Class = com.thortech.xl.util.adapters.tcUtilHashTableOperations
    Running Set Pwd Expires Attribute False
    Running GETATTRIBUTEHASH
    Target Class = com.thortech.xl.util.adapters.tcUtilHashTableOperations
    Running SETADDN
    [2012-07-19T16:15:52.281+03:00] [oim_server1] [ERROR] [] [XELLERATE.SERVER] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Class/Method: tcDataObj/save Error :Insertion of dataobject into database failed
    [2012-07-19T16:16:34.375+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 0
    [2012-07-19T16:16:55.422+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 1
    [2012-07-19T16:17:12.750+03:00] [oim_server1] [ERROR] [] [XELLERATE.APIS] [tid: OIMQuartzScheduler_Worker-10] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
    [2012-07-19T16:17:14.703+03:00] [oim_server1] [ERROR] [] [XELLERATE.APIS] [tid: OIMQuartzScheduler_Worker-10] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
    [2012-07-19T16:17:15.203+03:00] [oim_server1] [ERROR] [] [XELLERATE.APIS] [tid: OIMQuartzScheduler_Worker-10] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
    [2012-07-19T16:17:15.703+03:00] [oim_server1] [ERROR] [] [XELLERATE.APIS] [tid: OIMQuartzScheduler_Worker-10] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
    [2012-07-19T16:17:16.469+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 2
    [2012-07-19T16:17:37.516+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 3
    [2012-07-19T16:17:58.562+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 4
    [2012-07-19T16:17:58.562+03:00] [oim_server1] [ERROR] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Class/Method: DirectDB/getConnection encounter some problems: Error while retrieving database connection.Please check for the follwoing[[
    Database srever is running.
    Datasource configuration settings are correct. java.sql.SQLException: Unexpected exception while enlisting XAConnection java.sql.SQLException: Transaction rolled back: Event handler ApprovalInitiation is asynchronous but orchestration is configured as synchronous.
         at weblogic.jdbc.jta.DataSource.enlist(DataSource.java:1616)
         at weblogic.jdbc.jta.DataSource.refreshXAConnAndEnlist(DataSource.java:1503)
         at weblogic.jdbc.jta.DataSource.getConnection(DataSource.java:446)
         at weblogic.jdbc.jta.DataSource.connect(DataSource.java:403)
         at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:364)
         at oracle.iam.platform.utils.vo.OIMDataSource.getConnection(OIMDataSource.java:57)
         at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:200)
         at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:148)
         at com.thortech.xl.dataaccess.tcDataBase.getConnection(tcDataBase.java:3198)
         at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(tcDataBase.java:705)
         at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(tcDataBase.java:271)
         at com.thortech.xl.dataobj.tcDataBase.readStatement(tcDataBase.java:221)
         at com.thortech.xl.dataobj.tcDataBase.getError(tcDataBase.java:700)
         at com.thortech.xl.dataobj.tcDataObj.handleError(tcDataObj.java:1197)
         at com.thortech.xl.dataobj.tcDataObj.handleError(tcDataObj.java:1140)
         at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:487)
         at com.thortech.xl.dataobj.tcORC.insertNonConditionalMilestones(tcORC.java:844)
         at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(tcORC.java:1159)
         at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(tcOrderItemInfo.java:735)
         at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(tcOrderItemInfo.java:171)
         at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(tcUDProcess.java:234)
         at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
         at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
         at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)
         at com.thortech.xl.dataobj.tcORC.autoDOBSave(tcORC.java:2995)
         at com.thortech.xl.dataobj.util.tcOrderPackages.createOrder(tcOrderPackages.java:526)
         at com.thortech.xl.dataobj.util.tcOrderPackages.orderPackageForUser(tcOrderPackages.java:177)
         at com.thortech.xl.dataobj.tcOIU.provision(tcOIU.java:527)
         at com.thortech.xl.dataobj.tcOIU.eventPostInsert(tcOIU.java:303)
         at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
         at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
         at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)
         at com.thortech.xl.dataobj.tcUserProvisionObject.insertImplementation(tcUserProvisionObject.java:283)
         at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:591)
         at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
         at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:104)
         at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:35)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at oracle.iam.platform.kernel.impl.EventHandlerDynamicProxy.invoke(EventHandlerDynamicProxy.java:30)
         at $Proxy250.execute(Unknown Source)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runActionEvents(OrchProcessData.java:1035)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:644)
         at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:716)
         at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
         at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
         at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
         at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy311.onMessage(Unknown Source)
         at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
         at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
         at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:379)
         at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
         at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
         at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
         at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
         at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
         at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
         at weblogic.jdbc.jta.DataSource.refreshXAConnAndEnlist(DataSource.java:1522)
         at weblogic.jdbc.jta.DataSource.getConnection(DataSource.java:446)
         at weblogic.jdbc.jta.DataSource.connect(DataSource.java:403)
         at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:364)
         at oracle.iam.platform.utils.vo.OIMDataSource.getConnection(OIMDataSource.java:57)
         at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:200)
         at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:148)
         at com.thortech.xl.dataaccess.tcDataBase.getConnection(tcDataBase.java:3198)
         at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(tcDataBase.java:705)
         at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(tcDataBase.java:271)
         at com.thortech.xl.dataobj.tcDataBase.readStatement(tcDataBase.java:221)
         at com.thortech.xl.dataobj.tcDataBase.getError(tcDataBase.java:700)
         at com.thortech.xl.dataobj.tcDataObj.handleError(tcDataObj.java:1197)
         at com.thortech.xl.dataobj.tcDataObj.handleError(tcDataObj.java:1140)
         at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:487)
         at com.thortech.xl.dataobj.tcORC.insertNonConditionalMilestones(tcORC.java:844)
         at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(tcORC.java:1159)
         at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(tcOrderItemInfo.java:735)
         at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(tcOrderItemInfo.java:171)
         at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(tcUDProcess.java:234)
         at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
         at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
         at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)
         at com.thortech.xl.dataobj.tcORC.autoDOBSave(tcORC.java:2995)
         at com.thortech.xl.dataobj.util.tcOrderPackages.createOrder(tcOrderPackages.java:526)
         at com.thortech.xl.dataobj.util.tcOrderPackages.orderPackageForUser(tcOrderPackages.java:177)
         at com.thortech.xl.dataobj.tcOIU.provision(tcOIU.java:527)
         at com.thortech.xl.dataobj.tcOIU.eventPostInsert(tcOIU.java:303)
         at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
         at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
         at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)
         at com.thortech.xl.dataobj.tcUserProvisionObject.insertImplementation(tcUserProvisionObject.java:283)
         at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:591)
         at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
         at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:104)
         at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:35)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at oracle.iam.platform.kernel.impl.EventHandlerDynamicProxy.invoke(EventHandlerDynamicProxy.java:30)
         at $Proxy250.execute(Unknown Source)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runActionEvents(OrchProcessData.java:1035)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:644)
         at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:716)
         at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
         at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
         at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
         at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy311.onMessage(Unknown Source)
         at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
         at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
         at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:379)
         at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
         at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
         at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
         at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
         at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
         at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    But when I try to provision this Resource through Access Policy without approval, it works fine!!!
    Please help.
    Edited by: user13830503 on 19/7/2012 6:39

    2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
    Make sure the lookup table exists and is spelled correctly in your process task.

  • OIM 11g R1 Managed Server Failed to Start

    Hi Experts,
    I have configured Weblogic, OIM and OAM with 11.1.1.5 Version -- Complete Full Version Download.
    I haven't applied any patches after that. After changing the Policy Store from file-based to LDAP, I am getting the error below.
    From the error below, I can see that there is some mismatch in the versions between Policy Store and OPSS. Help me in rectifying this issue.
    ========================================================================
    <22-Jan-2013 10:09:57 o'clock GMT> <Notice> <Log Management> <BEA-170019> <The server log file E:\Oracle\Middleware\user_projects\domains\base_domain\servers\oim_server2\logs\oim_server2.log is opened. All server side log events will be written to this file.>
    oracle.security.jps.service.policystore.PolicyStoreIncompatibleVersionException: JPS-06100: Policy Store version 11.1.1.6.0 and Oracle Platform Security Services Version 11.1.1.4.0 are not compatible.
    at oracle.security.jps.internal.policystore.ldap.LdapPolicyStore.initial(LdapPolicyStore.java:402)
    at oracle.security.jps.internal.policystore.ldap.LdapPolicyStore.<init>(LdapPolicyStore.java:365)
    at oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider.getInstance(LdapPolicyStoreProvider.java:153)
    at oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider.getInstance(LdapPolicyStoreProvider.java:73)
    at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
    at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170)
    at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:191)
    at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:132)
    at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:127)
    at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:850)
    at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:844)
    at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
    at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
    at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:285)
    at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    ========================================================================
    Thanks in Advance,
    VA.

  • OAM-OIM 11g User Lockout Question

    All,
    We have an OAM and OIM 11.1.1.3 installation and I am testing the invalid login attempt scenarios and came across the following situation. I was wondering if you could give me steps or some pointers for resolving this:
    1. created an account [email protected] as xelsysadm and reset the password on first login
    2. Have the following OIM default parameters (these are the only configs that i could find are possibly related to this)
    XL.UnlockAfter - 0
    XL.MaxLoginAttempts - 10
    3. Entered incorrect password and for the initial 4 times i got the OAM login screen back with an error message "An incorrect Username or Password was specified"
    4. After 5th attempt i just got the error message "Error
    An incorrect Username or Password was specified"
    5. I go back the http://oimservername:oimport/oim i get the login screen again and enter [email protected] with an incorrect password next 4 times (total 9 now) I get login screen back with "An incorrect Username or Password was specified"
    6. after the 10th attempt with incorrect password i get a different error message with no login screen "Error
    The user account is locked. Please contact Administrator."
    7. I logged into OIM as xelsysadm -> administration -> search user [email protected] and it doesn't show that the account is locked. I lock it anyways explicitly by clicking the button the user screen and click unlock immediately and now enter [email protected] and correct password everything works.
    Few questions that i have are:
    1. How do I get the OAM/OIM system to behave consistently (give an "incorrect username or password" message until the first 9 attempts with a login screen back to the end user and give them an error message at the end that the account is locked)? I am okay with out of the box message text.
    2. How will our operations team understand that the user is really locked, because they have nowhere to go find this information?
    3. What are all the places where I will look for this information in the above scenario when the user account is locked by himself? (OVD/OID, USR table in OIM_DEV schema etc.)
    4. Are there any other best practices that i should follow in setting up the system.
    Thanks in advance for reviewing this.
    Prasad.

    It appears to be all happening in OAM. After researching some more, I found this piece at http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15740/idmint.htm#CACBBIDI.
    But nevertheless it doesn't explain how to unlock the user other than the workaround that I found. Did anyone else have to deal with this?
    x---------------------------------------------------------------x
    2.8.4.4 Account Lock and Unlock
    Oracle Access Manager keeps track of the login attempts and locks the account when the count exceeds the established limit.
    When an account is locked, Oracle Access Manager displays the Help Desk contact information.
    When contacted by the end user, the Help Desk unlocks the account using the Oracle Identity Manager administrative console. Oracle Identity Manager notifies Oracle Access Manager about the changes.
    Account Lock and Unlock Flow
    When the number of unsuccessful user login attempts exceeds the value specified in the password policy, the user account is locked. Any login attempt after the user account has been locked displays a page that provides information about the account unlocking process, which will need to be customized to reflect the process (Help Desk information or similar) that is followed by your organization.
    Note:
    Oracle Identity Manager does not support automatic locking of a user account after a specific period has elapsed.
    The following describes the account locking/unlocking flow:
    1. Using a browser, a user tries to access an application URL that is protected by Oracle Access Manager.
    2. Oracle Access Manager Webgate (SSO Agent) intercepts the request and redirects the user to the Oracle Access Manager login page.
    3. The user submits credentials that fail Oracle Access Manager validation. Oracle Access Manager renders the login page and asks the user to resubmit credentials.
    4. The user's unsuccessful login attempts exceed the limit specified by the policy. Oracle Access Manager locks the user account and redirects the user to the Oracle Access Manager Account Lockout URL, which displays Help Desk contact information.
    5. The user contacts the Help Desk over the telephone and asks an administrator to unlock the account.
    6. Oracle Identity Manager notifies Oracle Access Manager of the account unlock event.
    7. The user attempts to access an application URL and this event triggers the normal Oracle Access Manager single sign-on flow.

  • ISE Authorization Policy Issues

    Hello Team,
    I'm having trouble during my implementation: the User PC never gets an IP Address from the Access VLAN after the AuthZ Policy succeeded.
    I have two vlans in my implementation:
    Vlan ID 802 for Authentication (Subnet 10.2.39.0)
    Vlan ID 50 for Access Users (Subnet Y.Y.Y.Y)
    When I start my User PC, I get an IP for VLAN 802 (10.2.39.3) and after the Posture process, ISE informs the switch to put the User PC port in VLAN 50.
    Here I have my Switch Port Configuration:
    interface GigabitEthernet0/38
     switchport access vlan 802
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 120
     ip access-group ACL-DEFAULT in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 50
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    end
    And Here, I have outputs AuthZ Policy in Action:
    Oct  7 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    Oct  7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    Oct  7 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
    Oct  7 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
    Oct  7 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
    Oct  7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
    SWISNGAC8FL02#
    Oct  7 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    SWISNGAC8FL02#
    Oct  7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    Oct  7 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS
    After that, I have:
    SWISNGAC8FL02#sh auth sess int g0/38 
                Interface:  GigabitEthernet0/38
              MAC Address:  0022.1910.4130
               IP Address:  10.2.39.3
                User-Name:  SNL\enzo.belo
                   Status:  Authz Success
                   Domain:  VOICE
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  50
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A022047000000F6126E9B17
          Acct Session ID:  0x000001A7
                   Handle:  0x710000F7
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    Apparently, everything is OK, but NOT. The User PC never gets IP Address from Access VLAN 50.
    If I do  SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130
      50    0022.1910.4130    STATIC      Gi0/38 
     802    0022.1910.4130    STATIC      Gi0/38 
    And
    SWISNGAC8FL02#sh epm session summary 
    EPM Session Information
    Total sessions seen so far : 17
    Total active sessions      : 1
    Interface                       IP Address        MAC Address     VLAN   Audit Session Id:
    GigabitEthernet0/38     10.2.39.3         0022.1910.4130    802     0A022047000000F6126E9B17
    My Switch is a Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
    I am using ISE Version 1.2.1.198 Patch Info 2
    Could you help me in this Case ?
    Best Regards,
    Daniel Stefani

    It seems like the PC is operating in the VOICE-domain according to the cmd auth sess int you showed. Do you think that has something to do with your problem? I've experienced some PCs having problems with that.
    If you could, try getting the PC to operate in the DATA-domain by not sending the voice-attribute from ISE after the authorization.
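    The check suggested in the reply can be scripted. The following is an added example, not part of the original thread: it parses the switch syslog and the `sh auth sess` output quoted in the question and flags the two symptoms visible there. The /24 mask on 10.2.39.0 is an assumption (the post gives no mask); voice VLAN 120 comes from the posted port configuration.

```python
import ipaddress
import re

# Excerpts copied from the post above (switch syslog and "sh auth sess int g0/38").
SYSLOG = """\
Oct  7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct  7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
Oct  7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
"""
SESSION = """\
            Interface:  GigabitEthernet0/38
           IP Address:  10.2.39.3
               Status:  Authz Success
               Domain:  VOICE
          Vlan Policy:  50
"""

VLAN_RE = re.compile(r"%AUTHMGR-5-VLANASSIGN: VLAN (\d+) assigned to Interface (\S+)")
IP_RE = re.compile(r"%EPM-6-IPEVENT: IP ([\d.]+)\|.*EVENT IP-ASSIGNMENT")


def parse_session(text):
    """Turn 'Key:  Value' lines of 'show authentication sessions' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_syslog(text):
    """Return (last VLAN assigned by the server, IP learned after that assignment)."""
    assigned_vlan, learned_ip = None, None
    for line in text.splitlines():
        match = VLAN_RE.search(line)
        if match:
            # Any address learned before the VLAN change is no longer relevant.
            assigned_vlan, learned_ip = int(match.group(1)), None
            continue
        match = IP_RE.search(line)
        if match:
            learned_ip = match.group(1)
    return assigned_vlan, learned_ip


def diagnose(session, assigned_vlan, learned_ip, auth_subnet, voice_vlan):
    """List symptom codes for a session authorized into a VLAN it never uses."""
    findings = []
    policy = session.get("Vlan Policy", "")
    policy_vlan = int(policy) if policy.isdigit() else None
    # Symptom from the reply: endpoint placed in the VOICE domain while the
    # server-assigned VLAN is the user access VLAN, not the voice VLAN.
    if session.get("Domain") == "VOICE" and policy_vlan not in (None, voice_vlan):
        findings.append("VOICE_DOMAIN_WITH_DATA_VLAN")
    # Symptom from the question: the address learned after the VLAN change
    # still belongs to the authentication subnet.
    if assigned_vlan is not None and learned_ip:
        if ipaddress.ip_address(learned_ip) in ipaddress.ip_network(auth_subnet):
            findings.append("IP_STILL_IN_AUTH_SUBNET")
    return findings


if __name__ == "__main__":
    vlan, ip = parse_syslog(SYSLOG)
    # "10.2.39.0/24" assumes a /24 mask; 120 is the voice VLAN in the port config.
    for code in diagnose(parse_session(SESSION), vlan, ip, "10.2.39.0/24", 120):
        print(code)
```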

  • OIM 11g - User Not enabled After the job "enable user after start date"

    Hi,
    I have a future hired user in OIM whose start date is set in OIM. The status of the user in OIM is 'Disabled Until Start Date'.
    After the start date has passed and the scheduled job 'enable user after start date' is run, I see that the user is still in the status 'Disabled Until Start Date'. I re-run the scheduled job 'enable user after start date', this time manually, still the state of the user remains unchanged.
    Please help in troubleshooting as to find out the root cause of the issue and a workaround/solution, if possible.
    This issue is intermittent and has happened with quite a number of users. Any pointer would be helpful.
    Regards,
    Sudipto S.

    I agree with Nayan.
    One alternative approach can be to write your own custom scheduler which can overcome the limitation of OOTB scheduled job 'enable user after start date'. Let the OOTB job get executed first. After it, your custom scheduler should fire a simple SQL Query:
    SELECT USR_KEY, USR_STATUS FROM USR WHERE USR_START_DATE > SYSDATE - 1 AND USR_START_DATE <= SYSDATE AND USR_STATUS = 'Disabled Until Start Date';
    -- Means those users who are supposed to get enabled today and are still not yet enabled and are in 'Disabled Until Start Date'. Maybe 2-3 user keys at max will come...
    -- The upper bound on USR_START_DATE keeps users whose start date is still in the future out of the result.
    As you said it happens only intermittently and not for all users... So, let the OOTB scheduled job take care of most of such users... And after it has finished, if any user still remains in 'Disabled Until Start Date', your custom scheduler should enable it via using tcUserOperationsIntf.enableUser(userKey);
    Using API is always better than database update... Because APIs trigger downstream provisioning workflows as well and not just updates OIM Database...
    Keeping your constraints in mind, I think it is the correct answer.

  • OIM 11G - Roles, revoke when policy no longer applies behaviour

    When two roles share one or more common resources, will the "revoke resources when policy no longer applies" behaviour preserve the common resources of the other existing role, when the other role is revoked?
    Regards
    Hanif

    As mentioned above, they will keep the resource as long as they are a member of a role that has that resource on the access policy.
    If the access policy has a deny resource listed on it though, that will automatically revoke any instance regardless of other access policy the user has.
    -Kevin
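    The two rules in the answer above, worked through as an added example (not part of the original thread and not OIM code): a simplified model in which a held resource survives while any remaining role's access policy still provisions it, and a deny entry on any applicable policy overrides every grant. Role, policy and resource names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    roles: frozenset            # roles that trigger the policy
    provisions: frozenset       # resources the policy provisions
    denies: frozenset = frozenset()
    revoke_if_no_longer_applies: bool = True


# Constructed sample policies: Finance and Audit share the "AD" resource.
POLICIES = [
    AccessPolicy("P_Finance", frozenset({"Finance"}), frozenset({"AD", "ERP"})),
    AccessPolicy("P_Audit", frozenset({"Audit"}), frozenset({"AD", "LogViewer"})),
    AccessPolicy("P_Contractor", frozenset({"Contractor"}), frozenset(),
                 denies=frozenset({"ERP"})),
    AccessPolicy("P_Legacy", frozenset({"Legacy"}), frozenset({"Mainframe"}),
                 revoke_if_no_longer_applies=False),
]


def applicable(policies, user_roles):
    """Policies triggered by at least one of the user's roles."""
    return [p for p in policies if p.roles & frozenset(user_roles)]


def on_role_change(policies, held, roles_before, roles_after):
    """Split the resources in `held` into (kept, revoked) after a role change."""
    active = applicable(policies, roles_after)
    dropped = [p for p in applicable(policies, roles_before) if p not in active]
    still_granted = set().union(*(p.provisions for p in active))
    denied = set().union(*(p.denies for p in active))

    kept, revoked = set(), set()
    for resource in held:
        if resource in denied:
            # A deny on any applicable policy wins over every grant.
            revoked.add(resource)
        elif resource in still_granted:
            # Another role's policy still provisions it, so it stays.
            kept.add(resource)
        elif any(p.revoke_if_no_longer_applies and resource in p.provisions
                 for p in dropped):
            # Only the dropped policy provided it, and that policy revokes.
            revoked.add(resource)
        else:
            # The dropped policy does not revoke, or the resource was granted
            # outside access policies.
            kept.add(resource)
    return kept, revoked


if __name__ == "__main__":
    print(on_role_change(POLICIES, {"AD", "ERP", "LogViewer"},
                         {"Finance", "Audit"}, {"Audit"}))
```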

  • Java code to check connection to OIM 11g Remote Manager

    Hi,
    I need to check if the remote manager is running or not, for that I am making an API call:
    What RMS data needs to be passed as argument to the below method?
    RemoteManagerOperationsIntf rmObj = (RemoteManagerOperationsIntf)Platform.getService(RemoteManagerOperationsIntf.class);
    rmObj.isRMRunning(+RMSData+);
    Please help.

    package com.thortech.xl.remotemanager;

    import java.io.Serializable;

    public class RMSData implements Serializable {
        private String rmName;
        private String serviceName;
        private String url;
        private boolean isRunning;
        private boolean isITResource = true;
        private RMRemote rmInstance;

        public RMSData() {
        }

        public RMSData(String serviceName, String url, RMRemote rmInstance) {
            this.serviceName = serviceName;
            this.url = url;
            this.rmInstance = rmInstance;
        }

        public boolean isITResource() {
            return this.isITResource;
        }
        public boolean isRunning() {
            return this.isRunning;
        }
        public RMRemote getRmInstance() {
            return this.rmInstance;
        }
        public String getServiceName() {
            return this.serviceName;
        }
        public String getUrl() {
            return this.url;
        }
        public void setITResource(boolean b) {
            this.isITResource = b;
        }
        public void setRunning(boolean b) {
            this.isRunning = b;
        }
        public void setRmInstance(RMRemote remote) {
            this.rmInstance = remote;
        }
        public void setServiceName(String string) {
            this.serviceName = string;
        }
        public void setUrl(String string) {
            this.url = string;
        }
        public String getRmName() {
            return this.rmName;
        }
        public void setRmName(String string) {
            this.rmName = string;
        }
    }
    -Kevin

  • OIM 11g: UDF disappears from User Attributes page

    Hi,
    I was modifying a user defined attribute using the 11.1.1.3 User Attributes configuration page. All I did was change its category to move it to another section of the user profile page. The last remaining field in the category 'disappeared'. It just went from the list of fields in the category. The field still exists on the USR object and still contains all the values. But it's gone from the UI.
    I exported the /file/User.xml from MDS and sure enough the missing attribute is not present in the User.xml file. It is there for the mapping to the back end column, and in another element. But the element that describes the field proper is not there. I've since added the attribute element back in manually and re-imported the metadata using the weblogic environment manager, but the field still does not appear.
    So, my question is does anybody know where else OIM stores the attribute details? Is it in the DB somewhere and merely mirrored in the MDS? What do I need to do to restore the field? (I can't add it in because it says it already exists.)
    Thanks

    PeachEye,
    I was unable to see the UDF's I had created on the user form until I set up a policy for them. Please check the policy around the UDF's.
    I am hoping this can help you.
    From Oracle documentation:
    User's Guide for Oracle Identity Manager
    11g Release 1 (11.1.1)
    E14316-03
    User-defined fields (UDFs) can be added by creating a policy and
    adding attributes in the self service user management
    administration policy in Oracle Identity Administration. To add
    the User defined attributes for view or modification under the
    Attributes tab, these UDFs need to be added to the modify user
    data set for self-service. Also, a custom policy needs to be created
    under self service user management to grant permission to view
    and/or modify these attributes.
    For details on authorization policies, refer "Creating and Managing
    Authorization Policies" on page 15-2.

  • OIM 11g: How to remove rule requiring unique user email addresses

    Use the OIM 11g Administrative and User Console to update a user's email address to be the same as another user's address and on save you get error message:
    "The user with the attribute Email and value [email protected] already exists"
    In OIM 9.1 we used to be allowed duplicate email addresses.
    OIM 11g wants them to be unique (refer OIM 11g User Guide table 11-2 in section "11.2 User Entity Definition" which shows the email attribute properties with unique:yes).
    How do you change this to "unique:no"?
    The OIM 11g Admin Guide section "14 Configuring User Attributes" describes the User.xml file in MDS but doesn't mention unique properties.
    The System Properties accessed via System Management->System Configuration doesn't show anything that looks like an option to enforce email address uniqueness.
    Thanks

    OIM 11g does not allow duplicate email addresses. We asked Oracle about this and they responded that the feature (duplicate email addresses) was "removed from OIM 11g due to sending mail notifications, security and other related
    concerns". We think we can live with this restriction and did not make an enhancement request.
    The user guide does show that email address is unique:
    http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14316/usr_mangmnt.htm#BGBDCDCH
    but there's no way to override the rule.
