OIM 9.1.0.2 Group Membership Removal for Disabled Users

Similar Messages

• Remove GrantSendOnBehalfTo disabled user accounts - A novice at scripting

  Hello.  Can anyone help please
  In our exchange 2010 environment we have users who are granted send on behalf to access.  Obviously some users leave and I m finding that there are ghosts left behind which are causing issues with our team who add users into the grantsendonbehalfto
  option using the EMC.  Using the log view we coy out the command and then remove the disabled user from the command and then paste this into an Exchange Powershell command line.  This wrks because it is doing what Exchange EMC does which is rewrites
  the -GrantSendOnBehalfTo option in it new entirety.  
  The problem occurs because I need to remove these en-mass from approx 700 plus accounts.  
  I have tried to modify one user in order to get the script to work but it doesn't.
  This is the error message that happens when I run the script below against a known account with at least 2 disabled users in:-
  Couldn't find object "xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2013-08/Gaynor Collins-Punter". Please make sure that i
   was spelled correctly or specify a different object. Reason: The recipient xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2
  13-08/Gaynor Collins-Punter isn't the expected type.
      + CategoryInfo          : NotSpecified: (:) [], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : F6498844
      + PSComputerName        : ex02-0029.xx.xxxxxxx.xxx.xx
  Am running the script from my local PC
  This is the script I have used.
  # Gather info use get-mailbox -resultsize unlimited$mailboxes = Get-Mailbox zplew1
  Foreach($mailbox in $mailboxes)
  for($i = ($mailbox.GrantSendOnBehalfTo.count)-1; $i -ge 0; $i--)
  $address=$mailbox.GrantSendOnBehalfTo[$i]
  $addressString=$address.addressString
  If($addressString -like "*disabled*")
  $mailbox.GrantSendOnBehalfTo.removeat($i)
  $info >> "C:\Scripts\grantsendonbehalfto.csv"
  $mailbox |set-mailbox -GrantSendOnBehalfTo $mailbox.grantsendonbehalfto
  }If you requiere any more info please let me know.

  #1 - I recommend posting in xchange forum fo rhow to do this
  #2 - Wen an account is disabled most on the information in the object is hidden.  YOu would need to undelete to use the object.
  #3 - Get list as text and validaye al values are not deleted accounts.  Remove deleted and save back.
  ¯\_(ツ)_/¯

• OIM 11g - Approval workflows for disabled user accounts

  Hi,
  We have a scenario wherein a user will be created in OIM with a future start date resulting in a Disabled Untill Start Date user status. Once the user is created, we should let anyone submit a New Hire form for the user and the submitted form needs to be approved by the Manager. Once the Manager approves the form, the target accounts should get created with disabled status. These accounts should get enabled on the start date.
  As submission of New Hire Form is not a straightforward process, we came up with the following design.
  A dummy resource object corresponding to the New Hire Form will be created and can be requested for a newly hired person by anyone who has OIM access. An approval workflow will be configured for the New Hire Form Resource object and provisioning of target accounts will be based on Manager's approval for this resource object.
  However the challenge that we see with this design is, it wasn't possible to place a request for New Hire Form dummy resource object for a disabled user. But the requirement is to complete the New Hire Form submission process befor the user becomes active.
  How can these workflows be invoked for a disbaled user? Is there any other way to implement this requirement?
  Any kind of help/guidance is greatly appreciated.
  Thanks and Regards
  Deepa

  911709 wrote:
  If I create a dummy resource, called "Group Membership" for example, and use this to show the groups that are available in AD, how can I have the request be routed to different approvers? For example, group cn=HR Users,cn=Users,dc=company,dc=com needs to be routed to HR for approval. Group cn=IT,cn=Users,dc=company,dc=com needs to be routed to IT for approval. How can I change the approvers dynamically?
  Re: Spawning multiple approval tasks in parallel in OIM11g SOA Composite
  You can have dynamic task assignment in BPEL; where you defne a variable in the task assignment and update the variable with the approver group name before triggering the task assignment task. Check BPEL docs for same.
  If every group needs a different approver, and there are 5000 groups, can I make 5000 resources and use the built-in routing of approvals? Or, use the dummy resource approach and handle the management of the approvals in some other way.Just make one resource with one field attached to it which takes in the group name and handle approval in SOA by reading a lookup which has AD group to Approval Group mapping.
  >
  Thank you.-Bikash
  Edited by: Bikash Bagaria on Feb 18, 2012 1:00 AM

