OIM 11gR2 : Regarding GTC

Similar Messages

• OIM 11gR2 : Regarding AD recon scheduled jobs

  Hi,
  I have configured OIM 11gR2 with AD.
  1. What all fields can i use for making a filter condition for running the various recon scheduled jobs.
  2. Also, the default field on which sort is there is samAccountName. What all fields can we use apart from this ?
  Kind Regards,

  Yes, I have tried that but that didn't work as in AD you just have a name of an element in CN. Beside that OU doesn't have a CN.

• OIM 11gR2: GTC logical cancellation

  Hi all,
  in our OIM environment (OIM 11gR2) we have installed and configured a GTC that provisions and reconciliates to and from an Oracle Database Application Table.
  The GTC works fine and when we try to revoke an account, it deletes the account from target system.
  What we would like to implement is the "logical cancellation" functionality. Upon account revocation, the GTC should sets the value "1" to one of the target system fields (named "IS_DELETED") instead deletes it from target system.
  Is it possible to achieve this?
  Thanks in advance,
  Daniele

  Is it possible to achieve this?You can modify the process definition at any point of time. Remove the existing adapter and attach your own adapter which will do the logical cancellation.
  If you are looking for some configuration in GTC itself then I don't think it is possible.

• Pre populate adapter in OIM 11gr2 not triggered in database

  Hello,
  Folowing is the steps for creation of pre populated adapter in OIM
  ** we have created one form in OIM which is provisioned to Database**
  Steps
  · Installed GTC connector for Database Web App 9.*
  · Created new user and Table in Database
  · Created IT resource for Database
  · Created Sandbox, App Instance and Form, published sandbox
  · Started catalog synchronization job scheduler
  · Created user and and request account to app instance.
  * select application instance to catalog and checkout.
  ** we have created adapter as per the following link
  http://idmrockstar.com/blog/2009/08/how-to-create-a-prepopulate-adapter-in-oim/
  create a pre populated adapter that will populate the firstname of user in email using java class
  source code:
  public class AdapterClass{
  public String email( String fname )
  return fname;
  Steps:
  1) In the design console I have open the Adapter Factory and create a new adapter name :firstname
  adapter type: pre-populate rule generator
  click on save
  2) select variable list tab:
  variable name:Firstname
  type:String
  Map to : Resolve at runtime
  click on save
  3) select Adapter Task tab
  * click add and select logical task
  * select SET VARIABLE and click continue
  * Operand Type:variable
  * Operand Qualifier : FIrstname
  click save and save the adapter
  4) compile the java class into jar file and move the jar file into OIM_HOME\server\JavaTasks
  5)Create a new Adapter with the following"
  Adapter name:Email
  Adapter type: Pre-populate rule Generator
  click save
  6) select variable list tab:
  variable name: var1
  Type:String
  Map to:Resolve at runtime and click save
  7) select Functional Task tab:"
  select java click continue
  select the following information:
  Task name:email
  Api source: JavataskJar:Adapterclass.jar( the jar file which you have create)
  application api: adapteclass
  click save
  8) In the Application method parameters,select the first input: String
  Cange Map to:Adapter variables
  Set the name to:var1 and click save
  9) select the output:STring
  change map to:Adapter variables
  set name to: return variable
  10) click save and save the adapter and click on Build
  Adapter is now build the next step isto join it to the form
  ** join the adapter to the form**
  Steps:
  1) click on form designer and search the related form which we have created
  2) In the respective form click on create a new version and create a new version
  3) and then click on Pre populate tab and click on ADD
  4)select adapter field to firstname
  Rule : default
  Adapter : Firstname
  and click on save
  5) In the adapter variable field click on firstname and fill the following
  map to: Process data
  Qualifier : firstname
  6) Repeat steps 3 to 5 to map the email adapter
  7) click on save.
  Now we have done with all the steps and now we have created one User submit the user
  we have click on request acounts ---> search the catalog and select the application instance (select the app instance "database provisioning") ---> add to cart ---> and check out ---> fill the form leaving email field --> ready to submit ---> submit
  now we have check this user in database but still pre populated fields are not reflected. since this not working so we have found the other three links
  Re: OIM 11gR2 - Prepopulate Field Empty Problem
  http://fusionsecurity.blogspot.in/2013/01/populating-request-attributes-in-oim.html
  http://identityandaccessmanager.blogspot.in/2011/07/prepopulate-adapter-in-oim-11g.html
  according to these links they mention to implements the prepopulationadapter interface into the java class and create the plugin.xml for the class which we have used in jar.
  so we prepared a plugin.xml
  <?xml version="1.0" encoding="UTF-8" ?>
  <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <plugins pluginpoint="oracle.iam.request.plugins.PrePopulationAdapter">
  <plugin pluginclass= "com.oracle.demo.iam.prepop.plugin.UserLoginPrePop" version="1.0" name="UserLoginPrePop">
  <metadata name="PrePopulationAdapater">
  <value> My_users::email</value>
  </metadata>
  </plugin>
  </plugins>
  </oimplugins>
  and the java class which implements "PrePopulationAdapter".
  they mention to put that jar into one directory named "lib"and paste the xml and lib folder into the OIM_HOME\server\plugin
  BUt we stuck on how to configure the adapter or what is the next steps for the above process. or there is something that we have missed in the process
  please do reply its urgent
  Regards,
  Tushar Palekar

