OIM 9.1.0.2 - User group permission conflict issue

Hi Gurus,
IHAC who has faced strange behavior regarding a permission conflict.
A user has been assigned to a user group (ANALISTA DRSI) that has permission to disable resources of the users he administers. The user group has been assigned to the resource's administrator.
The same user has been assigned to another user group (ANALISTA ADM DRSI) that has other permissions. This user group has not been assigned to the resource's administrator.
If the user is assigned only to the ANALISTA DRSI user group, the user is able to see records on the Rogue Account report. If the user is assigned to both ANALISTA DRSI and ANALISTA ADM, the user is not able to see the records on the Rogue Account report. He gets an error message (You do not have permission). Both user groups have the Report menu item assigned.
My question: if the user is assigned to a user group that has permission to see the reports, should the user not be able to see the report even though he is also in the other group that does not have permission?
Is there a conflict in OIM?
Any tip will be much appreciated.

Organization > Manage > Select the Org in which users are getting created > Administrative Group (Drop Down) > Select the Group for which users are not coming.

Similar Messages

  • OIM 9.1.0.2 - User group permission

    Hi experts,
    IHAC that needs to configure some user groups in order to perform just specific activities. We have configured the user groups but with no success.
    1) Group that should see/track all the opened requests.
    Given all request permission. (The requests don't appear)
    2) Group that should disable Resource from user through User Detail -> Resource Profile.
    Given all resource objects permission. (Error message: No permission)
    3) Group that creates/manages Attestation.
    Given all attestation permission. (The attestation is created, but it doesn't appear to the delegated user)
    Any tip on how to set the correct permission?
    Brgs,

    Hi,
    I was looking for the same questions! One of them I could make work...
    About question #3, some steps:
    1. Create a group with name, let's say: AttestationManagers
    2. Give the following permissions:
    Attestation Requests
    Attestation Process Tasks
    Attestation Data
    Attestation Process Definitions
    Attestation Process Administrator
    3. Make the users responsible for the attestation process part of group: AttestationManagers
    4. Create an attestation process and in the last field: Process Owner, put AttestationManagers
    5. Click: "Run Now"
    6. This attestation should appear to the user responsible for it.
    You can find an explanation about the attestation process in the following link: http://download.oracle.com/docs/cd/E14049_01/doc.9101/e14057/attestation.htm#insertedID1 and about the Process Owner, the point 15.1.1 in the above link.
    I hope it helps!
    Regards.

  • How to hide ribbon from all item view for particular user group

    hi friends
    how to hide ribbon from all item view of particular list for specific user group.
    using OOB functionality or javascript. 

    Hello,
    Use this codeplex tool to hide ribbon to user group:
    http://spribbonvisibility.codeplex.com/
    If you don't want to use above tool then you have to add SPSecuritytrimming in "Rajiv Kumar" code for filtering based on user group permission.
    http://www.topsharepoint.com/hide-the-ribbon-from-anonymous-users
    Hope it could help
    Hemendra:Yesterday is just a memory,Tomorrow we may never see

  • OIM 10g Event Handler : Integrated with User Groups.User Members

    I have created custom event handler and integrated it with User Groups.User Members data object.
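    Here is my code of the event handler class:
    import com.thortech.xl.client.events.tcBaseEvent;

    public class GroupEventHandler extends tcBaseEvent {
        public GroupEventHandler() {
            this.setEventName("Event Handler Sample");
        }

        // Runs on the post-insert event of the User Groups.User Members data object.
        protected void implementation() throws Exception {
            System.out.println("============@@@@@@@@ IN EVENT HANDLER ");
            try {
                // This is the lookup that raises "Column 'GROUPS.KEY' not found".
                String groupKey = this.getDataObject().getString("Groups.Key");
                writeToFile(groupKey); // helper not shown in the post
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }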
    But I am getting this exception :
    ERROR [ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)' XELLERATE.SERVER - Class/Method: tcTableDataObj/getString encounter some problems: Column 'GROUPS.KEY' not found
    com.thortech.xl.dataaccess.tcDataSetException: Column 'GROUPS.KEY' not found
         at com.thortech.xl.dataaccess.tcDataSet.getColumnIndex(Unknown Source)
         at com.thortech.xl.dataaccess.tcDataSet.getString(Unknown Source)
         at com.thortech.xl.dataobj.tcTableDataObj.getString(Unknown Source)
         at oim.GroupEventHandler.implementation(GroupEventHandler.java:19)
         at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.eventPostInsert(Unknown Source)
         at com.thortech.xl.dataobj.tcUSG.eventPostInsert(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
         at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
         at com.thortech.xl.ejb.beansimpl.tcGroupOperationsBean.addMemberUsers(Unknown Source)
         at com.thortech.xl.ejb.beans.tcGroupOperationsSession.addMemberUsers(Unknown Source)
         at com.thortech.xl.ejb.beans.tcGroupOperations_ejm77u_EOImpl.addMemberUsers(tcGroupOperations_ejm77u_EOImpl.java:1671)
         at Thor.API.Operations.tcGroupOperationsClient.addMemberUsers(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.security.Security.runAs(Security.java:41)
         at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
         at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
         at $Proxy66.addMemberUsers(Unknown Source)
         at com.thortech.xl.webclient.actions.UserGroupMembersAction.assignMemberUsers(Unknown Source)
         at com.thortech.xl.webclient.actions.UserGroupMembersAction.assignGroupMembers(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
         at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
         at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
         at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
         at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
         at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
         at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
         at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3592)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)

    Does anyone have an idea why the "Groups.Key" not found exception is thrown here?
    I have assigned this event handler to the post-insert event of the User Groups.User Members data object.

  • Security permission to user Group for menuitem in ax 2012

    Hi experts, I have a query.
    I want to give menu-item-level permission to a user group. For example, I want to show all Accounts Payable setup parameters to the Finance group, so how can it be done? I don't want to use the Roles ---> Duties ---> Privileges method.
    I just want to create two groups: for one, the Accounts Payable setup parameters will be shown on main, and for the other group they are disabled.
    Is that possible without creating new roles, duties and then privileges?

    Hi Munsifuv. You might get more help on this and your other AX questions on an AX-specific forum. We can help with connecting Power Query to data sources, but aren't necessarily experts on configuring those sources.
    Thanks,
    Ehren

  • Reconcile user groups to OIM (11g)

    I would appreciate it if someone may let me know how to reconcile the organization and leadership structure information from an Oracle DB based identity vault into OIM (11g) to create organizational roles, for example, into the user group and user group membership tables, i.e. the UGP and USG table series. Many thanks.

    Yes, I have defined the correct search value, but it is throwing the error again and again. I changed the search values too, but it's not working.

  • [OIM] Cannot use special character in User Group Name

    Dear IdM expert,
    I have a problem creating a user group in OIM if the user group name contains a special character like '&', '<' or '+'.
    I read Note 430081.1: Can a Field Label in an Object Form Contain Special Characters? and changed <AppFirewall><SecurityLevel> in xlconfig.xml to 0 (by default SecurityLevel is set to 1). But still no luck.
    Could anyone find a way to do this? Thank you.
    Best Regards,
    Satit

    I don't think the app firewall applies to recon events, so that is probably how they got in.
    You may have to update the database tables directly to solve this. Should not be a big issue as you aren't messing with any table primary keys.
    Best regards
    /Martin

  • OIM User Group

    hi,
    I have created a user group, say "Employee grp", where a user belonging to this group cannot edit the user details (UDF fields), process form, or child forms. Now there is a new requirement where the helpdesk user can change/reset only the password for other user accounts. Check the points below:
    1. User can view his own user details, process form etc. and can edit any field.
    2. User can view other users' details, process form etc. but cannot edit any field except the change password.
    In short, this new group has to enable only the "change password" button if the user accesses other users' details and nothing else. Is it achievable?
    Thanks in advance

    It is possible. My approach is..
    You can create a UDF say Change Password with datatype boolean and field type checkbox in Users Group form.
    Now when you create HelpDesk Group in Admin console, you can select the check box and specify whether users in this group are allowed to change password or not.
    Create an adapter and check whether the user is member of helpdesk group and then check whether he has permissions to change password only, if he is not allowed to change other info then you can show up an error message to the user.

  • Is there a way to pull  User, Group , Other permissions of a file

    I wanted to know whether Java provides any API to pull up each and every permission associated with a file.
    For example: In Unix, a file has 3 sets of permissions as shown below:
    <UserPermissions><GroupPermissions><Others'Permissions>
    Example: -rwxrwxrwx
    r - for read
    w - for write
    x - for execute
    There are some methods provided in java.io.File, such as canRead() and canWrite(), which help in telling whether a file is readable or writable. But I did not find any API which tells whether a particular user has read/write/execute permission or not. Also, I presume the canRead(), canWrite() methods pull up the permissions pertaining to the owner of the file, but not for the group and others part of a Unix file's permissions.
    Is there a way to pull up the read/write/execute permissions for all 3 categories, namely UserPermissions, GroupPermissions and Others'Permissions?
    I appreciate your note on this and appreciate your time too.

    In the java.io.File class, there are the methods canRead() and canWrite().
    They will test the read/write permissions of the Unix user you are running your Java program with.
    They will not return a list of user names, user groups etc though.
    You'd have to get the permissions through some platform specific method, eg. via JNI.
    regards,
    Owen
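
    For the question above, an added example that is not part of the original thread: since Java 7 the java.nio.file API reads the owner, group and others permission bits directly on file systems that expose a POSIX attribute view. The class name, the helper names and the temporary sample file are constructed for illustration.

    ```java
    import java.io.IOException;
    import java.nio.file.FileSystems;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.nio.file.attribute.PosixFileAttributes;
    import java.nio.file.attribute.PosixFilePermission;
    import java.nio.file.attribute.PosixFilePermissions;
    import java.util.Set;

    public class FilePermissionReport {

        /** Returns a line such as "rw-rw-r-- owner=alice group=staff /tmp/x". */
        static String describe(Path file) throws IOException {
            PosixFileAttributes attrs = Files.readAttributes(file, PosixFileAttributes.class);
            return PosixFilePermissions.toString(attrs.permissions())
                    + " owner=" + attrs.owner().getName()
                    + " group=" + attrs.group().getName()
                    + " " + file;
        }

        /** True when the group class or the others class may write to the file. */
        static boolean writableBeyondOwner(Set<PosixFilePermission> perms) {
            return perms.contains(PosixFilePermission.GROUP_WRITE)
                    || perms.contains(PosixFilePermission.OTHERS_WRITE);
        }

        public static void main(String[] args) throws IOException {
            // Windows volumes, for example, have no POSIX view; bail out instead of throwing.
            if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
                System.err.println("Default file system has no POSIX attribute view");
                return;
            }
            // Constructed sample: a temporary file given mode rw-rw-r--.
            Path sample = Files.createTempFile("perm-demo", ".txt");
            try {
                Files.setPosixFilePermissions(sample, PosixFilePermissions.fromString("rw-rw-r--"));
                Set<PosixFilePermission> perms = Files.getPosixFilePermissions(sample);
                System.out.println(describe(sample));
                // One line per bit: OWNER_READ, OWNER_WRITE, ..., OTHERS_EXECUTE.
                for (PosixFilePermission p : PosixFilePermission.values()) {
                    System.out.println("  " + p + " = " + perms.contains(p));
                }
                System.out.println("writable beyond owner: " + writableBeyondOwner(perms));
            } finally {
                Files.deleteIfExists(sample);
            }
        }
    }
    ```

    This reports the mode bits only; ACL entries layered on top of them are not reflected in the nine POSIX permissions.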

  • OIM to OID Provisioning to cn=groups

    We want to provision a user in to cn=groups in addition to cn=Users in OID.
    Flow is like, when we provision a user into OID. It is getting provisioned into cn=Users.
    But now depending on this user's User Type: If User Type is A or B. We want to provision this into cn=Groups (Which has two nodes cn=A and cn=B).
    So if the user created & Provisioned has User Type=A, it should be added to cn=A in cn=groups and same for userType=B.
    Requirement is we should have all the users of User Type=A in cn=A and similar for B. Please suggest the best approach to achieve this.
    Thanks.
    Regards,
    Nitin

    Hi,
    Problem still exists: I've reconciled groups from OID to OIM running this task: OID Group Lookup Reconciliation Task.
    Now i am able to see OID groups in Lookup.OID.Group. but when i try to add these groups from access policy/or during manual prov from OID User Group lookup search option, it is showing no value.
    I tried checking UD_OID_USR from, it has UD_OID_GRP as child table. And when i preview UD_OID_GRP from design console, i am able to query OID Groups that i reconciled.
    Also checked value of linked lookup in UD_OID_GRP: Lookup.OID.Group which is correct and populated good.
    But not able to see same user groups through Admin console. It throws this error on search:
    ERROR,28 Jul 2010 11:40:22,632,[XELLERATE.WEBAPP],Class/Method: tcLookupFieldAction/lookupByColumn encounter some problems: lookup Error
    ERROR,28 Jul 2010 11:40:24,820,[XELLERATE.WEBAPP],Class/Method: tcLookupFieldAction/lookupByColumnFiltered encounter some problems: No Values Present
    ERROR,28 Jul 2010 11:47:08,937,[XELLERATE.WEBAPP],Class/Method: tcLookupFieldAction/lookupByColumn encounter some problems: lookup Error
    ERROR,28 Jul 2010 11:47:10,386,[XELLERATE.WEBAPP],Class/Method: tcLookupFieldAction/lookupByColumnFiltered encounter some problems: No Values Present
    Help required urgently.
    Regards,
    Nitin

  • Restricting certain users groups to read only for certain folders

    Hi
    I'm not sure if this is the correct forum, but hey, hopefully someone might know the answer or direct me to the correct one.
    I'm writing a VB program to amend ACLs for specific user groups.
    Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years are List/read only.
    I've got to the point where the program does everything I want, i.e. stops folder creation/deletion, file & folder name changes, copying for the historic years, but does not prevent deletion of files in the folder.  Effectively I set Deny access on the historic folders.
    Testing using the Windows GUI would appear to resolve the problem if I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
    Question then is how do I set this in VB, the default appearing to be "This folder only"
    Here's extract of my code
    Thanks
    Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
    Dim FileAcl3 As New FileSecurity
    If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
    FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
    FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
    FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
    FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
    FileInfo3.SetAccessControl(FileAcl3)
    End If

    Hi Rohn
    You're right, when I added the flags I got the following error at execution
    {"No flags can be set. Parameter name: inheritanceFlags"}
    I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
    I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
    Thanks
    Perry

    You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
    $varDirectoryName = "c:\folder"
    $GroupAdmin = "Admin Group"
    # DirectoryInfo returns a DirectorySecurity object, which accepts inheritance flags
    $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
    $FileAcl3 = $FileInfo3.GetAccessControl()
    $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
        $GroupAdmin,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        # ContainerInherit + ObjectInherit = this folder, subfolders and files
        ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )))
    $FileInfo3.SetAccessControl($FileAcl3)
    I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
    Does that make sense?

  • Built-In Users-group is suddenly gone on folder security tab.

    Dear forum-members,
    I have got a problem with folder-permissions (acl) on a Windows 2003 Server with Terminal Services (Citrix).
    The application "Sybase" is installed on the D-drive (disk). A third party application needs Sybase to communicate through the sql.ini with the database. All terminal server users need read permissions on the Sybase install directory to use the sql.ini.
    Normally every new folder on a server has the Builtin Administrators-group and System account with "Full-Control" permissions and the Builtin Users-group with "Read and List" permissions. Now on the Sybase folder only the Builtin Administrators-group and System account are at the security tab, but not the Builtin Users-group.
    When I manually set the Builtin Users-group with read permissions it is okay, but after a while the Builtin Users-group is gone/deleted/removed. There is no sign that a person, process or action removes the permissions for the Builtin Users-group. I set Auditing on the folder, but with no result. I know for sure there is no GPO (Group Policy) that removes this group.
    For now I have a dirty solution to run a scheduled task every 10 minutes that runs xcacls to set the permissions. I tried a GPO to set the permissions; after a reboot the group policy doesn't apply (only after a gpupdate /force).
    Does anyone have another proper/nice solution to force the read permissions on the Sybase folder for the Builtin Users-group?
    Thanks in advance.
    Greetings, Sidney

    Hi Shaon,
    Thank you for your reply.
    The 'third party app' is APP-V sequenced and not in production yet, so only some test users are using the app.
    I did a test today to use Domain Users instead of Builtin Users, but the same problem. After a reboot only the Builtin Administrators and SYSTEM have permission on the Sybase installation folder and Domain Users (& Builtin Users) were automatically removed again.
    We have 6 terminal (Citrix) servers and all of them have the same problem, so it's not server related.
    Could it be an issue with the way Sybase is packaged (it's a silent install through our deployment application)?
    Before I do the next test: will it help to force the rights (replace permissions) from the upper folder to the sub-folder(s)? (force the inheritance)
    Greetings, Sidney

  • Which table/view stores information on APEX user groups?

    Hi All,
    I need to list all the APEX users, their roles(i.e. IS_ADMIN or IS_DEVELOPER) and the user groups they belong to.
    Can some one kindly share the information on which tables/views will have all this information?
    I am aware of apex_workspace_users which tells me about the roles (i.e. IS_ADMIN or IS_DEVELOPER).
    Thanks in advance.
    Annie

    Thanks jari for your help.
    I did manage to get the information on user groups by using APEX_UTIL.get_groups_user_belongs_to function.
    However there are two issues in that:
    Firstly, the requirement is that I should be able to retrieve these details by executing queries in SQL*Plus and not APEX WS. However, executing the APEX_UTIL.get_groups_user_belongs_to function in SQL*Plus returns no data. That means there are certain permission issues on the underlying tables.
    Secondly, the user groups are listed in a single row and I'd like the result in the multiple rows.

  • How to map Portal User groups to a MDM System?

    Hi,
    Has anyone tried mapping a portal user group to an MDM System?
    The idea is to avoid each user doing user mapping for MDM on their own.
    When I look into the user mapping section of a portal user group, it shows me a message -
    "There are no systems available for user mapping for the selected principal"
    Thanks and best regards,
    Arun prabhu S

    Hi All,
    Got it!
    1. Create portal users,
    2. Create a portal user group,
    3. Assign Users to User group,
    4. Go to System Administration, edit permission of the MDM system, add the user group to the MDM system permission list and save
    5. Go to User Management, modify the user group, go to the User mapping of the user group and do mapping for MDM system and user group using a valid MDM User name and password and Save
    6. In User Management, modify the Portal role for MDM , add the user group to the role and save
    7. Edit permission of the role object, add the user group to the permission list and save
    Result:
    All the users assigned to the user group will be able to access MDM information on the portal corresponding to the MDM mapping done at the user group level. This avoids self user mapping in the personalization link.
    Best regards,
    Arun prabhu S

  • How to diable only one field enabled and other fields disabled for one user group?

    Hi,
    I have a form that contains many fields. A group of users can add items using that form.
    As per the user requirement I have created a filtered view, and that filtered view can be seen by some other SharePoint user group, but as per their further requirement the new SharePoint user group is only allowed to update the Remarks field. All other fields should be disabled for them.
    In my idea, I have to create multiple forms, and in one of them all fields except Remarks should be disabled, but I am unable to assign multiple forms to a single list.
    Or how to make the Remarks field enabled for this user group, while for the other admin user group all fields are enabled.
    Hope I have expressed my question correctly.
    Any solution would be appreciated.

    There is no Out of the Box way to set permissions on each column, primarily due to the performance impact. The following thread provides some options,
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/c0794232-9bab-4cea-91d8-f311a793a863/how-to-set-column-wise-permission-in-sharepint-list-in-sharepoint-2010?forum=sharepointadminprevious
    Dimitri Ayrapetov (MCSE: SharePoint)
