OIM - AD  auto provisioning

Similar Messages

• OIM Org auto-provision

  Hello all,
  I want to achieve that organization A is provisioned automatically to Oracle LDAP as soon as A is created through OIM admin console,what issues should i do?Need ur help.
  Thanks.
  Regards.

  First create Adapter(Java Code), which will update ur AD with Organization name. Say for example
  1. create class like updateOrgNameInLDAP.
  2. create method called updateorgName(LDAP Connection detials,String OrgName){code }
  3. create Jar and put that jar into xellerate\java tasks folder
  Then create Adapter in Design Console.
  1. Type Adapter Name
  2. Adapter Type -> Entity Adapter.
  3. Save.
  4. Create Adapter variables (contain connection parameters of LDAP and OrgName)
  5. Click New Adapter Task. (Java ->New Instance) then it will open
  6. Give Adapter Task Name and then API Source ->select the class and appropariate method. then save.
  7. Map ur adapter variables.
  8. Save.
  9. Click Build button on Adapter. Thats all..!
  Now, how to attach ur entity adpater to ACT table..
  1. Go Design Console.
  2. Click on Development Tools -> Business Rule Definiation -> Data Object Manager
  3. Click on Search button. Select Organization from Data Object Manager.
  4. There select Post-Insert Tab, click on Assign ( There select ur new entity adapter just created above)
  5. Now, Map Adapter tab will active. click on that then map your adapter variables.
  Thats All...! Hope this will help you.
  All the Best.

• OIM - OID (11g) auto-provision thru ldap sync

  Hi,
  I have configured ldap sync. I have following questions
  1. We have created custom attributes in OID and referred to custom object class. Now when I try to create user in OIM, user is auto-provisioned to OID. But the custom attributes in OIM are not getting provisioned to OID (unable to see the custom attributes in user object of OID, unless we refer manually the custom object class). Can any one let me know how to auto-provision the custom attribtues into OID?
  2. When user is auto-provisioned to OID, it is not showing any resource profile details of OID in OIM? Is it the expected behavior? But create, udpate, delete are happening as expected.
  Please let me know if any one know the solution.

  Hi,
  Where you able to achieve this?? i have similar requirment where, i have added 5 custom attributes in both OIM and OID, when i create the users these attributes doesnot get updated on OID....should i add these UDF in any objectclass which OIM understands??please suggest
  Thanks in advance

• OIM and Exchange Auto Provision along with AD

  Hi,
  How can I configure an AD connector in OIM to automatically provision an Exchange account for a user?
  At present as part of manual provisioning test, I have to assign the AD User resource and Exchange resource separately to provision a user with AD and Exchange accounts. Is there a simplest way to do it?
  Please advise. Also please share if any documentation available.
  Thank you!

  Policy based provisioning should work fine for you.
  Alternatively you can use an entity adapter or a combination of entity adapter and a policy.
  Policy based provisioning is described in 11 Creating and Managing Access Policies in Identity Manager Administrative and User Console Guide (assuming that you are using 9.1).
  Good luck
  /M

• Exchange 2003 Auto Provision: OIM

  I'm trying to provision a user to exchange 2003. I'm using Windows 2003. I can create an exchange account successfully via OIM if I provision it manually.
  I've created 2 Access Policies, one for AD and one for Exchange (Priority 1 and 2). They are both supposed to automatically provision a user in AD/Exchange once the account is created in OIM. AD account gets provisioned successfully.
  However, Exchange 2003 account gets a status of Rejected on Check AD User Process. So I tried setting the Depends On value in Exchange Resource Object to AD User via the console. Now it gives me a status of Waiting and never actually creates the mailbox.
  Help!!!

