OIM 11gR2 : User groups not visible on UI

Similar Messages

• Users/groups not visible in WGM after migration. (UIDs lower than 500)

  I have migrated from a 10.5 to a 10.6 server.
  Some of my user & groups are not visible in the WGM. However, the user can login to the system.
  I discovered that if I check Workgroup Manager > View > Show System Records, that I can see the missing users and groups. The users and groups all of UID/GID's from 100 to 130.
  All of the affected users & groups were created many versions ago, probably Mac OS X 10.1 Server. The accounts that are visible are newer and have UID's starting in either at 501 or 1025. So it looks like overtime OS X server has changed what ID's are used for system vs. users.
  What is the proper way to solve this problem? The WGM will let me to manually change the UID/GID, but I am worried about doing this will not change file ownerships.
  Thansk!

  You are correct, the ACL and or POSIX permissions will not update if you just change the UID of the group or user account. You will need to add the new UID to the directories in question. And be sure to propagate the permissions.
  I would take one each group and user account and use it as a test case to discover how much is involved. Document what steps are needed to make the changes and then do them in bits and pieces.

• LDAP user groups not visible for configuring a Group Portal

  Hi,
  We have created a Custom Security Realm(myRealm) on WebLogic 7.0 SP2 in which
  I've added the Novell LDAP Authentication provider as the authentication provider
  and then set "myRealm" as the default realm for the domain. I am able to start
  the WLS server instance and login to portalAppTools with the "administrator" account.
  We would like to configure a Group Portal. In Portal Administration interfaces,
  when I click on Group Administartion, I am unable to see any of my external LDAP
  groups. I know that we cannot create/delete users or groups in the external LDAP
  repository thru the Admin UI but the documentation says that I should be able
  to view the users/groups in the Admin UI. Authentication against the external
  LDAP repository works fine. Can anybody suggest the reason why we are unable to
  view any of the Users or Groups in our external LDAP repository thru the User
  Administration interfactes.
  Appreciate any feedback.
  Thanks
  Vikram

  Hi Jim,
  I've configured a default LDAP V2 Compatibility Realm by modifying the Config.xml
  file. I was able to restart Weblogic and see the LDAP Groups and Users thru the
  WLS console. In our project we've a unique requirement wherein all Application
  Groups and User Accounts would be stored in an LDAP repository and all BEA SERVICE
  level accounts and groups are stored in a Database (groups like AdminEligible,
  Administrators etc.). We need to be able to look at the groups in both the Database
  and LDAP repositories in order to administer and configure a Group Portal. On
  the outset it looks like we will not be able to do what we want to with the current
  portal framework. Please suggest if there are any alternatives in order to implement
  this solution. I am sure there are lot of other Clients who cannot create groups
  like Administrators, AdminEligible etc in their LDAP repositories and will be
  forced to think of alternatives.
  I would appreciate if you can reply back at your earliest convenience.
  Thanks
  Vikram
  Jim Litton <replyto@newsgroup> wrote:
  The Weblogic 7.0 Authentication Providers (new JAAS Framework) is not
  supported with Portal 7.0. You will need to configure the Compatibility
  Security CustomRealm for Novell to try to get Portal working.
  see defaultLDAPRealmForNovellDirectoryServices at
  http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1083149
  In addition, remember to test functionality through the Weblogic
  Console. If you can see groups and users there okay it is very likely
  that Portal will operate.
  -- Jim
  Vikram wrote:
  Hi,
  We have created a Custom Security Realm(myRealm) on WebLogic 7.0 SP2in which
  I've added the Novell LDAP Authentication provider as the authenticationprovider
  and then set "myRealm" as the default realm for the domain. I am ableto start
  the WLS server instance and login to portalAppTools with the "administrator"account.
  We would like to configure a Group Portal. In Portal Administrationinterfaces,
  when I click on Group Administartion, I am unable to see any of myexternal LDAP
  groups. I know that we cannot create/delete users or groups in theexternal LDAP
  repository thru the Admin UI but the documentation says that I shouldbe able
  to view the users/groups in the Admin UI. Authentication against theexternal
  LDAP repository works fine. Can anybody suggest the reason why we areunable to
  view any of the Users or Groups in our external LDAP repository thruthe User
  Administration interfactes.
  Appreciate any feedback.
  Thanks
  Vikram