• Retrieving User groups and email for all users in a group

  Hi Everyone,
  I need to create an ADF application to retrieve all the groups in OID, the user would select a group and it should list down all the email addresses in that group.
  Can you suggest what is the best way to achieve this. My main concern is how to retrieve groups and email addresses from OID. I was unable to find APIs for it.
  Your suggestions are greately appreciated.
  Thanks,
  Husain

  In a multi-user environment, a user install a dreamweaver extension,but just the user who install the extension can use it.
  Is there a way that administrator install the extension and make this extension available for other users in multi-user environment(e.g. the Windows 7)
  Dreamweaver had this capability many releases ago, but it has been dropped, so it's no longer available.
  Regards,
  Randy Edmunds
  Dreamweaver Development
  Adobe Systems, Inc.

• OIM: Issue with changing AD group membership

  I'm trying to add/remove groups in the AD child form and I get the error below.
  - I can successfully change properties on the main form, such as last name, etc...
  - I don't get why the errors come up from the schedule task API..ex: com.thortech.xl.schedule.tasks.ADITRes ??
  - I've tried tracing this all the way to the .jar file using a decompiler... I think it has somethign to do with either the Group DN or the IT resource, but can't tell which.
  - I've successfully Reconed all Groups/OUs.
  - I don't see how it can be the ITResource since I can change attribs, unless it's looking at the IT resource of the Schedule task.
  EDIT: I'm using OIM 9102BP11 with latest version of the ADconnector (9.1.x)
  I should also note that this was working perfectly fine until I tried to move to GCADITResource. Even when I move back to regular ADITresource, provision a new user, i keep getting this error.
  DEBUG,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADITRes : initialize:: STARTED
  ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],====================================================
  ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],*com.thortech.xl.schedule.tasks.ADITRes : initialize : null*
  ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],====================================================
  ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],================= Start Stack Trace =======================
  ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADITRes : initialize
  ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],
  ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],*Description : null*
  ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],*java.lang.NullPointerException*
  at java.util.Hashtable.put(Hashtable.java:396)
  at com.thortech.xl.schedule.tasks.ADITRes.initialize(Unknown Source)
  DEBUG,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext:: STARTED
  ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],====================================================
  ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],*com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext : null*
  ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],====================================================
  ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],================= Start Stack Trace =======================
  ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext
  ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],
  ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],Description : null
  ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],java.lang.NullPointerException
  at java.util.Hashtable.put(Hashtable.java:396)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.hashTableEnvForDirContext(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.getAttributeValues(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks.addUserToGroup(Unknown Source)
  ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],================= End Stack Trace =======================
  ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],====================================================
  ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],*com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : addUserToGroup : ADD User to Group Operation Failed:null*
  ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],====================================================
  ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],================= Start Stack Trace =======================
  ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : addUserToGroup
  ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],
  ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],Description : null
  ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],java.lang.Exception
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.hashTableEnvForDirContext(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.getAttributeValues(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks.addUserToGroup(Unknown Source)
  ERROR,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],================= End Stack Trace =======================
  DEBUG,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : disconnect:: STARTED
  DEBUG,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : disconnect:: FINISHED
  DEBUG,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : addUserToGroup:: FINISHED
  INFO,20 Sep 2010 10:28:56,563,[XELLERATE.ADAPTERS],Adapter: adpADCSADDUSERTOGROUP has completed for the task: Add User To Group.
  Edited by: Alex S on Sep 20, 2010 10:45 AM

  The individual rows in the AD user group object child table contains references to which IT resource this group refers to so if you switch ADITresource back and forth it is very easy to get things out of synch.
  The exact structure of references between the rows in the child table, the IT resources and the DN of the groups is a bit complex so I can't tell you by heart exactly how it should be but take a look into this and hopefully you will be able to spot the issue.
  Best regards
  /Martin

• Triggering Group Membership Rules against all users

  I have created a few new groups and access policies that use rules to define membership. How do I trigger the search through the entire user list to populate the new groups? If I edit a single record, then the rule gets applied. I need to batch apply the new rules to all users.
  KC

  Hi,
  I am not very sure if it will work or not but try running this default task it update all the user I guess.
  Set User Provisioned Date
  Else you can write a schedule task to update some attribute on user profile.
  Regards
  Nitesh

• My company uses Firefox on Server 2008 R2 and need to set up selective mass cookie removal for multiple users at one time.

