OIM Failed provisioning

Hi All
I have integrated OIM with OID as target resource. Suppose OID goes down for some time. I want to know whether OIM will automatically retry the failed tasks in case the target OID was down for some time or the OIM admin will have to retry the task manually again.
How do we keep track of how many tasks have failed since the OID was down? Has someone faced such a case in the past?
Thanks

How do we keep a track of how many tasks have failed since the OID was down.
Another possible approach is to create a group, say OID Support Officer, and give it the To-Do List Open Tasks menu item to see Open Provisioning Tasks in the Admin Console. In the OID process definition, go to the Assignment tab of the Create User task, then select the target type as Group and select this group under Group lookup.
Now log in as a user who belongs to the group OID Support Officer and you can see the number of rejected tasks under Open Provisioning Tasks.

Similar Messages

  • How do you complete or re-attempt failed provisioning tasks

    Hi All,
    If a modify operation has been performed, and subsequent provisioning tasks failed, is there a way to get IdM to go back and attempt to complete the failed task and remaining tasks?
    For example, when the MX_VALIDTO attribute changes we call an event task to determine if MX_DISABLED should be set or not. This task is a generic pass which executes some logic which evaluates other attributes. This step failed because we caused an error to be raised due to an unexpected value in one of those other attributes.
    We have now modified the logic in the script and want to 're-provision' the failed task without triggering a new change on the identity.
    I know about the uRetryPrivilegeAdd and uRetryPrivilegeRemove internal functions, but it seems as if these only deal with cases where privilege assignment had failed. Is there something similar that will reconcile and clean up failed task hierarchies where it is just attribute / entry modifications rather than privilege assignments?
    Regards
    Paul

    Hi Paul,
    Hope all is going well with your project, the two bits of code you need for this are:
    Find all the failed privileges for an Identity
    var sql = "SELECT MSKEY,aValue,provstatus FROM MXPV_Priv_AddStatus WHERE (MSKEY = " +V_MSKEY +" and (ProvStatus = 1001 or ProvStatus = 1101))";
    sqlresult = uSelect(sql);
    This will give you a load of pairs of failed MSKEY - identity and aValue - privilege, which you need to split into strings via an array and then into values, and you can then retry using
    retry = uRetryPrivilegeAdd(provmskey,provavalue);
    I've put the full code on http://sap-idm.blogspot.com/2011/01/retrying-failed-provisioning-tasks-in.html in case you need more information.
    Good luck,
    Ian Daniel

  • OIM 11gR2 provisioning with GTC

    Hello,
    We are currently implementing Oracle Identity Manager 11gR2, and we are having difficulties with the implementation of the provisioning from OIM to the Target Systems exposed through a webservice on Oracle Service Bus.
    We are using the Generic Technology Connectors as a basis of working. And initially we have created a GTC with only reconciliation Transport & Format Providers:
    Connector Name TargetSystem1
    Transport Provider (Provisioning):
    Format Provider (Provisioning):
    Transport Provider (Reconciliation): Database Application Tables Reconciliation
    Format Provider (Reconciliation): Database Application Tables Reconciliation
    We have configured the Process Definition of TargetSystem1 with all the operations (Create User, Update User, Enable User, Disable User, Delete User, etc.) connected with custom Java implementations, that are working just fine if we trigger them from Eclipse. The “Create User” task has only “Required for Completion”, “Allow Cancelation while Pending” and “Allow multiple instances” check boxes set to CHECKED; it also has all the fields in Integration TAB mapped, Responses mapped, but when we create a User in OIM and provision it with an account on the TargetSystem1_GTC Application Instance, the provisioning process is not accessing the “Create User” task to make the provisioning in the target system. The user that we are trying to provision has the account Status set to “Provisioning” and the Account Type set to “Unknown”. We have also checked the logs of OSB, but there is no activity there, because no request from OIM is being received.
    After we investigated more closely the Oracle documentation for the Generic Technology Connectors we discovered that if we do not select Transport & Format Providers during the GTC creation, then the corresponding steps are not performed and they are not initialized, thus the provisioning cannot be done. The documentation also states that if we need to create custom providers in order to make the Provisioning with the GTC, but unfortunately we have no knowledge or any examples on how to do such custom providers for the provisioning of Users from OIM on the target systems via the Oracle Service Bus.
    We have installed a second GTC with both provisioning and reconciliation Transport & Format Providers:
    Connector Name: TargetSystem2
    Transport Provider (Provisioning): Web Services
    Format Provider (Provisioning): SPML
    Transport Provider (Reconciliation): Database Application Tables Reconciliation
    Format Provider (Reconciliation): Database Application Tables Reconciliation
    The Web Services and SPML options were the only options that we could select from the out of the box connectors that are installed, and we did not find any other connectors in the download section of Oracle for this product, that can accommodate such communication. So, we configured the provisioning accordingly, and modified the “Create User” task from the TargetSystem2_GTC Process Definition, in order to use our custom adaptor instead of the adpTargetSystem2_GTC adapter that was preset when the TargetSystem2_GTC is created. But this does not help us, because the provisioning is not done, and the “Create User” task is not used. The user that we are trying to provision has the account Status set to “Provisioning” and the Account Type set to “Unknown”.
    Next we tried to see if the GTC can be used to communicate directly with the OSB, using the Web Services Transport Provider and SPML Format Provider, and we did not make any modifications after the normal installation of the TargetSystem2 GTC. In this case we can see that the OSB is being accessed by OIM, but unfortunately this case does not help us either, because the operations implemented on the OSB webservice have a different structure than the one SPML expects as default:
    Caused by: com.thortech.xl.gc.exception.XSDValidationException: The SOAP response does not contain a valid SPML response type. Should be one of these -->addResponse modifyResponse deleteResponse resumeResponse suspendResponse setPasswordResponse
    Do you have any suggestion on how to make the provisioning process work?
    Edited by: user1717356 on 22.10.2012 03:22

    Hi,
    I think you need to put this check only for few attributes?
    If yes, then let's suppose you want to have a check for the Country field in the database, so that once it is modified by the target admin, OIM should know.
    1) Create one dummy field CountryDummy (hidden) in the OIM target process form and don't map it to any target attributes. This dummy field will only store values populated from the OIM user profile to the DB connector process form.
    2) On success of "Reconciliation Update Received", put a custom process task which does a comparison between "CountryDummy" and "Country" and informs the admin using email notifications that this mismatch has been found.
    HTH,
    ~J

  • OIM approval / provisioning workflows

    Hi All
    I have a query about OIM approval / provisioning workflows.
    Application X (e.g. Active Directory) has an OOTB connector which can provision the user and manage his role in the application. The user can raise request for role change via OIM Admin console.
    My query - Can I configure access policy/user group for creation of a base user identity in the application X. This will create user identities for all users in application X without any roles. Later user should be able to request for roles and upon approval, his role should be updated in application X.
    Can this scenario can be implemented with any OOTB connector with provisioning and role approval workflows in place. Do you see any complexity in this. Please provide your comments.

    The base provisioning can be done using access policies.
    If you want request based role management in pre OIM 11g you would have to do it over custom ROs. There are a couple of ways to do this.
    The easiest way to do is to combine the approaches in these two postings and create a custom RO that moves the user into an OIM group that has an attached access policy that manipulates the child table on the base target system RO.
    http://iamreflections.blogspot.com/2010/09/oim-howto-one-resource-object-per.html
    http://iamreflections.blogspot.com/2010/09/oim-howto-target-system-group.html
    Please take a look and see if this is understandable. I probably should write another entry that addresses this specific use case.
    /Martin

  • OIM 10g provision takes long and gives DOBJ UPDATE FAILED

    Hi.
    We recently added a resource but its provisioning process takes about 1 minute to complete.
    When a user makes a request for lets say 10 users, when the request is approved, the web page tries to wait until all the 10 user provisioning process is finished but that means 10 minutes waiting and OIM gives DOBJ.UPDATE_FAILED. I assume this is a timeout.
    How can I configure OIM (10G) to do all the provisioning process in background so there will not be needed to wait a lot of time watching a stall page when the (last approval step) approve button is pressed ?
    Thanks.

    It's a web service which makes a LOT of transactions and takes a long time doing them; we cannot change its behavior because it was built by someone else.
    Offline Provisioning explains a lot!
    It even fixes a rollback problem we were having caused by connectivity problems with some target systems.
    Thank YOU!

  • Queuing/Retrying 'Rejected' status OID Process Tasks: OIM-OID provisioning

    Hello Gurus,
    I have already up and running environment with OIM, OID connector pack and OID as the target system. So when a user data (for e.g. a UDF) is being provisioned from OIM to OID target system; if a process task comes back with 'rejected' status due to target unavailability/OID down; then is there any settings that we can configure within OIM design console that queues up and retries these 'rejected' tasks related to each individual user?
    Is there any setting within any of the OID lookups such that we can set a retry count for such process tasks?
    The goal is without human intervention all these 'rejected' process tasks should run successfully and be set to 'completed' status. If the target system is unavailable then there should be a way to run all these failed tasks - is my assumption.
    Is it by anyway related to 'Offline Provisioning'?
    Please provide some guidelines.
    Thanks,
    - oidm.
    Edited by: oidm on Mar 16, 2010 10:34 PM

    But it'll only allow us to 'retry' those specific tasks for a limited number of times and limited period of time. And will this task be retried only if its 'rejected' or it'll be retried for whatever number of times we specified?
    What if the target system doesn't come up for the whole day? Can we specify some value for the same in 'Duration' fields?
    So all in all if we talk about retrying the failed/rejected tasks we just have these options in hand as far as task 'status' is concerned?
    Thanks,
    - oidm.

  • OIM to provision a web services based application , how ?

    Hi All,
    I want to provision to a system which is web services based. There is an ESB above that application which accepts requests for creating accounts etc.
    I was thinking I could use OIM GTC SPML connector to provision to this system.
    I spoke to the team which maintains the ESB, and they were asking me what SPML is, so I figured the customer's ESB may not support SPML requests.
    They have Sonic ESB; I don't know much here, as I am new to web services.
    Here are my questions
    1.What do we expect of Target system if we plan on using OIM GTC SPML connector ?
    2.What is the solution for this situation.
    3.Would it be a good idea to build a custom connector
    Any help is appreciated.
    Thanks,
    Pandu

    Hi,
    I have been working recently with the SPML GTC. Here are a few pointers:
    i. OIM will invoke the target web-service synchronously i.e. it will wait for a response. So make sure the response is relatively quick.
    ii. SPML is just a message format with some security headers included; In your scenario, you can ignore most of this.
    iii. The tough part will possibly be the response back to OIM. This has to be in SPML or it will fail validation in OIM, therefore reflecting that the user provisioning failed (even if it did succeed in the target system).
    iv. The target system, needs to send back to OIM an ID, psoID, which is what OIM will use to associate the user identity with the target resource. For eg., supposing you send a modifyRequest for an user existing on the target system, OIM will just send a message similar to
    <modifyRequest psoID="TargetSystemUserID">
      <firstname>NewFirstName</firstname>
    </modifyRequest>
    so, the point being: be careful what you send back in the response. (In our case we sent back the emailID as the psoID, as it was the key for our application)
    v. And Finally, there are some issues we faced with the GTC itself, and have recently filed a bug. This might not be a problem in your case. However, stay warned: the GTC may not be ready for Production yet.
    Will be glad to help you further, let me know.
    AJ
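
An offline check for the point made in the two SPML threads above (the XSDValidationException and AJ's notes iii and iv): run the target's or ESB's SOAP response through it before pointing the GTC at the endpoint. This is an added example, not code from the posters or from Oracle; the SOAP 1.1 and SPML 2.0 namespaces, the `status` attribute, the `psoID` element with an `ID` attribute, the function names and all sample messages are assumptions or constructed data.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 (assumption)
SPML_NS = "urn:oasis:names:tc:SPML:2:0"                  # SPML 2.0 core (assumption)

# Element names copied from the XSDValidationException quoted on this page.
ACCEPTED_RESPONSES = {
    "addResponse", "modifyResponse", "deleteResponse",
    "resumeResponse", "suspendResponse", "setPasswordResponse",
}


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def check_spml_response(xml_text):
    """Return (ok, problems) for one SOAP response produced by the target or ESB."""
    # SOAP 1.1 forbids a DTD; refusing it also keeps entity tricks out of the parser.
    if "<!DOCTYPE" in xml_text:
        return False, ["DOCTYPE not allowed in a SOAP message"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, [f"not well-formed XML: {exc}"]

    body = root.find(f"{{{SOAP_ENV}}}Body")
    if local(root.tag) != "Envelope" or body is None:
        return False, ["no SOAP 1.1 Envelope/Body found"]
    children = list(body)
    if len(children) != 1:
        return False, [f"Body holds {len(children)} elements, expected 1"]

    resp = children[0]
    name = local(resp.tag)
    if name == "Fault":
        return False, ["SOAP Fault returned instead of an SPML response"]
    if name not in ACCEPTED_RESPONSES:
        return False, [f"'{name}' is not one of the accepted SPML response types"]

    problems = []
    status = resp.get("status")
    if status != "success":
        problems.append(f"status attribute is {status!r}, not 'success'")
    # AJ's point iv: the ID returned here is what gets linked to the account.
    if name == "addResponse" and status == "success":
        ids = [e.get("ID") for e in resp.iter() if local(e.tag) == "psoID"]
        if not any(ids):
            problems.append("addResponse carries no psoID")
    return not problems, problems


def envelope(body_xml):
    """Wrap a body fragment in a SOAP 1.1 envelope (constructed test data)."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body>'
            f"{body_xml}</soapenv:Body></soapenv:Envelope>")


# Constructed sample responses; none of them come from a real system.
SAMPLES = {
    "spml_ok": envelope(
        f'<addResponse xmlns="{SPML_NS}" status="success">'
        '<pso><psoID ID="jdoe@example.com"/></pso></addResponse>'),
    "spml_no_id": envelope(
        f'<addResponse xmlns="{SPML_NS}" status="success"/>'),
    "native_esb": envelope(
        '<createAccountResult xmlns="http://esb.example.com/accounts">'
        "<code>0</code></createAccountResult>"),
    "fault": envelope(
        "<soapenv:Fault><faultcode>soapenv:Server</faultcode>"
        "<faultstring>backend down</faultstring></soapenv:Fault>"),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        ok, problems = check_spml_response(xml_text)
        print(f"{label:12} {'PASS' if ok else 'FAIL'} {'; '.join(problems)}")
```

The `native_esb` sample is the case from the GTC thread: the call succeeds on the target, yet the response is rejected because its body element is not an SPML response type.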

  • Invalid Naming Error while creating user in OIM and provisioning to OID

    Hi,
    I am trying to create users in OIM. As per the access policy, the users will directly provisioned to OID. When I am creating users in OIM, its showing provisioning for OID user resource. The create user task is rejected with error as
    "Response: Invalid Naming Error
    Response Description: Naming exception encountered"
    If anybody is getting these error, then please suggest a solution.
    Thanks.

    logs ???
    Are you provisioning any custom attributes of different object classes? Make sure you include those object classes as well; go to the connector documentation for adding the object classes, maybe some configuration lookup, I guess.
    Thanks
    Suren
    Edited by: Suren on Jul 6, 2010 7:41 PM

  • OIM-OID Provisioning - OID Group PrePopulate Approach :

    Hi,
    I am working on OID Connector 9.0.1.14 with OIM 11.1.1.5.
    I have reconciled all the Roles and Groups from OID to OIM and can successfully provision users to the OID along with membership to these specific Roles and Groups.
    I want to prepopulate the OID Group based on certain attribute from the OIM User form. My Approach so far is :
    1) Created an Entity Adapter with a variable : say Org and GroupName.
    2) Set the Logic as if Org = XYZ (+XYZ does exist on OIM+) set GroupName as = "OID Group 1" else set GroupName as = "OID Group 2"
    3) Attached this adapter to the "OID User Group" form on the "Data Object Manager" at the pre-insert stage.
    4) Mapped the Adapter variable as :
    a) Org Maps to "Organization Definition" with the qualifier "Organization Name"
    b) GroupName maps to the "Entity Field" with the qualifier "UD_OID_GRP_GROUP_NAME"
    However nothing seems to happen when I create/modify a user with Organization Name as XYZ and manually provision the OID Resource. I can see the form but nothing is populated in the Group field. Upon completing the request, I get the user provisioned to OID but without any Group information.
    Is my approach right ? Am I missing something ?

    Here is what I have done for a client. My requirement was for a given department, a user must have a list of groups provisioned to them. So here is what i've done:
    1. Create a lookup that has Code Key = Department, Decode = CN of the groups in a delimited format.
    2. Create a provisioning task that will look at the department code from the user form, reference the lookup and find the decode values. Split them based on a delimiter. Then using each value, look up the code key value from the real lookup that contains the full distinguished name of the group in the OID Group lookup. I even appended the IT Resource Key and ~ so that my search would be Decode or Code = "IT Resource Name~CN=<CN VALUE>%". This would return only the single group code key value. And then I add it to the child table. Repeat this for all the values in the delimited field.
    3. Create a provisioning task that removes the values from the child table based on the delimited value. You'll need to search through the existing child table values.
    Once you have the 2 tasks, you'll want to add a value to your Lookup.USR_PROCESS_TRIGGERS that is your group determining field. Create your task name in this lookup. On your provisioning workflow, for the Adding of the groups task, make this unconditional, and have a preceding task of the Create User. Give it the name from your Lookup.USR_PROCESS_TRIGGERS and append " - Add Groups" to the task name. Create another task called the same, but append " - Delete Groups" to the task name. On the Add Groups task, make the preceding task the Delete groups. When you map your inputs to the adapters, on the delete, select the old value check box from the User Form so that you get the old value. Now, when the value changes on the user form, it will first remove the old groups, then add the new ones. All this will be done using the child table APIs, so that the existing Insert and Delete task triggers for your child table will run.
    -Kevin

  • ADD new fields in OIM to provisioned on OID

    Hello,
    I need a confirmation about these steps to add a new field to provisioned to OID.
    new field called slClient
    did i need to do all these steps ?
    1- Resource Object
    OID User --> Object Reconciliation (tab), add Field: sl Client --> String
    Xellerate User --> Object Reconciliation (tab) , add Field: sl Client --> String
    2- Form Designer
    UD_OID_USR --> add : UD_OID_USR_ CLIENT --> sl Client
    3- Lookup definition
    AttrName.Recon.Map.OID --> Add: sl Client --> slClient ( this is what field name in OID database)
    AttrName.Prov.Map.OID --> Add: sl Client --> slClient ( this is what field name in OID database)
    4- Process Definition
    OID User --> Reconciliation Field Mappings (tab), Add field map: sl Client --> UD_OID_USR_ CLIENT( this is what in Form Designer)
    Xellerate User --> Reconciliation Field Mappings (tab), Add field map: sl Client --> Letter Client (what is defined in User Defined Field Definition)
    5- User Defined Field Definition
    Users --> Add Letter Client --> USR_UDF_LTR_CLIENT ( this is what in OIM database)
    I need to validate also the relationship, between all the components.
    thanks,
    TG

    I believe for trusted reconciliation with OID, the OOTB connector does not allow for additional attributes to be populated on the Xellerate User object. I believe it only retrieves a set list of attributes that are required for creating an OIM user and also adds in the additional values for Xellerate Role, and Xellerate Type, and Organization.
    I would suggest you create a new Resource Object, marked as trusted, called OID Trusted. Duplicate your recon lookup to have only values needed for your trusted recon. Create an event handler/entity adapter on your Users data object which will populate the Xellerate Role, Xellerate Type, and Organization to populate these values. Then create a provisioning process definition with no additional tasks. Map all your reconciliation fields to your Xellerate User object. Then create a duplicate scheduled task of the OOTB OID recon and set your Resource Object to OID Trusted. Also, don't forget to create a recon rule and set your recon action rules. Run the recon and there you go.
    -Kevin

  • OIM-OID provisionning issue with external plug in with AD

    Hi OIM/OID Guru's,
    We are using OIM with OID connector and having external authentication plug-in feature of OID with AD. Here we are using OID for user profile storage and doing password validation by using external plugin through AD however we have been facing one issue which is mentioned below :-
    Whenever we are creating any user in through OIM and found that user is provisioned to the OID target source but populating wrong value of attribute orclSourceObjectDN in OID process form:-
    orclSourceObjectDN = cn=OIDTEST3,CN=Users,DC=oracle-test,DC=oracle,DC=com
    correct value should be orclSourceObjectDN =cn=OIDTEST3,CN=Users,DC=oracle,DC=com
    we don't have any container in OID with DC=oracle-test however not sure how the process form is picking up this value?
    However could you please put more light why it is appending wrong DN in OIM process form? Where should i check for this from OIM side?

    Hi Dear,
    thanks for your reply and we are using OIM 9.x version. Checked Root DN value as you suggested (see below snap shot for oid resource definition):-
    Admin Id     cn=username
    Admin Password     *******
    Group Reconciliation Time Stamp     
    Last Target Delete Recon TimeStamp     
    Last Target Recon TimeStamp     
    Last Trusted Delete Recon TimeStamp     
    Last Trusted Recon TimeStamp     
    Port     6060
    Prov Attribute Lookup Code     AttrName.Prov.Map.OID
    Prov Group Attribute Lookup Code     AttrName.Group.Prov.Map.OID
    Prov Role Attribute Lookup Code     AttrName.Role.Prov.Map.OID
    Role Reconciliation Time Stamp     
    Root DN     DC=oracle,DC=com
    SSL     false
    Server Address     My server name
    Use XL Org Structure     false

  • OIM manipulating provisioning - description on resource profile

    Comrades!
    I have an OIM installation with AD and Exchange connectors. When users are provisioned, going back to the resource profile, you can see the resource and several data, for example the Description field. For AD User, descriptions shows the windows logon name (what I think it is correct), and for Exchange, it shows a number (probably a key of some table). Trying to discover from where this description field is taken, I realized that it comes from the ORC table, ORC_TOS_INSTANCE_KEY (if I change it, it changes in the description of the resource profile too).
    I have many questions about this. First of all, who puts this value in this field of the ORC table? I followed the provisioning tasks for AD and Exchange (Create User and Create Mailbox), and got inside the code (I decompiled it with cavaj), but the logic of the adapters attached to that process task and the code in the java classes, only creates effectively the user or the mailbox, and returns.. so, when the resource profile is being modified?
    Other question related to that, is where are the conventions of the process tasks names for provisioning? For example, FIELD Updated reacts over the event of modification of FIELD. Create User sounds logic for provisioning when a resource is granted on an application, but Create Mailbox? How is this task attached with the provisioning submit of a resource?
    DrLDAP

    You are right, the number that you see in the description field in the resource profile is the ORC KEY. If you need to change this to show any value in the process form, you can do so by going to the provisioning workflow form in the design console and click of Map Descriptive field.
    I don't think it has been documented anywhere about the field name<space updated> task.
    The name Create User or Create Mailbox has no significance. You can really keep any name for the task. The way OIM understands that it needs to execute this task is if it sees the task is marked as "Required for Completion". All tasks marked required for completion will be executed by OIM before it can say that provisioning has been completed. For e.g. in a provisioning process all you might need to do is send a mail and not create any account etc.
    Then you have a task "Send mail" (or any name); mark the task as required for completion. Now when this resource is granted by the admin to the user, this task would have executed. The name is not of essence when it comes to provisioning.

  • OIM AD Provisioning Issue -urgent prodution issue

    Hi,
    We are facing this weird issue wherein the user's manager gets back the approval screen with the Approve button activated even after they have hit the approve button. This is causing partial provisioning to trigger. For the first time provisioning process gets triggered but nothing appears on the resource list for the user, but when the user's manager hits approve button (thinking that approval did not succeed) resource appears on the user's resource list in provisioning status, task which determines if account already exist says "Account Already exist".
    Any suggestions or solutions are highly appreciated.
    Thanks in advance

    Hi,
    I just looked into logs for a failed user and found the following:
    ERROR,14 Jan 2011 08:53:52,188,[ABC.ALM.ADAPTER.ACTIVEDIRECTORY],Class/Method: ProcessFormUtil/setValueOnProcessForm encounter some problems: EJB Exception: : java.rmi.AccessException: [EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>, application=WLXellerateFull, module=xlDataObjectBeans.jar, ejb=tcFormInstanceOperations, method=setProcessFormData, methodInterface=Remote, signature={long,java.util.Map}.
    at weblogic.ejb.container.internal.MethodDescriptor.checkMethodPermissionsRemote(MethodDescriptor.java:560)
    at weblogic.ejb.container.internal.BaseRemoteObject.checkMethodPermissions(BaseRemoteObject.java:115)
    at weblogic.ejb.container.internal.BaseRemoteObject.preInvoke(BaseRemoteObject.java:272)
    at weblogic.ejb.container.internal.StatelessRemoteObject.preInvoke(StatelessRemoteObject.java:52)
    at com.thortech.xl.ejb.beans.tcFormInstanceOperations_2j82mm_EOImpl.setProcessFormData(tcFormInstanceOperations_2j82mm_EOImpl.java:1706)
    at Thor.API.Operations.tcFormInstanceOperationsClient.setProcessFormData(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    at weblogic.security.Security.runAs(Security.java:41)
    at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
    at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
    at $Proxy82.setProcessFormData(Unknown Source)
    So is this the issue? If yes, how can we overcome this?
    Thanks again

  • OIM 10g - Provisioning issues

    Hi Gurus,
    I have the following situation in the OIM:
    I have 2 resources (A and B). B is configured to Allow Multiple and depends that A is provisioned.
    The resource A is already provisioned. So, when I need to provision B, is being showed to user fill out the resource forms of the B as well as of the resource A, and the workflow's process of A is triggered again.
    This is causing a bad user experience.
    Any tip in this behavior.
    TIA,
    Carlos

    Kevin,
    The resource form is necessary because I have a lot target attributes I do not have in the user definition.
    But my principal concern is, should the resource form of resource A (already provisioned) be shown to the user for filling out? The request was made only for resource B. Is this behavior correct?
    Detail: When the resource A is not in Depends On tab, the A's resource form is not showed during request.

  • OIM (Xellerate) Provisioning Functionality with Web Services

    Hi,
    Has anyone had any experience with needing to issue user provisioning requests to Oracle Identity Manager (formerly Xellerate) using web services?
    I envision that it would most likely involve using SPML as the standard communication protocol within the SOAP messages.
    From my readings, the current version of OIM does not offer web services as one of its interfaces, but I'd like to check if anyone has already done this themselves?
    Any help is appreciated.
    Thanks.

    If you have made some custom connector using the internal OIM API, you can make your own web service interface, but outside of the OIM infrastructure.
    We have tested some custom connectors directly from Eclipse before integrating them inside OIM, so if you want to provide a web service interface to publish some OIM functionality, it should be possible to do it using the OIM API.
    Using the generic connector lets you use only an SPML web service for provisioning resources; your web service must parse the SPML message and then run your own logic. However, you must log in to OIM and then assign the resource to the user using the connector. There is no web service interface to do it outside the OIM infrastructure.