  hii i have followed all your steps regarding the pre populated adapter ,but no luck.
  java code :
  package com.oracle.demo.iam.prepop.plugin;
  import java.io.Serializable;
  import oracle.iam.request.plugins.PrePopulationAdapter;
  import oracle.iam.request.vo.RequestData;
  public class Userfname implements PrePopulationAdapter {
  public Serializable prepopulate(RequestData requestData){
  String fname = "xyz";
  System.out.println("Returning fname ==== " + fname );
  return fname ;
  2)i have create a jar for this code and paste it into lib folder.
  3) i have create a plugin.xml
  <?xml version="1.0" encoding="UTF-8" ?>
  <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <*plugins pluginpoint="oracle.iam.request.plugins.PrePopulationAdapter">*
  *<plugin pluginclass= "com.oracle.demo.iam.prepop.plugin.Userfname" version="1.0" name="Userfname">*
  *<metadata name="PrePopulationAdapater">*
  *<value>register::LAST_NAME</value>*
  *</metadata>*
  *</plugin>*
  *</plugins>*
  *</oimplugins>*
  4)i register the plugin using ant -f  pluginregistration.xml register
  5)i have restartthe oim server and then i create a user using the same app instatnce in which i have create the form(ie.register),and
  request acount-->select app instance ---> add to cart
  but the last name xyz as per the java code is not reflected in the dadbase table.
  please help
  tushar palekar

• OIM 11GR2 UNIX Connector Reconcile users from UNIX inquiry

  Good Day!
  I would like to ask whether there is a way in OIM that when I reconcile all new users from my UNIX server, OIM will also create the resource which this user is provisioned upon?
  Here is my scenario:
  1.) Freshly installed OIM 11GR2.
  2.) Installed UNIX connector on OIM 11GR2.
  3.) Configured UNIX TRUSTED Resource
  4.) Reconciled all the UNIX users into OIM. (New users are created since my OIM doesn't have any user)
  5.) The problem is when the new users are now created in OIM, they don't have entitlements or accounts linked to the UNIX server which they have been pulled upon.
  I would like to ask whether I need to configure something to have the entitlements/accounts linking possible?
  If not, what are the ways I can achieve this?
  The only way I can think of is have the UNIX users be created in a flat file first then load via GTC then have reconciliation to have OIM to link these users to UNIX which I believe should be able to do the scenario I am asking upon.
  Thanks in advance!
  Regards,
  Jeff

  By the way, checking target resource recon by default will not create new users when OIM is not able to establish a link.
  In my case, OIM doesn't have any users since this is a fresh install hence even running target resource at start will won't create the new users in OIM right?
  based from this:
  "You configure application (AD, OID, OVD, HR) etc in Target Resource Mode if that OIM is source of truth for user provisioning (All users are created in OIM and OIM then provision accounts in Application. Any changes in Application are reconciled back to OIM)."

• Webservice Client is not working in OIM 11gR2

  Hi,
  We have created a web client using Axis 1.6.2 and using it in OIM 11gR2 for Request Validator Plugin. But we are getting issue that org.apache.axiom.om.OMAbstractFactory. getOMFactory() is not found. When we checked the JARs in class path we found that OIM Already has lower version of axiom1.2.5 in its class path under oim.ear which doesn't contain this method however Axis1.6.2 contains the newer version which contain this method. Does anybody has any idea how to override OIM default classpath JAR file and force it to read the library files available under plugin?