  Our company just started using Firefox due to some website compatibility issues with IE. We had a 3rd party tool clearing all cookies without any exception options. We are now needing include exceptions for cookie removal due to website security changes. Is there a way to setup all users on the server to have the same cookie removal profile without doing individual setups?

  Go to the '''[https://addons.mozilla.org/en-US/firefox/ Mozilla Add-ons Web Page]''' {web link}
  (There’s a lot of good stuff here) and search for what you want.

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.

• Extracting user group membership to a spreadsheet - tip?

  Hello,
  This is a tip that works for me.
  Sometimes I need to extract the Group Membership names for a user or users.
  What I do is have PTSpy running when I find their name from an administrative search. Clicking on the user name opens up the EDIT USER page where you can see the users groups.
  At this point look in PTSpy for the line:
  Create query: '/* QUERY_DYNAMIC_USERGROUPS:ANSI */ SELECT DISTINCT(a.ObjectID), a.Name, a.IsLocalized      FROM PTUSERGROUPS a, PTUSERLINKS b      WHERE a.ObjectID=b.GroupID           AND b.UserID=?           AND (b.ISSTATIC=? AND b.ISDYNAMIC=?) ORDER BY a.ObjectID DESC'
  followed by 3 lines:
  setInt, index: 0, value: 0001. <--user ID
  setInt, index: 0, value: 1. <--Static Group Membership
  setInt, index: 0, value: 0. <--Dynamic
  Copy and drop that into SQL Query Analyser, plug in the value provided and save it to a spreadsheet or just copy and paste it.
  If you want find dynamic groups - there is a similar query in the PTspy log - look for the /*QUERY_DYNAMIC_USERGROUPS:ANSI
  in PTSpy log
  If anyone has anything else to add - please do!
  Thanks,
  V
  Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell

  Hi,
  To identify members of a local group by using a command line, refer to:
  1. Open Command Prompt.
  2. To list members of a group, type: net localgroup "groupname"
  Note: You must include the quotation marks.
  For example, export the members of the local group Administrators to a text file named group.txt, refer to:
  net localgroup “Administrators” > C:\group.txt
  You can also write a script as you want.
  Best Regards,
  Nina Liu
  TechNet Subscriber Support in forum
  If you have any feedback on our support, please contact
  [email protected]  
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
  Thanks this does seem to work. It does seem that just copying the command does not work because of the quotes, and that you have to manually type the quotation marks into the command prompt, I'm thinking they are picked up as a different character when you
  copy paste from a html page or other document.

• Group Membership Update Task -AD Connector 11g

  OIM 11g R2:
  When will Group Membership Update task be triggered for a user? Will this get triggered when a Entitlement associated to a user is updated (entitlement metadata) -How will OIM identify that it is an update to the existing Entitlement and that User is associated with?
  This is my understanding on other group related OOTB tasks:
  Insert Group Membership will be triggered when a new entitlement  is added to the user
  Delete Group Membership will be triggered when a Entitlement is removed
  Thanks in advance.

  If entitlement display name is updated in OIM then it also get updated in provisioned resource profile for all users who are associated with the entitlement but it does not insert 'Group Update' task.
  If entitlement - group name is changed in target system them OIM treats this change as a completely new and does not update it for the existing associated users.
  Thanks,
  Pallavi

• Design question: Change Group membership for a AD resource via SelfService

  Hi all,
  based on the OIM tutorials, I designed OIM that way that an end user can successfully request a resource. Is there a way to allow end users to modify their resource "subscriptions"? For example, I would like to allow end users to change their AD group memberships after the initial provision to the resource.
  From what I have learned from the tutorials, I would assume to create an AD group membership attribute in the user account profile form and propagate changes to that attribute back to AD.
  Or is there a way to allow end users to change their resource data directly under "My Resources" ?