  Yes, turns out it's a bug. Found it on metalink, Doc ID 786449.1

• Auto provisioning for AD is not working in oim11gr2

  Hi All,
  I have current environment as OIM 11.1.2.0.7 and AD connector MSFT_AD_Base_11.1.1.5.0 with patch applied 14190610 and Connector_Server_111200
  I configured an auto provisioning to AD
  I created an access policy based on a role MSAD Users.
  i am expecting when i assign this role user should provisioned to AD automatically but it is not done. I also ran the Evaluate User policies scheduler which in enable state.
  i provisioned user manualy and its working fine. also i checked access policy with another target application R12 application it is also working fine.
  but i dont y it not working for AD . I filled all required fields in process form lyk organisation and AD Server.
  I ran in to same issue in DEV at that time i applied BP07 to oim and 14190610 patch to AD connector, after that it was worked
  Now my UAT is in same environment still it is not working
  Please suggest me some solution
  Regards
  $sid

  Hi All,
  I have current environment as OIM 11.1.2.0.7 and AD connector MSFT_AD_Base_11.1.1.5.0 with patch applied 14190610 and Connector_Server_111200
  I configured an auto provisioning to AD
  I created an access policy based on a role MSAD Users.
  i am expecting when i assign this role user should provisioned to AD automatically but it is not done. I also ran the Evaluate User policies scheduler which in enable state.
  i provisioned user manualy and its working fine. also i checked access policy with another target application R12 application it is also working fine.
  but i dont y it not working for AD . I filled all required fields in process form lyk organisation and AD Server.
  I ran in to same issue in DEV at that time i applied BP07 to oim and 14190610 patch to AD connector, after that it was worked
  Now my UAT is in same environment still it is not working
  Please suggest me some solution
  Regards
  $sid

• EBusiness Suite User "Auto-provisioning" and  "Self-Request" Problem

  I have two types of OIM User, Staff and Contingent
  Staff (Role = Full-Time)
  Contingent (Role = Contractor / Role = Consultant)
  Resource Object: eBusiness Suite User
  Here's my RO configuration:
  Auto Pre-populate: true
  Allow Multiple: true
  Self Request Allowed: true
  Allow All: true
  Auto-Launch: true
  EBS Connector, by default has two forms:
  UD_EBS_UO: Object Form
  UD_EBS_USER: Process Form
  I have requirement which will auto-provision eBusiness Suite User resource to Staff users.
  Originally, UD_EBS_OU is the table name used by the RO. For auto-provisioning to work, I have implemented it this way:
  First, I have defined a User Group for Staff and assign an Access Policy to it (for users with Role == Full-Time).
  Then, I have detached Object Form UD_EBS_UO from the RO. This way, when Staff user is created in OIM, it is automatically provisioned with eBusiness Suite User, though it won't have a Resource Form, only a Process Form. Process Form fields are automatically pre-populated with values (via my Pre-populate adapters).
  Now my problem is during Self-Request. Contingent user doesn't get auto-provisioned with EBS RO, but he can self-request for it. Problem is, since I detached the Object Form from the RO, user is not seeing any form during request. And I have a requirement that approver of the request should also be able to view/modify the details of the request form. But that is not possible now that Object Form does not exist for this RO.
  Is it possible that Self-Request and Auto-Provisioning works both ways under the same Resource Object? How do I configure that? Appreciate your quick response and help. :)
  Edited by: user10202544 on Feb 10, 2010 3:27 AM

  Yes I have set permissions to all users for the Object Form.
  It is required for me to have both Self Request and Auto-provisioning work for eBusiness Suite RO.
  During approval, however, the approver needs to see the Object Form (where he can view/modify its values before approving it). That's impossible for me since I detached the Object Form from the Resource Object. I need do to this for auto-provisioning to work.
  It seems that it doesn't work both ways. Any other suggestions?

• EBusiness Suite User "Auto-provisioning" with Object Form

  eBusiness Suite User RO has two forms, 1 Object Form and 1 Process Form
  I want to configure access policies to auto-provision EBS RO to OIM users (particularly Staff/Full-time users).
  On the Resource Object configuration, I checked Auto-Save. This enables my Object Form to be automatically saved during auto-provisioning. I have pre-populate adapters attached to my Object form, such that during auto-provisioning the fields are pre-populated based from a user's profile in OIM.
  However, my problem is, my pre-populate adapters always get xelsysadm attributes and not the user's (whom the request is being created for).
  You may ask why I needed the Object Form?? I could have just discard my object form from the Resource Object, and directly populate values in the Process Form.
  However, I have a business requirement, that eBusiness Suite User can also be self-requested for certain users (contractor, contingent) which are not part of the auto-provisioning/access policy. This is why I still needed my Object Form.
  Is there a way that auto-provisioning and self-requests works both ways under one Resource Object?