• OIM 11gR2 user not provisioning to Active Directory (11.1.1.5 connector)

  Hello all,
  I'm trying to set up an OIM 11gR2 instance to work with Active Directory with the Active Directory 11.1.1.5.0 connector. I've full installed both OIM and AD on separate servers, and I've installed the AD 11.1.1.5 connector on OIM. I have configured Active Directory properly (connector on OIM and the connector server on the AD server-side), and have set up the two IT Resources on OIM. I can run, for example, the Active Directory Organization Lookup Recon job and have it return results in the Lookup window.
  My problem is that I cannot get it to provision to a user. I've created an Application Instance and Form for Active Directory, attached the Form, associated them with the appropriate resources (AD User), and added them to the Catalog, and then gone through the process of adding an account to the user, selecting the Application Instance, adding it to the cart, checking out, filling out the fields (Password, User ID, UPN, First Name, Last Name, Common Name, and Organization Name), and then submitting the request. This is all done as the xelsysadm admin user, but it still results with the account stuck on "Provisioning" because the "Create User" task failed due to a Connector Error (the reason stated is just a repeat of "Create Object" failed).
  Anyone know what I'm missing here?
  Thank you!
  Edited by: 939908 on Nov 12, 2012 6:36 AM

  Hey 833249, thanks for your reply
  The organization field attribute is filled in correctly, in that the OU I selected exists in AD.
  These are the errors listed in the connector server log:
  +11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception occured during the creation of directory entry.+
  +11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Message : Logon failure: unknown user name or bad password.+
  +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Stack Trace : at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)+
  at System.DirectoryServices.DirectoryEntry.Bind()
  at System.DirectoryServices.DirectoryEntry.get_NativeObject()
  at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1423
  +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Encountered Excetion: Unable to get the Directory Entry+
  +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Stack Trace: at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1456+
  at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.DirectoryEntryExists(String path) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1512
  at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 219
  ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry
  at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 368
  at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 388
  at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
  at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
  at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
  I'm not sure why the username/password error could be occurring, as those fields in the AD IT Resource are correct (I've run AD recon jobs that have connected properly). Is there something I'm missing?

• USR user defined field in OIM design console in not visible

  Hi all,
  We have OIM setup in the environment and wanted to add some custom attributes for USR user defined field definition. When I open the User Defined Field Definition tab, I could not see USR form. When I tried to export specific users from OIM just to check whether USR is visible or not, it is appearing. When I tried to import the same set of users again to OIM, I could still not be able to see USR in OIM design console.
  Any ideas why this has happened? There were no changes in OIM env recently.
  Please help.
  -Mahendra.

  Exported the user in xml file and found that Form Administrator is missing. I added that specific section from other working environment and it is working fine now.
  -Mahendra.

• Users & Groups not in Get Info options

  When opening a Get Info window to change Sharing & Permissions, adding a new entry to the list shows maybe 4 options when the OS has dozens of users & groups. Why are standard options like "staff" not showing up?

  I need to enable a folder to be read/write by "staff" for a specific application I am using, and the new GUI isn't allowing me to do that
  What app is it? Why does it require you to do this? What folder is it that you want to modify? What are you trying to achieve? More then likely there is a better way to do it, or may not be needed in the first place.
  Lasso web application. In order to execute file editing commands (read txt files, write them, manipulate uploads, etc), the target file/folder must have, under the POSIX rules of 10.4, either an owner of "lasso" (a user created by the software), or the group of "staff."
  In order to make the source code files themselves easy to administer on the server, I typically have always left owner as the main user I log into the system with, and set group to staff. This is the most convenient configuration for ≤ 10.4 systems.
  In 10.5, after copying files to servers I'm seeing a mixture in the Get Info ACL of {user owner}, admin, and everyone in some systems, and {user owner}, staff, and everyone in other systems. Haven't tracked down why the difference (I suspect preservation of permissions somehow during the copy). Even when staff is in the ACL, it's not a part of the options the GUI presents.
  Anyway, I was trying to take advantage of the ACL in allowing two otherwise separate users/groups to have some shared access, and needed "staff" as a group for these files.
  I didn't just use the chgrp command as I don't yet know the consequence of using POSIX commands on what I want to be ACL controls. So, am trying to do some digging into all that now. I was just thrown by the lack of visibility of all the usual user & groups options I am used to seeing in ≤ 10.4.

