OIM- Attestation Process

Similar Messages

• OIM Attestation Process Default Administrative Groups

  It seems that, by default, when a user creates an attestation process that it inherits all the groups that the user is a member of as members of the Administrative Groups for that process. Furthermore, these groups have write and delete privileges.
  This is troublesome to me. Every OIM user is a member of the Employees group, therefore every attestation task could be deleted, modified, run, etc, by any user on the system. Surely this is not the intended behavior.
  It would make sense if the Process owner group were added to the Administrative Groups, but not every single group that they are a member of!
  Does anyone have an idea on how to correct this?

  Martin, Thank you for the reply. The OIM product docs have content indicating that OIM supports attestation at entitlement level. So was wondering if there is any straightforward way to achieve and I was missing something. I guess there will be a lot of overhead in maintaining the AD Groups as resource objects in OIM. In certain cases there will be thousands of AD Groups. If you know could you please advise on the impact / care to be taken with this approach.
  Thank you.

• OIM Attestation Process Stuck in 'Pending' State

  I have created an User Entitlement Attestation process that resulted in zero total records. I think that this was because I did not have any resources marked as 'financially significant'. Nevertheless, it seems that the process should have auto completed since there were no records found, but instead it is stuck in 'pending' with no tasks for anyone to perform.
  Anyone know what I should do to get the process to complete?

  Hi
  I also facing the same issues as you, User Entitlement Attestation process don't work.
  Did you able to fix it now ?
  Thanks in advanced
  Thanks
  John

• [OIM 9.1.0.2] Attestation Process scheduled is not automatically running

  Hi Gurus,
  IHAC that noticed that some attestation processes have not been triggered in the specified scheduled time, . So the Attestation tasks are not displayed into specified Reviewer's inbox (To-Do List).
  There is a group responsible for creating the attestation processes and they have created a lot of processes. It seems that for some reason the attestation scheduled task is not automatically running for some cases.
  For the attestation processes that were stopped, it is needed to run manually the scheduled task. With this action the attestation task flow runs.
  Any tip on what could I check?
  Thanks.

  Hi,
  I checked the Schedule task 'Initiate Attestation Processes'. It is Enabled, with frequency 30 min. Actual status: Inactive.
  I got the follow error on the logs:
  Something related to Memory.
  I am investigating why when I use 'Run Now' option the attestation process work. Any tip?
  <28/11/2012 03h32min51s BRST> <Info> <EJB> <BEA-010227> <EJB Exception occurred during invocation from home or business: [email protected]340a3f3 threw exception: java.lang.OutOfMemoryError: Java heap space>
  <28/11/2012 03h32min51s BRST> <Notice> <Stdout> <BEA-000000> <ERROR,28 Nov 2012 03:32:51,518,[XELLERATE.SCHEDULER.TASK],Error while resubmitting the attestation process for delegation
  Thor.API.Exceptions.tcAPIException: EJB Exception: ; nested exception is:
  java.lang.OutOfMemoryError: Java heap space
  at Thor.API.Operations.AttestationOperationsClient.updateResponses(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
  <28/11/2012 03h34min57s BRST> <Notice> <Stdout> <BEA-000000> <ERROR,28 Nov 2012 03:34:57,977,[XELLERATE.SCHEDULER.TASK],Error: Thor.API.Exceptions.AttestationProcessNotFoundException
  Thor.API.Exceptions.AttestationProcessNotFoundException
  at com.thortech.xl.ejb.beansimpl.AttestationOperationsBean.initiateAttestationProcess(Unknown Source)
  at com.thortech.xl.ejb.beans.AttestationOperationsSession.initiateAttestationProcess(Unknown Source)
  at com.thortech.xl.ejb.beans.AttestationOperations_yqqnsm_EOImpl.initiateAttestationProcess(AttestationOperations_yqqnsm_EOImpl.java:1033)
  at Thor.API.Operations.AttestationOperationsClient.initiateAttestationProcess(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