  Well that's something crucial with OIM request model. AFAIK in such cases the information for requester is populated and since invocation of access policy is through sysadmin so the information of XELSYSADM is populated.
  Rather what I would suggest is that attach these pre-populate adapters to the process form and skip flow of the data from Object->Process form. So your request model remains intact and the information you want to pre-populate is also done. Hope this should work and is viable for you.
  Thanks
  Sunny

• Using the JDE Connector to Auto Provision (11g)

  Looking for companies using OIM 11g who have recently setup auto provisioning using the JDE connector. Any insight (gotchas, etc.) you could post here would be appreciated.
  Edited by: user13686208 on Mar 23, 2011 12:02 PM

  Ranjini,
  By auto-provision, do you mean all users default gets an AD resource?
  To start off with,
  1)are you able to manually provision users to AD?
  If no, then ur problem is with the AD Connector parameters or Task Create User.
  If yes,
  2) do you have an access policy for provisioning?
  If no, you need to create a policy to provision the AD resource to the All User Group.
  If yes, need to check if the users are part of the group and also try retrofitting the policy.
  Rgds, Ajay

• CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

  Hi All,
  I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
  Here is an example of the audit trail log from Change Account:
  Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
  Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
  Auto provisioned for request on 06/28/2010 17:14 
     User Provisioning failed for System(s) : DEV. Error Message :
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
  Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
     Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
  Note: the role names were replaced with "xxxxxxx."
  The system log gives an error, but it is very vague:
  2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
  com.virsa.ae.service.ServiceException
       at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
  Any ideas or suggestions?
  Current software level AC5.3 SP12.
  -Dylan

  Hello Varun,
  Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. You question prompted me to do more testing with very interesting results.
  Results
  New Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  New Account without User Defaults configured:
  User provisioned successfully, no Auto-Provision error.
  Change Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  Change Account without User Defaults configured:
  User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
  In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
  For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
  What about on your side? Am I the only guy using SP12 here?

• WCS 5.0.56.2 Auto-Provisioning

  In WCS 5.0 Cisco introduces Auto provisioning of WLCs.
  Unfortunately there is not much documentation available, except for option explanation.
  If i understood this right, Auto-Provisioning takes care of the initial setup of an out-of-the-box WLC. A very handy solution for wide spread WAN environment.
  Has anyone here been working with this option, and can direct me into the right direction?
  I try to auto-provide initial setup parameters from my WCS 5.0.56.2 to a WLC 4402 running 4.0.128.0 on a factory default configuration.
  I hooked up the WLC with his glasfiber and his management port to our management vlan and also configured DHCP on one of the switches for our management vlan.
  WCS is also hooked up to this management vlan.
  I created filters, in WCS for either Serial No. and MAC-ADDRESS providing required parameters for initial setup.
  Those filters remain idle, and the WLC doesn't recieve an IP-address from the DHCP scope configured.
  Am i missing something? Do i like this function to do things it is not supposed to do?
  Please let me know if someone had better experience.
  Cheers,

  Hey Sebastian,
  Could you tell us a little more? I try to make it work too, but with little success.
  What I do is:
  - create a config group from my controller templates, do not add any controller to this config group, put in it all templates from my controller (including the local management user and WLANs).
  - Create an auto provisioning filter, using this config group and my controller Ip addresses and MAC address, enable the filter and make sure it is not set to monitor only.
  - I do see a file with my controller MAC address created at that instant, so I am close to being happy.
  - In my DHCP server, option 150 points to WCS.
  When I clear my controller config and reboot, it gets to autoinstall, receives an IP address from DHCP and the option 150 information. It then downloads the file with its MAC address... but no template is in there! I can't connect to my controller until I push a username and password to it, and none of my templates are there, no WLAN, nothing...
  Any quick idea on what you did that I do not do?
  thanks
  Jerome

