OIM Approval - Behavior

Similar Messages

• OIM approval / provisioning workflows

  Hi All
  I have a query about OIM approval / provisioning workflows.
  Application X (e.g. Active Directory) has an OOTB connector which can provision the user and manage his role in the application. The user can raise request for role change via OIM Admin console.
  My query - Can I configure access policy/user group for creation of a base user identity in the application X. This will create user identities for all users in application X without any roles. Later user should be able to request for roles and upon approval, his role should be updated in application X.
  Can this scenario can be implemented with any OOTB connector with provisioning and role approval workflows in place. Do you see any complexity in this. Please provide your comments.

  The base provisioning van be done using access policies.
  If you want request based role management in pre OIM 11g you would have to do it over custom ROs. There are a couple of ways to do this.
  The easiest way to do is to combine the approaches in these two postings and create a custom RO that moves the user into an OIM group that has an attached access policy that manipulates the child table on the base target system RO.
  http://iamreflections.blogspot.com/2010/09/oim-howto-one-resource-object-per.html
  http://iamreflections.blogspot.com/2010/09/oim-howto-target-system-group.html
  Please take a look and see if this is understandable. I probably should write another entry that addresses this specific use case.
  /Martin

• OIM - Approval process

  Hi All
  I have OIM integrated with application 1. Application 1 has many responsibilities which are to be maintained by OIM by 1 level approval process. This means the end user can log into OIM admin console and request for more responsibilities. I have a table for Resource object and another table for Responsibilities similar to AD Resource Object and its child table for AD groups.
  Problem is that every responsibility has a separate owner and if a user raises a request for responsibilityX, it should go to the owner of the responsibility. How should I go about it..
  Please help !!
  Thanks

  Thanks Kevin
  This is really helpful. I guess this would probably work in case when the number of responsibilities and user groups are limited. But in my case I have almost 1500 responsibilities and having a user group corresponding to these responsibilties would not be an easy task.
  I take your suggestion of creating a lookup for the mapping of responsibility and its corresponding owner. To move further, shall I go ahead and use API's to handle the object form and assign the task based on this lookup. Can you please suggest if this will be a good approach and provide some basic startup.
  **** Another thing which I am not able to understand is - When I provision a user using direct provisioning, these reponsibilities are attached to the process form as child table. How should I go ahead with creating a object form for the responsibilities.
  Currently, when an end user logs into admin console, he can only request for RO provisioning with no details or responsibilities. (No object form is attached to RO).
  This is similar to Group assignment in Active Directory, but in that case I wrote a separate piece of code that was adding the user directly to the AD group.
  Thanks

• OIM approval -  End User Experiance

  Hello,
  In my configuration for OIM resource request :
  * 1st level of approval goes to manager -> user could login and check status of his request and could understands that it is pending on manager and verify his manager name in the request pending status. This is good. :)
  * 2nd level of approval goes the resource owner - (which is implemented as a group - the approval request goes to member of the group). What user sees is that the request is pending on the approval-group. He don't know whom to reach and eventually ends up talking to OIM admin to understand the current approver for the request.
  A valid use case is - in case resource approver changes then dynamically all the pending requests should move to the new approver. This works best in the current configuration (group member approval).
  How to enhance end user experience when the request is pending on 2nd approval step.
  thanks,

  But i don't think this will automatically re-assign the request to new approver in case of approver change.I didn't understand this line. What do you mean by Automatically Re-assign to new approver in case of approver change.
  How approver will get changed? Someone has to reassign the task to other person/group ?
  What is your Use Case ?

• OIM Approval Workflow Scenario/Question

  Hello,
  Can anybody please explain how the approval workflow actually works in OIM?
  Scenario - After a user does self registration using the web console - how can we specify tasks in between that workflow - so that the user's manager should receive/approve the request first and then suppose then the request goes to some Department Head for his approval and then only the user will receive and confirmation email for logging into OIM.
  I understand the Provisioning workflow perfectly from OIM User Form to PRocess Form and from their to Target. But really want to understand this 'Approval/Self REgistration' workflow. Can anybody explain me with the steps that are needed to be configured in OIM Design Console for the 'scenario' explained above.
  Many Thanks!

  Hi,
  There is one possible solution for your requirement. I jsut the forget the name of the workflow which trigger while self registration.
  You can do one thing in that process add two task which assign task to manager and once he approved the request task will be assigned to deapartment head and once he approved the user will be created in OIM.
  Task will be assigned not as approval but as asisgned task, if its ok with you; just try this and let me know.
  Regards
  Alabhya Goel

• OIM - Approval

  Hi
  I am trying to configure 1 level approval process in OIM so that whenever an end-user raises a request for an application (RO), it goes to his manager for approval. Once it is approved by his manager, he should get provisioned to the target application. To achieve this , I have done the following:
  1. Added tcCompleteTask adapter in Standard approval process
  2. Created New process as 'Manager Approval' giving type as Approval and object name as my RO
  3. Added a task as 'Manager Approval' and specified 'Request Target User's Manager' in the Assignment tab under default rule
  Now whenever the user raises a request for this RO, it goes to the user itself and gets approved. Please let me know if I am missing something.
  Thanks