  Hi
  I am facing similar issue but with Custom Adapter . I copied the axis jars under the JavaTasks folder but it does not help.
  I then copied them under the oim.ear/APP_INF/lib and restarted the OIM managed server but somehow even that does not help.
  I get following error.
  Caused by: java.lang.NoSuchMethodError: org/apache/axiom/om/OMAbstractFactory.getMetaFactory()Lorg/apache/axiom/om/OMMetaFactory;
          at org.apache.axiom.om.OMXMLBuilderFactory.createOMBuilder(OMXMLBuilderFactory.java:150)
          at org.apache.axiom.om.OMXMLBuilderFactory.createOMBuilder(OMXMLBuilderFactory.java:133)
          at org.apache.axiom.om.OMXMLBuilderFactory.createOMBuilder(OMXMLBuilderFactory.java:104)
          at org.apache.axis2.util.XMLUtils.toOM(XMLUtils.java:590)
          at org.apache.axis2.util.XMLUtils.toOM(XMLUtils.java:575)
          at org.apache.axis2.deployment.DescriptionBuilder.buildOM(DescriptionBuilder.java:97)
          at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:90)
          at org.apache.axis2.deployment.DeploymentEngine.populateAxisConfiguration(DeploymentEngine.java:857)
          at org.apache.axis2.deployment.FileSystemConfigurator.getAxisConfiguration(FileSystemConfigurator.java:116)
          at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:64)
          at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromFileSystem(ConfigurationContextFactory.java:210)
          at org.apache.axis2.client.ServiceClient.configureServiceClient(ServiceClient.java:151)
  Any pointer on how I can try to resolve it.
  Regards
  Abhinav

• Replicating the app functionality from OIM 10g to OIM 11gR2

  Hi,
  I have a resource object with an object form and a process form and approval, provisioning configured in OIM 10g design console. Provisioning is manual provisioning assigned to a particular group based on a task assignment adapter. For replicating the same in OIM 11gR2 i followed the following steps.
  1. Created a Resource object in Design console.
  2. Created a dummy IT Resource ( Since while creating app instance it is having IT Resource as Mandatory field. * Is there any way to skip this as i do not have any IT resource in my original app as it is going for manual provisioning?)*
  3. Created a process form in Design Console with the same fields as present in my 10g app process form.
  4. Now i need to Create an app instance and select the created resource object and IT resoource. Also i need to create a form associated with the app instance in which i will add the fields as present in the object form in my 10g app. ( Here i am not understanding how data will flow from object form to process form since there is no data flow mapping here)
  5. Other steps like creating the SOA composite with human tasks and deploying it and after that creating approval policies is pretty much clear.
  Please clarify whether the steps are correct and also the queries which i have posted in between. Thanks in advance.
  Regards,
  Durgaprasad
  Edited by: Durgaprasad on Jan 17, 2013 3:38 AM

  Thanks Gyanprakash. Wll disconnected resource trigger our custom approval process if we select the resource name properly in scope in operational level approval policy. Have you tried a disconnected resource with your custom approval process. Because i read the following lines in admin guide
  Oracle Identity Manager supports provisioning of disconnected resources by using the SOA worklist for manual provisioning of disconnected resources. After the role-based provisioning decision or SOA request approval is complete and the corresponding application instance is determined to be a disconnected application instance, a new SOA workflow is started. This new SOA workflow is assigned to the manual provisioning administrator.
  So i thought disconnected app instance will have its own approval process configured during the creation and it will route accordingly. So just wanted to clarify how to make disconnected app instance to trigger our approval. will approval policay take care of it as i am going to select the name of the disconnected app in the scope field.

• OIM 11gR2- Approved Requests remain in Operation Initiated Status

  Hi,
  We are using OIM 11gR2 and we are seeing the following behaviour whenver we request for Application Instance
  1) End User logs in and requests for Application Instance.
  2) The request is created and assigned to the manager for approval.
  3) Manager logs in and approves the request.
  4) The Requested resource is assigned to the user and the status of the resource is Provisioned. All the tasks in the Resource History are in Completed status.
  5) If we see the status of the request, it remains in Operation Initiated status.
  We expect the status of the Request to be Request Completed and not remain in Operation Initiated. We are sending a mail notification to the manager once resource is provisioned.
  If we remove the notification part, the status of the Request is coming as Request Completed as expected. However with notification getting triggered we are getting problem.
  Please suggest a solution.
  Thanks and Regards,
  Mayuri
  Edited by: 943112 on Mar 11, 2013 7:09 AM

  Usually after the request is approved and if there is any pending task in provisioning it goes to 'Post Operation Processing Initiated' status. If 'Task to Object Status' mapping is not done properly the request stays in the same status even though all the tasks are completed.
  check this link for various request status
  http://docs.oracle.com/cd/E27559_01/user.1112/e27151/req_mangmnt_user.htm#BGBGIIDH
  In your case it is going to 'Operation Initiated' status when notification is attached. Can you tell where have you triggered notification? In SOA approval task or in Provisioning process? If it is in SOA check whether proper status is returned to the callback webservice after that. Else if it is in provisioning check for task object status mapping.