• Groups not visible in GAL

  Hi All,
   We are in co-existence with OCS 2007 R2 and Lync 2013. The security groups are visible in the users who are still located at OCS pool and using OCS client, but not users who are moved to Lync 213 and using Lync 2013 client and OCS 2007 R2 pool users
  and using Lycn 2013 client. Both the files GalContacts.db
  and GalContacts.db.idx
  are not seen among the uses who use Lync 2013 clients.
  Which server generated the address book OCS FE or Lync 2013 FE during the co-existence? How to configure Lync 2013 FE to generate the Addressbook.
  Regards,
  Swamy

  I have noticed the command fails when i use  -TargetUri https://southlyncpool.contoso.com/abs/handler, but succeeds when i use -TargetUri https://southlyncintweb.contoso.com:443/abs/handler
  adding :443 at the URL suceeds !!
  Test-CsAddressBookService -TargetUri https://southlyncpool.contoso.com/abs/handler -UserSipAddress "sip:[email protected]"
  Target Fqdn   :
  Target Uri    : https://southlyncpool.contoso.com/abs/handler
  Result        : Failure
  Latency       : 00:00:00
  Error Message : Getting web ticket for the given user is failed. Error Code: 28037 , Error Reason: The AppliesTo element of web ticket request points to a different web server or site.
  Diagnosis     :
  Test-CsAddressBookService -TargetUri https://southlyncintweb.contoso.com:443/abs/handler -UserSipAddress "sip:[email protected]"
  Target Fqdn   :
  Target Uri    : https://southlyncintweb.contoso.com:443/abs/handler
  Result        : Success
  Latency       : 00:00:00
  Error Message :
  Diagnosis     :

• Custom attributes added to user objects not visible in OWA address book

  Hi,
  I am using Exchange 2013 and recently added a new custom attribute in the user object properties using the details template editor to be visible in the GAL  The new attribute is correctly getting displayed in the GAL from outlook clients but not visible
  in OWA address book. Is there a way to update the display of user objects in OWA address book to include the new custom attribute?
  Thanks!

  Hi Abu,
  Please see following link:
  Customize Details Templates
  http://technet.microsoft.com/en-us/library/ms.exch.toolbox.detailstemplate(v=exchg.150).aspx
  It says, Use the Details Templates Editor to customize the client-side graphical user interface (GUI) presentation of object properties that are accessed by using address lists in Microsoft Outlook.
  My understanding is this setting only visible in Outlook.
  Please correct me if there is any misunderstanding.
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• Message thrown as User group not created

  Hi,
  When the User tries to access a Transaction Code which is a (Query created from table BSEG) he gets a message that User Group has not yet been created, where as the User Group has been created and can be seen.
  We checked the SU53 screen after accessing this transaction and all checks were successful.
  Please provide ur suggestions.
  Regards,
  Priya

  Just check if the query is attached is to a User Group or not .
  GOTO to SQ02 find the infoset for the query
  goto to Environment->User Group .
  Please check this and reward if useful.

• New user creation in AE- user group not getting assigned

  Hi All,
  Here is a typical case, wherein when we create a new user with AE for the production system, the user gets created and the roles are also assigned but the user group is not getting assigned. The user group is being fetched from a table from the backend and all that is working fine. Infact in order to test the configurations we even created a new user in the production instance of AE giving the development system as the target system for user creation and in this case the user was successfully created and the user group is also assigned. The problem is arising only when the target system is production system.
  Connectors are all working fine, but we are unable to think of a reason. Can somebody help us on this?

  Hi Vani,
  If you are provisioning the user group using user defaults, check  that production system is selected in the user defaults configured. Configuration -> user defaults. You can define any user default system, but for perticuticular user defaults that is applicable define all the systems, in which you want user defaults to be provisioned.
  Kind Regards,
  Srinivasan

• Batch Risk Analysis in Full Sync mode with special user groups not working

  Dear All,
  we start Batch Risk Analyse Job in Full Sync with special User groups (use Range). In the Joblog I can see, that he selecet lesser users as in jobs before. But after all is finished (also managment job) when I go in Informer, he shows me also this user groups I have no analysed in Backgroudjob... Also he shows me in the detailed anlayse the date from a run before.. And we have deactivated some Risk - these are still in the analysis.
  Have some one a information for me what here is wrong..
  Best Regards
  Gabriele Herr

  to old..