  You should check out the Oracle By Example articles and walk throughs available. You need to put in some kind of effort on your own to learn at least the basics. The OBEs will give you samples of importing a connector and creating an approval process. There is a notification tab on the process tasks where you can assisgn a status of the event and a notification. You'll also need to configure an email server as well.
  I would also suggest you create your own topic once you have gone through the OBE samples. And posting the same question onto multiple existing topics will making tracking answers more difficult.
  -Kevin

• OIM Approval Processes

  I have an approval process configured to go to the target user's manager first and then to a resource owner for the final approval. If a user request the resource the workflow works as expected, goes to their manager for approval and then to the resource owner. The issue I am having is when the user's manager request the resource on thier behalf OIM then sends the approval to the manager's manager which is not what I was expecting. I was expecting the manager's approval to be auto completed since it was the manager of the user who was submitting the request. Has anyone run into this?
  Thanks

  I found that the result I am seeing is actually how OIM was designed to handle such scenarios in the 9.1 release. Their logic is that a requestor should never be an approver which makes sense but I would have expected that if a manager requested a resource for a direct report the approval request for a target user's manager would get auto completed since it is the targets user manager making the request. Looks like I will have to write custom code to get the desired approval process.

• Defining Approver list in BPEL -OIM Approval Workflow

  Hi,
  We have a requirement where in we need to retrieve array of users from external resource (not integrated with OIM) and pass them as an approver list during resource provisioning request. As these users are not managed as a role in OIM, how do we achieve this functionality? We are retrieving these approvers as part of Java embedding in BPEL process, but not sure how to pass them as a approver list in BPEL -One of them can approve the request.
  Thanks in advance

  Thanks Kevin,
  So can I assign String DataType to the comma separated OIM Logins (approvers) and BPEL will take care of assigning them as approvers appropriately? If so, then will the request will be approved if one them approves it?
  Thanks again

• OIM Approval Workflow

  Hi,
  I need to implement the following scenario in OIM.I have following 3 types of users in OIM . Employee,Organization Admin and Resource Admin.
  1.Organization Admin logs into OIM and request a resource to an user.While requesting,Organization admin needs to enter some information about the user (it could be either process form or resource form)
  2.Once the request is submitted,Resource Admin should see it in his pending task list.
  3.Resource admin approves the request and the user gets provisioned to the target system.
  I tried creating a process form,in which the admin can enter user details,but I am not sure how to attach approval workflow in that.
  When I tried using Resource Form,I am not able to populate user's information in the form.
  Any idea about how to implement this scenario?.Thanks in Advance.

  Hey Nitesh...
  Thanks for the Reply....
  Sorry i mistakenly put process form in place of object form. By default approver is only able to see only first name and last name in user details. What additional configuration i need to do so that approver can see the object form also for that user and then can approve/Reject. As the approver is from different organization so not able to view user details....but as per requirement have to show only the requested resource object form!
  Also i have couple of other questions which i am not able to crack....appreciate if you can help me to figure out the solution :)
  1. When i requested a resource for multiple users then approver is not able to approve it for few users and reject it for others under same request. Does OIM provide any kind of customization which can help me to achieve this.
  2. Once my user get provisioned in any resource lets say AD after that when i modified the user OIM profile and save it, it should modify the AD account also if the modified attribute is mapped in Resource form using prepopulate. Is this valid requirement?
  Edited by: user10781632 on Feb 26, 2009 5:35 AM

• OIM approval workflow creation

  Hi Gurus,
  Is it possible to give permission to a group in the OIM to be able to create/manage Resource's approval workflow? If so, what I should do? Which permission are needed?
  Or just system administrator is able to do that?
  The group was created just to perform that activity and it can't have another privileges.
  I would appreciate any help.
  TiA,
  Carlos

  In pre 11g there is no really good way to do this as approval workflows are defined in the design console. One of the things I am excited about 11g is that the approval workflow is moved to BPEL (http://iamreflections.blogspot.com/2010/09/oim-11g-approval-workflow-orchestration.html)
  If you need to support this in pre 11g you can either try to configure the design console to just have the approval workflow menu item. i haven't tried that but it does not look simple or straightforward to me.
  If the approval workflows are simple you could try to go over the custom resource object or custom menu item road. A third option would perhaps be to let them define the workflows in a free standing tool and then parse in the changes and use the OIM API to update the approval workflows.
  Best regards
  /Martin

• OIM Approval Workflow starting Exception

  Hi to all. I'm working with approval workflow in OIM11g and I've followed the OBE for the design of a ResourceSerialApproval Workflow. When submitting a request which is to be approved by this workflow at request level, the request creation fails with this exception:
  IAM-2050014:An error occurred while initiating approvals for request oracle.iam.platform.workflowservice.exception.IAMWorkflowException: Unable to instantiate the workflow process due to null. The corresponding error message is {1}.
  I've searched this forum for the error and seen that maybe it could be caused by a bad props file when registering the workflow: this is NOT my case. The workflow gets correctly deployed.
  Could anyone help me?
  Please I have no idea on how to solve this problem.
  Thanks in advance,
  Giuseppe.