• OIM 11gR2 : User groups not visible on UI

  Hello Experts,
  I have a requirement in which i need to assign the user provisioned to AD to some group(s) depending upon certain conditions like BU, Location etc. I created a Process Task adapter for the same and am able to successfully assign the users to the desired groups.
  But i am able to check for this validity from the Backend only.
  Ideally the groups assigned to the user must be visible after following these steps:
  *1. Search for a user provisioned to AD.
  2. Go the the Accounts tab.
  3. Click on the AD account (to which the user has been provisioned)
  4. A process form is displayed in the lower half of the webpage which also shows the information regarding the groups assigned to the User. But the groups are not getting displayed.*
  Kindly Help.
  Edited by: IDM_newbie on Jan 24, 2013 11:24 PM

  But sir, the groups are listed under the Accounts tab. Is there any schedule job provided by OIM 11gR2 which results in the display of Groups assigned to the user as well under the Accounts tab ?
  Edited by: IDM_newbie on Jan 25, 2013 1:51 AM

• Request dataset in OIM 11gr2

  Hi Experts,
  I have integrated OIM 11gR2 with Siebel and able to provision by xelsysadm. My requirement is End User will be raising request for siebel resource and approval workflow associated with is triggered.
  1. End user raising the request is able to view the process form, I need to restrict few attributes i.e. position and responsiblity should not be visible to end user
  2. Position and Responsibility should be provided by approver (this is specified in request data set of provision resource)
  3. As per Oracle document there is no request data set for PROVISION and MODIFY resource. What is the replacement for this?
  4. After Request is raised it has been assgined to xelsysadm, how do i control the approval ?
  Regards
  A Abhinay

  1. End user raising the request is able to view the process form, I need to restrict few attributes i.e. position and responsiblity should not be visible to end userEnd user will see Application Instance Form and you can customize the UI to hide attributes
  2. Position and Responsibility should be provided by approver (this is specified in request data set of provision resource)
  Make your Java Code/Beans/Expression to show/hide attributes conditionally.
  3. As per Oracle document there is no request data set for PROVISION and MODIFY resource. What is the replacement for this?Application Instance Form
  4. After Request is raised it has been assgined to xelsysadm, how do i control the approval ?Approval Policies

• OIM 11gR2 - unable to suppress display of iPlanet process form

  OIM 11gR2 or 11.1.2
  SJSDS Connector 9.0.4
  I have configured the SJSDS connector, it resource, etc and am able to manually/directly provision iPlanet User to an OIM user through the identity interface.
  I have configured the process form to pre-populate all necessary fields.
  I have checked the Auto Save Form checkbox within the iPlanet User Process Definition.
  It is my expectation that when an administrator directly assigns the resource to a user they will not be presented with the process form. However, when we directly assign the resource, the process form is displayed causing the administrator to submit the form.
  I have double checked the documentation regarding Auto Save Form within the Developer's Guide for Oracle Identity Manager 11g Release 2 (11.1.2) - E27150-03 and the Oracle® Identity Manager Connector Guide for Sun Java System Directory Release 9.0.4 - E10446-12 and I believe my expectations are correct.
  1) Has anyone successfully suppressed the process form while direct or manually provisioning SJSDS through the identity interface?
  2) Could the Auto Save Form be only related to request-based provisioning?
  Thank you in advance.

  These are also good questions but I'll give details :-)
  1) Does that make the "Auto Save Form" checkbox useless? -
  NO, If you don't do this then your Provisioning will stuck into System Validation.
  2) Can you "Auto Save" the Application Instance form?
  NO, as per Oracle either hide these attributes or delete these attributes but there's no clean way to delete such things.
  Question For You:
  If you don't want to Auto Save your Application Instance Form then why did you create that.
  Workaround:
  If you don't want Application Instance then create one more Application Instance without any form