• Error in attestation process

  Hi,
  I have created an attestation process and ran the same. The task for the review got generated for the same and I can see the tasks in the reviews queue.
  Now when I try to perform any action on these task after login to OIM as reviewer I am not able to save action. I am getting following error when I click on Save Action button :
  <Nov 15, 2012 3:56:11 PM IST> <Error> <XELLERATE.ATTESTATION> <BEA-000000> <Class/Method: ManageAttestationTaskAction/saveAttestationRequestActions encounter some problems: {1} Thor.API.Exceptions.tcInvalidPermissionsException
  Thor.API.Exceptions.tcInvalidPermissionsException
  at com.thortech.xl.ejb.beansimpl.AttestationOperationsBean.submitReponses(AttestationOperationsBean.java:399)
  at Thor.API.Operations.AttestationOperationsIntfEJB.submitReponsesx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
  at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
  at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
  at $Proxy363.submitReponsesx(Unknown Source)
  at Thor.API.Operations.AttestationOperationsIntf_r58oir_AttestationOperationsIntfRemoteImpl.__WL_invoke(Unknown Source)
  at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
  at Thor.API.Operations.AttestationOperationsIntf_r58oir_AttestationOperationsIntfRemoteImpl.submitReponsesx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
  at $Proxy177.submitReponsesx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
  at $Proxy316.submitReponsesx(Unknown Source)
  at Thor.API.Operations.AttestationOperationsIntfDelegate.submitReponses(Unknown Source)
  at com.thortech.xl.webclient.actions.ManageAttestationTaskAction.saveAttestationRequestActions(ManageAttestationTaskAction.java:623)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:269)
  at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(tcLookupDispatchAction.java:133)
  at com.thortech.xl.webclient.actions.tcActionBase.execute(tcActionBase.java:894)
  at com.thortech.xl.webclient.actions.tcAction.execute(tcAction.java:213)
  at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
  at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
  at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
  at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
  at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
  at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
  at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
  at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
  at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
  at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
  at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at com.thortech.xl.webclient.security.CSRFFilter.doFilter(CSRFFilter.java:76)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:121)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:107)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
  at java.security.AccessController.doPrivileged(Native Method)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:31
  3)
  at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
  at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
  at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
  at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:13
  6)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
  at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  >
  Please let me know what could be the reason for the same.
  Thanks.

  *<Nov 15, 2012 3:56:11 PM IST> <Error> <XELLERATE.ATTESTATION> <BEA-000000> <Class/Method: ManageAttestationTaskAction/saveAttestationRequestActions encounter some problems: {1} Thor.API.Exceptions.tcInvalidPermissionsException*
  Are you using XELSYSADM?
  One approach can be to give ALL USERS all the permissions temporarily to figure out which Permission is missing and where...
  You can assign permission via ALL USERS group profile --> Drop Down --> Permissions --> Assign..
  Note down the current permissions so that after you fixed issue, you can restore the current permissions

• Attestation process-query

  my requirement is during the Attestation process the 1st reviewer will delegate the some of user resources to 2nd reviewer e.t.c. when the 1st reviewer deleagates to the 2nd reviewer should mention the start date and end date.
  can the above requirement come under OIM OOB functionality or do we need to go for customization?
  if so please tell the steps fr customization

  Have you looked at using the APIs?
  http://otndnld.oracle.co.jp/document/products/id_mgmt/idm_904/doc_cd/javadocs/operations/Thor/API/Operations/AttestationOperationsIntf.html
  I took a quick look and nothing looks very promising but it may be me being blind so it could be worth a second look.
  Best regards
  /Martin