• Auto-provisioning new users with GRC 10.1

  There is some lack of clarity at my client on auto-provisioning new users into SAP systems with GRC 10.  Here's what they want and I'm telling them they need SAP IdM.
  The client will regularly have upwards of 500 new users on an on-going basis.  These users are approved and created in Active Directory.  The client believes that GRC 10 can now pick up these new users from Active Directory and then go ahead and provision them into ECC and CRM automatically, as soon as they're created, with no further approval required.
  To the best of my knowledge, the easiest way to do this would be for IdM to do this, and have IdM trigger GRC for certain users, and to provision users who fall into this group of 500 users.
  These users are different from regular users, who need to go through the approval workflows.  Regular users will have managers and roles that need approval.  These 500 or so users are approved to be created in the system and don't need to get caught up in the approval workflow.
  Am I wrong in saying that IdM 7.2 is the best way to do this, or am I missing something about what GRC 10 can do?
  Thanks for your help.  I really appreciate it.

  Hi Santosh,
  In AC 10.1, I created one brf plus initiator rule.Although I saved it in GRAC_ACCESS_REQUEST package.Transport button is not available(Not greyed).
  Dis you faced this issue..How to get this change in transport??
  PS:Application are activated.
  Thanks,
  Mamoon

• CUP - Initiator for roles not requiring approval (i.e. auto provisioned)

  We recently upgraded to GRC 5.3, SP10 and started noticing that using CUP, for roles that should be automatically provisioned (i.e. no approval required), it is taking between 3 minutes 45 seconds to 5 minutes for the request to be successfully submitted and automatically approved with provisioning.   I was wondering if anyone is experiencing simlar system performance
  Our set-up for auto provisioned role requests is as follows:
  1.  Created initiator INI_NO_APPROVE using role for attribute
  2.  Created stage STG_NO_STAGE  with Approver Determinator = No Stage
  3.  Created path definition PATH_NO_APPROVE with number of stages =2 and initiator = INI_NO_APPROVE
  Thanks!

  F.Y.I.
  As per SAP's recommendation - we applied note:1423983 in all target provisioningn systems and this resolved the issue.

• GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

  Hello,
  Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
  I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
  User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
     Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
  1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
  2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
  And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
  Thanks in advance,
  Alley
  Edited by: Alley1 on Sep 20, 2011 1:15 AM

  Hi Karell,
     Here is response to your questions:
  I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
  Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
  Can somehow the Risk Owners defined in the RAR componed be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
  Regards,
  Alpesh

• Limitations of Auto-Provisioning through CUP (AE)

  Hi all,
  I am looking for some information on what are all the benefits and limitations of using auto-provisioning over manual provisioning for the backend systems through CUP (AE).
  We are implementing GRC AC 5.3 and it is organization's business decision whether we need the proviosing piece to be automated or not. However, I would like to get your suggestions based on your project experiences esp in a decentralized security administration where security admins are in different geographical locations and have to provision only for their user groups.
  Can we perform all the activities thro' auto-provision similar to a security administrator manually creating a user, assign appropriate user groups etc.,  or is there any limitation?
  Which approach would be better for decentralized administration?
  Appreciate your suggestions..
  Thanks
  Siri

  Hi Alpesh & Williams,
  The user default settings such as date, timezone, decimal etc can be configured through the 'user defaults' and 'user default mapping' . I see the option of assigning user  groups and appropriate parameters too.
  Say the user belong to user group AAA_XXX  and another user belongs to AAA_YYY, where
  AAA - location
  XXX - Dept
  I have configured these (location, dept) as required fields while entering the request in CUP .
  However, during run time how will the correct user group be assigned to the user. Is it through the user default mapping? Where do we maintain all the user group information that is available in the ECC system? Do we have to create user default, user default mapping for each user group??
  The documentation from SAP is not very clear .. Appreciate if you can provide some lights on this area.
  Thanks
  Siri