• OIM 11gR2 Active Directory integration issue

  Hi,
  I am trying to install AD connector on OIM 11gR2 and have successfully performed all the necessary and relevant steps according to the deployment guide.
  When i am trying to test the connector though, by running the "Active Directory Organization Lookup Recon" scheduled job i am getting the following error:
  Exception Message oracle.iam.connectors.icfcommon.exceptions.Integration
  Exception: The value for a key [Host] is not defined in the provided map.
  Kindly help me out with this
  Best Regards,
  Varun

  Hi,
  i hope you are using the AD New connector(i.e. ICF based ) and your connector server key is not set properly. Most of the cases this is arises because of connector parameters. So verify the connector parameters and also have you put the AD connector jars on connector server side.
  _Saurabh                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

• Problem handling SMTP address with OIM 11gR2 Exchange connector

  Hello,
  I have a problem in regarding the primary SMTP address with the Exchange connector. The connector doesn't seem to be able to update it. Changing a user's primary SMTP address from its account details in OIM creates a new secondary address in Exchange. It does not change the current primary SMTP address. This does not look like a normal behavior... Any ideas on how to fix this?
  I'm using OIM 11gR2 with BP10 with AD 11.1.1.5.0A and Exchange 11.1.1.5.0.
  Thanks,
  --jtellier

  Yes, you can try out few things suggested in below thread
  Re: Exchange Provisioning
  The error looks like form exchange server side but still not sure about it.
  Meantime open Service Request with oracle about the same as I can see other developers are also facing same issue.

• Undeploying a SOA composite in OIM 11gR2

  I have two versions of approval processes deployed in SOA. What are the steps to undeploy the older version SOA composite which is not in use. Thanks in advance

  Hi karthik,
  Thanks. Is registering a workflow using the registerworkflows-mp.xml still necessary in OIM 11gR2. Because i saw this step skipped in 11gR2 developer's guide. My custom workflow was not working anywaz. Is it because i did not register the workflow first hand. I thought this step is not necessary as it was not given in OIM 11gr2 developer's guide.
  Regards,
  Durgaprasad

• Organization Admin control in OIM 11gR2

  Hi,
  I was trying to configure Organization Admin control in OIM 11gR2. Our requirement is to configure roles having read access of organization (members of this role can only see the members of the organization but cannot update it), roles having admin control on organization (where members of this roles can read/write/execute member access). There should be different set of roles having access on different organization where members from one role cannot access the members of the other organization. I tried to configure these security models but the only thing i could find in organization is Admin Roles which also i couldn't able to configure very well :(. Can someone point me to the correct documentation or procedure/tool which we should use to achieve such functionality (These functionalities are very easily available in OIM 10g but couldn't find in 11gR2 :( )

  If you add the members of a role to the Admin Roles of a given Organization (Specifically OrclOIMOrgViewer Admin Role). The users will be able to see the users in that organization.
  A few things to consider:
  Only xelsysadm or a users in the System Administrator Admin Role can assign users to Admin Roles within the scope of an Organization.
  Here is a piece of code that you can use to programmatically add users to the Admin Role OrclOIMOrgViewer:
  public List getScopedAdminRoleMemberships() {   // This one gets the list of all admin roles scoped by Organization
  Hashtable env = new Hashtable();
  env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,"weblogic.jndi.WLInitialContextFactory");
  env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
  OIMClient oimClient = new OIMClient(env);
  try {
  oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
  } catch (LoginException e) {
  throw new RuntimeException(e.getMessage(), e);
  AdminRoleService adminRoleSvc = oimClient.getService(AdminRoleService.class);
  return adminRoleSvc.getScopedAdminRoles();
  public AdminRoleMembership addAdminRoleMembershipFor(String userId, AdminRole role, String scopeId) {  // This method adds the user identified by userId (pass usr_key not usr_login) to the Admin Role in Org whose key (act_key) is
  // passed as a parameter in the scopeId.
  AdminRoleMembership membership = new AdminRoleMembership();
  membership.setAdminRole(role);
  membership.setUserId(userId);
  membership.setScopeId(scopeId);
  Hashtable env = new Hashtable();
  env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,"weblogic.jndi.WLInitialContextFactory");
  env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
  OIMClient oimClient = new OIMClient(env);
  try {
  oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
  } catch (LoginException e) {
  throw new RuntimeException(e.getMessage(), e);
  AdminRoleService adminRoleSvc = oimClient.getService(AdminRoleService.class);
  return adminRoleSvc.addAdminRoleMembership(membership);
  This should give you what you need. Remember, the API's work with act_key and usr_key values don't use Org Names or User Logins.
  Hope this helps.
  Regards
  Alex Lopez