  Hi,
  Open your approval workflow in Jdev, open "ApprovalProcess.bpel" file in source mode,
  Check if custom attribute is getting assigned before the payload is loaded:
  something like
  <copy>
  <from variable="resourceAdmins"/>
  <to variable="initiateTaskInput" part="payload"
  query="/ns2:initiateTask/task:task/task:payload/task:ResourceAdministrators"/>
  </copy>
  <copy>
  <from>
  <payload xmlns="http://xmlns.oracle.com/bpel/workflow/task">
  <RequestID xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
  <RequestModel xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
  <RequestTarget xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
  <url xmlns="http://xmlns.oracle.com/bpel/workflow/task"/>
  Regards,
  Raghav.

• OIM , Approval WorkFlow Page Error

  Dear All,
  Kindly if anyone can share some experience on the following issue:
  1 - I have IDM 9.1.0.x
  2 - To define the approval workflow when I try to open the workflow designer i.e Manage Resources>Manage> select resource ... it shows error page with no error number just a link to IDM admin.
  My question is:
  1- Could it be due to some issue in connector of the relevant application (MySQL on backend> GTC with Java customized connector)?
  2- Or it could be a problem in the IDM system itself related to some configurations, missing installation components.
  what should I check to verify if it is some issue with the IDM servers settings?
  Thanks

  thanks for your reply,
  can you please be a little more elaborated and guide me how to remove this error, when click on the resource instead of opening workflow designer it opens a page with a link to admin, not showing any error just "A system error has encountered" message.
  thanks.

• OIM - Approval process available on updates/modifications of a resource ?

  Hello,
  I would like to implement a typical workflow :
  1) UserA is able to provision a resource for other users. He provisions it for UserB. There's an approval process which says that it's UserB's manager (ManagerB) who will approve this request. UserA provisions the resource.
  2) ManagerB approves the request
  3) UserB is now able to use the resource and modify it. He modifies it and his modifications aren't effective until his manager's approval.
  4) ManagerB approves the modification request, ensuring that the data is correct
  The main goal of this kind of workflow is that every action of the resource user means that an according approval process is fired.
  Right now I'm unable to implement such a process. Another user said on this forum that approval events are fired on grant/enable/disable/revoke events. I would like to know if it's possible to use this kind of processes on ANY modification of a given resource.
  And by the way, is there any mean to know exactly which are the minimal permissions/rights to have to be able to provision a resource to a user in a workflow as described earlier ? Right now I'm working with 177 different rights, whose names aren't quite helpful...
  Thanks in advance !

  Ajp , following your instructions, to enable approval on attribute changing (e.g, for resource named 'MyResource') I should take the following steps:
  1) Create a resource object called "Dummy ResObj"
  2) Create a Process Definition of type Approval (with respective task assignment adapters) and associate it with 'Dummy ResObj'.
  3) Create a task inside this to get the manager's approval
  4) Open a Process Definition of type Provisioning associated with the resource 'MyResource'
  5) Create a Process Task Adapter to provision target user to the Dummy ResObj
  - this adapter would get passed the resource object key and the user key
  - the adapter will create a request (on adding user)
  - it would also utilitize the tcUserOperations API
  7) Create a Process Definition for Dummy ResObj
  8) Create a Process Task Adapters to provision and de-provision target user to the Dummy ResObj
  9) Create tasks in the 'Dummy ResObj' provisioning process that calls this process task adapters
  Am I right? Haven't I missed something?

• Approval Process for Role in OIM

  Experts,
  When a role is approved for a user in OIM, can we stop the user without getting assigned to the role immediately.
  We would like this scenario, user requests for role, the role owner approves it in OIM and then the role assignment happens in OIA.(or)
  User requests for the role, the approval workflow sends the request to OIA for approval from role owner , once approved it can be assigned in OIA and then automatically reflected in OIM as well.
  Which option is more feasible...and recommended?
  Thanks,
  Krish

  Thanks Kevin for the reply.
  Approval process code will be initiated in OIM and approving happens in OIA. Once approved, the role can as well be assigned in OIA. This can update OIM automatically by assigning the user with the requested role.
  (Or)
  Approval process code will be initiated in OIM, approving also happens in OIM, the role also gets assigned in OIM and an OIA updates this change accordingly.
  Which one would be recommended?
  Krish.

• OIM 10g Approvals

  Hi All
  I have the following queries regarding OIM approval workflows.
  1. In OIM approval workflows, how can we ensure that the requestor is not the approver for his requests (Seggregation of Duty - SOD)
  2. As per the OOTB functionality of OIM, the request goes to user's manager for approval. In case the Manager's ID is disabled, the request goes to xelsysadm.
  How can we change this behavior so that if the user's manager is disabled, the request should go to User's manager's manager.
  Please help.

  Answer to your questions:
  1. This is a known bug and has been fixed in the latest patch.
  2. You need a custom task assignment adapter that will check whether the manager is disabled and return the manager of manager user key instead.