  there is no concept of requesting a modification of an already provisoned account. Like you said this can be achieved thru an attribute on the user's profile and on changing that attribute, downstream applications can be propagated the new value.
  Typically if changes to an already proviisoned account needs to be done in oim and through oim, an oim admin goes to the user's resource profile and clicks on edit on the process form and can edit any data there. in case of ad groups, there will be a child process form that shows the groups that the user is a member of, you can insert(add) new groups or delete existing groups from there and save the form. In the proviisoning porcess of AD you will need to write a porcess task, which should add/remove the user from the specified group in AD on the trigger when a new group is added or an existing group is removed wehn the admin is modifying the user's AD process form/process child forms in oim.

• Samba winbind and group membership.

  I have a Solaris 10 (update 4) box (x86) that is joined to an active directory via samba/winbind.
  The users are working fine however their group membership is not.
  Users that should be members of certain groups do not seem to be: in that if I run
  "groups" and check the group member ship for myself I am missing entry of some groups yet I can verify that I should be a member of that group by running getent group "domain\\group name" and seing my username entered.
  winbind has the following parameters set
  winbind enum users = yes
  winbind enum groups = yes
  winbind nested groups = yes
  I am at a loss as to why it picks up some groups and not others.
  Has anyone come across something similar or know how to solve this issue?
  Regards,
  James

  Hi,
  I know this thread is very old but unfortunately I'm facing exactly the same problem under Solaris 10 Sparc. Any ideas? Maybe this issue was solved?
  Regards,
  Oliver

• Programmatically determine group membership under NI Security

  I am trying to use NI Security provided with the LV DSC module (v8.2).  I would like to be able to programmatically determine the group membership of a given user.  Is there a way to do this?
  Thanks,
  --David Moerman

  David,
  Also, here is a Knowledgebase article that covers the same topic:
  Programmatically Determining which Security Groups a User Belongs to Using LabVIEW DSC
  http://digital.ni.com/public.nsf/allkb/99A026B68D18B484862571DC006CD8EB?OpenDocument
  Message Edited by Coal Man on 06-19-2007 09:12 AM
  Brian Coalson
  Software Engineer
  National Instruments

• Automating removal of Discovered Users from ACS

  I use ACS 4.1 on a Windows server that looks up unknown users in Active Directory. Users in AD are in various groups and ACS has these groups mapped to the ACS groups so that users are granted appropriate access to their needs. This has worked well.
  I am now seeing that users are are removed from one AD group and added to another group do not have this change reflected in the ACS system. This is because ACS only looks at the AD group for *unknown users*. The user who has moved AD groups was an unknown user, but, upon first logon, that user became a discovered user. From that point forward, only credentials are checked, not group membership.
  On the User Setup section in ACS, there is a button to *Remove Dynamic Users*.
  I would love to know the following:
  1. Is there a way to have ACS check the current group assignment in AD for *Discovered Users*?
  2. If not, is there a way to automate the *Remove Dyanmic Users* fucntion? I have used CSUtil in the past but it seems a little cumbersome for this feature in that I had to dump out the users, reformat the output, and then push the deletion back through. I don't recall it making distinctions of known versus discovered users. It just had users names in ACS groups.
  Any insights would be greatly appreciated!

  Right, I mention that in my original post. But it requires me to go in and do it. Not the automated process I am looking for.
  The other approach I mentioned is to script around the CSUTIL command. While it meets part of the automation requirement, it is not very robust and does not do exactly what I am looking for. It also becomes another complex script that I would have to support.
  Thank you.

• Manually execute a povisioning task for a user in OIM 11g

  Experts,
  In OIM 11g, I would like to execute a resource provisioning task for a user thru OIM admin console.
  In OIM 10g, when we select a resource profile for a user, it used to show the list tasks that are executed. There we can add a new task to run manually there.
  How to do the same in OIM 11g. in OIM 11g, it is not even showing the lists of tasks executed during provisioning.
  Please let me know.

  If you are talking about manually adding the provisioning tasks to a user for a particular resource, then you can go to the resource profile of the user, select the particular resource -> click the 'Resource History' button on the right corner and from there you can manually add the tasks.
  -Bikash