• Attestation Process - 90_dml_insert_attestation_mil_sch.sql

  hello, now i stuck on Attestation process. Please help.
  I'm new to OIM and using version 9.0.3.1.
  Now i'm doing the lab exercise for Attestation Process(howevr this lab exercise is apply to version 9.0.3.1), in 1 of the steps its instructed me to execute the 90_dml_insert_attestation_mil_sch.sql but i can't find in the folder that it specify.
  However i managed find the similar files name as Oracle_Create_Attestation.sql, so i wonder is Oracle_Create_Attestation.sql is equally as 90_dml_insert_attestation_mil_sch.sql ??
  Thanks a million
  John

  Rajiv ,
  BY changing the process owner group to what you suggested it worked , the attestation process is created but for some fields it showing junk values .
  Hw can i attach a snapshot here ?? I wud like to show you the snapshot of the attestation process which is created .
  Thanks
  Suren

• Customization of Attestation Process in Oracle identity Manager

  Hi all,
  In our case we have to create an attestation process for some users and they belong to some particular group.
  when reviewer of this attestation process view his inbox .He can see table with several column like user resource and options like certify, reject ,decline and delegate.
  we also need to display group to which above user belong as a column in this table.Can anybody help us on this that how we can customize this default table
  which is shown to reviewer.
  Thanks in Advance
  Regards
  Puneet Bassi

  Hi,
  As martin said its a custom interface.You will have to extend ManageAttestationTask class. You need to override few method particularly populateTableData and populateTableDataForRequestDetails methods.
  I would recommend this approach until you are every much familier with struts development because if you messed up attestation won't work and more over oracle dosn't support any action class customizations.
  Regards
  Nitesh

• [SOLVED]OIM: Attestation Email notification isn't working :(

  Hi.
  I'm using OIM9031@JBOSS.
  I've created a new attestation with 'Users by manager' scope, selected 'Reviewer is each user's manager' option, set 'Notify process owner if reviewer declines' check box.
  I've verified, that process owner (XELSYSADM) has a valid email adress and all predefined email templates are ok.
  I've created a IT Resource 'Email Server' of type Mail Server.
  But notifications don't even launched (according to logs). What am I doing wrong?

  Has the actual attestation event triggered? The scheduled task "Initiate Attestation Processes" must run before any attestation events get sent out, even when you click the run once.
  Looking at the documentation, can you verify this stuff?
  System Control
  Attestation has the following dependencies:
  The User Profile Audit feature must be enabled.
  Historical data must be collected at least up to the Process Form level.
  If the auditing level is set below the required levels, then clicking menu item links related to attestation generates the Attestation Feature Not Available page, and prevents the user from defining any attestation processes.
  Audit levels are controlled by the system property called XL.UserProfileAuditDataCollection and the attestation feature expects this value to be set to at least Resource Form.
  -Kevin

• Revert back attestation process already executed

  Hi,
  Can the attestation process run be cancelled or reverted back?
  Regards.

  All the the database tables have a comment field on them. Find the ones relating to attestation and how they are organized. There are also metadata that can be found by going to the lookup definitions and do a search on Attest to find the other tables. Then you have to start working on queries to get the information related to the attestation you want and start your testing.
  -Kevin

• How attestation process scheduler runs?

  When i create an attestation process with following details
  starting date:10 August 2010
  schedule: run every one days
  Please tell me how many times in a day will this process run?
  When I tried to create attestation with above details,execution history showed that the process got executed multiple times in a day.

  It might be not what you had in mind but this might be a solution:
  mount a partition of your networked drive on: /var/log
  then all your logs will be on the NFS drive without editting a boatload of configs.
  You know that it is, of course, close to impossible to catch log-entries that happen before your NFS-mount,
  so you might want to consider something like this when mounting:
  kill -SIGSTOP <all logger-pids>
  cp -a /var/log /dev/shm/logtmp
  mount NFS-volume on /var/log
  cp -a /dev/shm/logtmp /var/log
  kill -SIGCONT <all logger-pids>
  this is it..more or less, far from complete ofcourse but you get the idea of what it is supposed to do.
  remember that you can't have, ever, any bootlog directly written to NFS during boot because during boot time your NFS is not mounted yet
  good luck !
  TSK
  Edited by: 833060 on 1-feb-2011 13:31
  by the way, Nicolas has a good point...is it worth the extra networktraffic and slowdown ?