• BPC 7.5 - Domain User Group Not Work - Configuration Server Manager

  Hi Guys,
  I install BPC 7.5 from NW. From the PC client only work ok with the same user OWNER the BPC .NET. In  Server Manger -> Option
  -> Define Systems User Group, add the follow data:
  - System user group name= Domain Users
  - Domain Type=Active Directory
  - Domain Name = BAIRES
  Is correct the Syntax? or need use the form OU=xxxx?
  Thanks.

  Ok, thanks, and So I have other problem. I need Add User from different Domains, How configure this?
  Tks

• Custom User Attributes not visible on user profile in OIM 11g

  hi ,
  As I have created a custom attribute in OIM11g. I am not able to view the attribute after I crate a User in OIM.
  Please help me in solving my issue .
  Thanks
  srikanth

  It's a very basic thing. Just try creating an Authorization Policy and you would know how to do it. For your refernce I am also pasting the excerpt from the same Metalink Article
  After creating the UDF, please follow the below steps to make the UDF visible for modification by an admin user:
  1. Navigate to create a new 'Authorization Policy'as below:
  a. Login to UI and click on Administration
  b. On the top left you will see the Authorization Policy tab
  c. Now click on Create Authorization Policy
  2. Please use the below information to create the Authorization Policy
  a. Name: UDF policy
  b. Entity Name: User Management
  c. Permissionsc. Permissions:
  i. Modify User Profile
  ii. View User Profile
  Please make sure that the UDF is selected in the attributes for these permissions.
  d. Data Constraints: All Users
  e. Policy assignment: All Users
  3. Create a user called "useradmin' and add the below 2 roles:
  a. All Users (This is default)
  b. Identity User Administrators (This will provide the administrative tab to this user so that he can administer other users)
  4. Create another end user called 'testuser1' populations the necessary fields.
  5. Now login as 'useradmin'
  6. Search for a user called 'testuser1' and open the user.

• OIM 11gR2 Approval workflow not getting triggered

  I created an approval workflow by following the 11gR2 developer's guide and deployed it. then created an app instance and also an approval policy for operational level which is auto approved and for request level with this composite. when i raise a request for this app instance in the catalog the SOA composite is not getting triggered. I am able to see a task in pending approval of system admin whenever i raise request for any user and if i complete that pending approval the app gets provisioned directly. Also i do not see any request ID also. please help to find out whats going wrong

  Now i tried raising a request from another user who is not a member of SYSADMIN role. This time the request id is generated and a task 'Manual Task for Provision operation for Beneficiary X' is generated in pending approvals of xelsysadm user. When completed the app instance gets provisioned. So this means operational level approval task is triggered? and it has auto-provisioning?
  why my custom approval workflow is not getting triggered?
  I have created 2 approval policies, one for request level which is auto approval and other for operational level where i have selected the deployed composite name.In both the approval policies i have selected the request type as Provision ApplicationInstance. There is no error also while deploying the composite. Am i missing any step? please help.
  Edited by: 955932 on Jan 10, 2013 10:19 PM

• Is there a workaround to CSCtn42049 user groups not deleted on topology?

  My customer has 200 devices and the topology view is very dificult to visualize.
  I tried using user defined groups, but after deleting them to start over they keep on the topology.
  It´s probably the CSCtn42049 bug.
  Is there a way to mannualy clear the topology and get rid of that deleted groups from topology?
  Besides that on the Level 2 map I see several Ethernet segments that causes the links not shown
  properly as they should. All links have CDP activated.
  Is there a procedure to troublesoot and correct the topology in order to have the links shown direct from one device to the other like most
  of them are shown?

  The 2012 (no camera on back) was the one that has Tegra 3.
  The old flash 11.1 should work on Nexus 7 2013 if it has Android 4.x, however with Android 5.0 or Lollipop I am not sure.