• Attestation Process - futher action

  Hi All
  I had create a attestation process, invite reviewer to review the resources.
  let say, the reviewer had certify the resource and submit.
  Once the reviewer submit the resource and i need to do further action such as send an email to administrator but how should to create this task to send an email ?
  Thanks in advance

  Hi,
  1.You need to modify out of box attestation schedule task to achieve.Just check the schedule task and its code.You can modify it easly.
  2.This is available out of box.In every resource provisioning process you will find attestation related task.I don't remember the task name.Go to that task and in the response tab you will find certify and reject response.You can your de provisoned task on the reject status.
  3.This will be tough to do it not sure if possible.Check the out of box API.
  Regards
  Nitesh

• OIM - Approval process

  Hi All
  I have OIM integrated with application 1. Application 1 has many responsibilities which are to be maintained by OIM by 1 level approval process. This means the end user can log into OIM admin console and request for more responsibilities. I have a table for Resource object and another table for Responsibilities similar to AD Resource Object and its child table for AD groups.
  Problem is that every responsibility has a separate owner and if a user raises a request for responsibilityX, it should go to the owner of the responsibility. How should I go about it..
  Please help !!
  Thanks

  Thanks Kevin
  This is really helpful. I guess this would probably work in case when the number of responsibilities and user groups are limited. But in my case I have almost 1500 responsibilities and having a user group corresponding to these responsibilties would not be an easy task.
  I take your suggestion of creating a lookup for the mapping of responsibility and its corresponding owner. To move further, shall I go ahead and use API's to handle the object form and assign the task based on this lookup. Can you please suggest if this will be a good approach and provide some basic startup.
  **** Another thing which I am not able to understand is - When I provision a user using direct provisioning, these reponsibilities are attached to the process form as child table. How should I go ahead with creating a object form for the responsibilities.
  Currently, when an end user logs into admin console, he can only request for RO provisioning with no details or responsibilities. (No object form is attached to RO).
  This is similar to Group assignment in Active Directory, but in that case I wrote a separate piece of code that was adding the user directly to the AD group.
  Thanks

• OIM 11gR2 : Process task adapter

  Hello Experts,
  I have to create a process task adapter in order to assign the users provisioned on AD to various groups on AD.
  1. How may i configure a new process task adapter from ther design console ?
  2. How may i map the variables between the process task created in the design console with the input parameters of the adapter java code ?

  http://www.idmworks.com/blog/oracle-identity-manager-basics-creating-a-custom-adapter-in-oim-11g
  http://idmrockstar.com/blog/2009/08/how-to-create-a-prepopulate-adapter-in-oim/ (HINT)
  http://docs.oracle.com/cd/E14571_01/doc.1111/e14309/creadp.htm#BABGHIFA

• OIM Attestation of AD Groups

  Hi,
  Need some help with attestation functionality in OIM. The requirement is simple. The reviewer needs to attest the AD groups to which the user belongs. By default when I create attestation tasks and send to the reviewers, the reviewers are able to view the AD attributes and the AD groups. But the reviewer is able to certify/reject/decline at account level. The reviewer doesn't see the option to certify/reject/decline at the AD group level. The requirement is able to certify/reject/decline at each AD Group level? Could you please advise on how to achieve this?
  TIA.

  Martin, Thank you for the reply. The OIM product docs have content indicating that OIM supports attestation at entitlement level. So was wondering if there is any straightforward way to achieve and I was missing something. I guess there will be a lot of overhead in maintaining the AD Groups as resource objects in OIM. In certain cases there will be thousands of AD Groups. If you know could you please advise on the impact / care to be taken with this approach.
  Thank you.